This article demonstrates what I like about Matt Blaze's physical security writing that I don't like about Schneier's.
Both are computer security experts by training, but Blaze's writing has a concrete engineering-driven perspective that Schneier's lacks. Schneier's writing always "feels" right, but leaves you with the sense that it's not based on any operational reality.
It's probably not a coincidence that Matt Blaze has done formal research on physical security topics (safecracking, wiretapping, etc) --- in addition to being a bona fide computer scientist.
First of all, I must say I don't believe in these kinds of unpredictable systems: doing this 'select randomly the process from a set of processes' rarely works better than using the best process in the set.
But I don't think this applies:
But terrorist organizations -- especially those employing
suicide bombers -- have very different goals and incentives
from those of smugglers, fare beaters and tax cheats.
Groups like Al Qaeda aim to cause widespread disruption and
terror by whatever means they can, even at great cost to
individual members. In particular, they are willing and
able to sacrifice -- martyr -- the very lives of their
soldiers in the service of that goal. The fate of any
individual terrorist is irrelevant as long as the loss
contributes to terror and disruption.
Training a terrorist has a cost, and he should succeed; the "fate of any individual terrorist" is not irrelevant. The terrorist group does not have an infinite number of terrorists (as he correctly concedes in the next paragraph).
So random screening works, not because that influences the behavior even of those who aren't checked, but because it makes executing the attack more expensive to overcome the possibility of being detained in the random test.
Of course random screening is not as good as full screening, but from a realistic point of view it is the only thing you can apply without shutting down the world economy.
But if you read the article, I believe the point was that if the terrorist gets caught under a random system, the terrorist still achieves a positive result for the terrorists (the govt becomes forced to shut down aviation and then apply the maximum screening to everyone, causing expensive chaos and terror of its own).
Getting caught this time was a huge win. By all accounts, the guy who got caught was a nobody. Had he even been to the camps for training? For the cost of a pair of explosive underpants and the life of one shmuck, AQ is once again top-of-mind in the west --- not to mention the tens of millions of dollars of disruption the stunt caused.
There is a practically limitless supply of shmucks out there for AQ to weaponize. All they have to do is get better at converting them. What evidence do we have that this will be a long-term operational problem for AQ? Everything I see indicates that they will get better at it, not worse.
This is also why they aren't shutting down traffic lights. A failed attempt to shut down traffic lights wins nothing. Nobody is viscerally afraid of darkened traffic lights. In fact, until it happens, nobody is going to be viscerally afraid of someone taking out the grid. But everyone is afraid in their gut of exploding planes. Just the threat --- just 5% of the threat --- is enough to wreak havoc.
Ramping up a new KSM has a high cost. Ramping up a mujahedeen to skirmish with NATO in Khost has a high cost. Ramping up the guys who know how to rig PETN bombs has high cost. Ramping up guys who can operate safe houses and route money through a paranoid cell system has a high cost.
Building the system has a high cost. Using the system to exploit the dumbfucks who get captured by the system in order to get them to put the explosive underpants on is cheap.
If the system was jeopardized by any terrorist attempt, you'd be right. But it isn't. It's like spam. It may have a 0.001% conversion rate, but as long as it pays off 10000000:1, it's sustainable and resilient.
I disagree with your premise that a comparison can be made between SPAM and Sending-terrorists into the American Aviation system. SPAM is cheap because it is simply software that can be used to send out billions of copies. The number of possible jihad-motivated individuals that can be sent into the American Aviation system, between the screening, visa, and no-fly/selective screen lists (that you just _know_ are about to get a lot more aggressive in the next 90-120 days) is pretty limited.
There just aren't that many jihadists that will be allowed to fly without a lot of careful screening anymore.
Particularly after international airlines now have some experience with patting down and inconveniencing _all_ of their customers as a result of missing the Christmas underwear bomber - there is now a pretty good incentive for them to start being cautious about those who were in gray area previously. No more gray area - if there are doubts (i.e. you are on the TIDE list) - you get checked carefully.
You keep using this word "jihadist" as if the people on the flights have spent a year running obstacle courses and stripping down kalashnikovs in the camps in Waziristan. That's not who they'll put on the planes. For every AQ op that can shoot straight, somewhere in the world there are 100 shmucks that can put a pair of underpants on and board a plane.
All AQ has to do is get better at taking mentally unstable people from unstable parts of the world and pointing them in the right direction. 90% of them will fail. Hell, 99%. But the 1% that succeed will make us react horribly to the other 99%.
Theoretically, yes. But why hasn't AQ gotten better at this "flood 'em with attempts" strategy so far?
Perhaps even most fanatics and angry unstable people prefer to shoot at soldiers than take a 99-in-100 chance of winding up in infidel custody, famous only in failure.
Per - Jihad: The Origin of Holy War in Islam. Oxford University Press
'The term "Jihad" used without any qualifiers is generally understood in the West to be referring to holy war on behalf of Islam.'
What I'm trying to state is that the number of individuals who have radicalized to the point at which they will blow themselves up AND are authorized to fly on the American Aviation system, are few and far between. Even the Christmas underwear bomber had been reported to both the CIA and State Department. If they had simply taken the father at his word "My Son is radicalized Islamist and has a Visa which permits him to fly into the USA" they would have put him onto a list of selective screening and a bit of an extra pat-down, if not revoked his Visa in the same manner as the UK.
You can be certain that the TIDE list is going to be aggressively reviewed, and the list of 14,000 or so people currently targeted for selective screening is going to grow dramatically in the next few months.
Ironically religious beliefs mean that Islamic extremists won't let people with a known mental illness become suicide bombers. So they have to filter for sane people then get them to act insane.
Also, consider that the greatest threat is not from people who hope to live and accept a strategic risk of death. Rather, the greatest threat is from people who believe that death is the ultimate success, for both their worldly and otherworldly aims.
While a one-in-a-twenty chance of success sounds good from a terror chief's perspective, no suicide bomber wants a 95% chance of winding up in captivity, famous only as a failure. Out of the twenty, they want to be the one!
So plans that allocate many participants to expected capture will have far fewer volunteers. And every report of a capture will decrease potential-volunteers' willingness to sign up, because they will adjust upward their expectation of embarrassing capture rather than martyrdom.
What AQHQ knows about the odds of success for an operation and what some shmuck is told about the odds of success are two different and unrelated things.
Even granting that the bombers are gullible and unstable, and that "AQHQ" will oversell them on the chances of success, they can see the actual track record, and the mere act of training them sensitizes them to all the ways things can go wrong.
There's also a tradeoff between their naivete and effectiveness: a bumpkin who's never traveled internationally might believe whatever his handlers tell him, but is also more likely to draw suspicion or otherwise foul the mission.
Another thing to note - Matt Blaze typically approaches security scenarios with a different cost/benefit perspective than Schneier, for example Blaze writes:
"The TSA's much maligned 'three ounce' liquid rule is, in fact, a nice example of good security engineering of this kind."
Schneier, on the other hand, considers the inconvenience to travelers to be not worth the hassle. He always seems to fail to recognize the principles of defense-in-depth, and over-emphasizes the importance of stopping the terrorist before they launch an attack. I say this as someone who has read pretty much every essay and book he has ever written, sometimes multiple times.
"Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition."
o Banning box-cutters (and other sharp devices) has made it much more difficult to bring on an _effective_ weapon on board a plane. Nobody is denying that you can still fashion a shiv, of some kind - but the amount of damage you can do with a roughly fashioned hand weapon, versus something designed to kill lots of people at close range, is enough to deter people from trying to do so. Note - one of the principal reasons for banning box cutters and their like is so that the _other_ passengers on the plane have a pretty straightforward mechanism for subduing a malevolent passenger.
o Banning Large amounts of liquids, in the face of Liquid Bombs being _actually designed_ just makes good sense. Likewise banning powdered substances (PETN) from being brought onto planes makes sense now that we know that there are active attempts to use this vector.
Focusing on tactics is actually a very effective proposition - It's actually pretty damn difficult to bring down a plane these days from inside - not impossible, I'm sure there are a lot of vectors still left, but they are getting pretty few and far between. Not to say you don't still try and stop attacks at their source, but, if one gets by - you hope that further lines of defense will stop them.
Maybe it's just that Blaze's stuff seems falsifiable, and Schneier's stuff is slippery and abstract. At least we can argue rationally about the three-ounce rule. But if you accept Schneier's argument, there's no incremental discussion to be had.
Even if I agree with that (I do more than I don't), it's not productive. Regardless of whether "it's time for the TSA to go" (+34 yesterday last time I checked), the TSA isn't going anywhere. Shut up?
He always seems to fail to recognize the principles of defense-in-depth...
That's a broad claim given that Schneier's built his reputation/business around defense-in-depth. It's practically his hobby horse and I don't read any such misunderstanding in his essays on the TSA.
Of course he has built his reputation on it - I've probably learned half of what I know about defense-in-depth from Schneier. The thing is, when it comes to aviation security, he has a tendency to discount the importance of preventing bad things from getting on airplanes, and over emphasize the importance of preventing bad people from getting on airplanes.
I think they are both important. The TSA clearly thinks the "prevent bad things from getting on airplanes" is a more containable problem. We have the NSA/CIA/FBI and other intelligence services that will work on the bad-people problem, which in no way means we can't simultaneously dedicate resources to the "bad things on airplane problem."
As an aside, our last line of defense is clearly "Prevent Bad people from doing bad things on airplanes" - which is how both the Christmas underwear bomber and the shoe bomber were stopped.
The problem is that with non-random screening the terrorists can be much more efficient. They can get a pool of candidates together and send them on flights without any explosives on them. They can then find out which of the guys get screened at a rate less than chance and send those on the actual attack. That's why random screening is the best system possible because any other system would have to be perfect, otherwise any flaw can be detected on dry runs and exploited for the attack.
This was thoroughly explored last time the TSA tried to be smart about screening and implemented its Computer-Assisted Passenger Screening System. MIT article exploring it:
It seems to me that the right approach should always have a significant random element, not as a deterrent, but as a check on how well the non-random component is working. The random part will examine in depth to find anything that should have been found in the non-random part but wasn't (say, body searches to find large metal objects making it through the x-ray screen at the airport). Without that you would be blind to defects in the system.
I think this article isn't talking about random vs. profiled (which is what the MIT paper is about), but random vs. 100% (where the 100% has been analyzed carefully to be sufficient to detect large bombs, etc.).
He was hand-waving at the end about the 100% but that's not a solution. They are doing it randomly because 100% is simply not possible. My point was that in a situation where 100% is not possible, as in real life, any system is potentially worse than randomness.
Maybe this just means we need to come up with screening mechanisms that can be applied to 100%, but given the current capabilities, choosing random screening is better than profiling.
the best terrorist strategy (as long as they have enough volunteers)
Do they have enough volunteers? The Shoe Bomber and the Undie Bomber, compared with the team that pulled off 9/11, are a couple of amateurish mooks. If these are the best men that al-Qaeda can send against the United States, they must not have a very deep bench.
If you recall, at least one of the 9/11 hijackers almost missed his flight because he was late. Al-Qaeda is not sending its best men for these missions. Why would an organization send its best men if they are going to end up dead or in jail?
It doesn't make sense. You send the worst people possible that have a chance of pulling it off.
That's just it... the people who pulled off 9/11 were a bunch of amateurish mooks. A bunch of amateurish mooks with an 18 in the Luck department is still dangerous.
Just as in this case, there were any number of measures already in place that could have stopped 9/11, if they had only been followed. More rules are not the answer.
Paradoxically, the best terrorist strategy (as long as they have enough volunteers) under unpredictable screening may be to prepare a cadre of suicide bombers for the least rigorous screening to which they might be subjected, and not, as the strategy assumes, for the most rigorous. Sent on their way, each will either succeed at destroying a plane or be caught, but either outcome serves the terrorists' objective. ...
We might reflexively assume that any passenger screening system needs to be 100% effective at detecting all possible weapons and dangerous objects, an obviously difficult task. But, fortunately, that's not the requirement. Instead, the mechanisms need only be highly effective at detecting objects that can create actual terror under the conditions they will be subjected to in an actual flight. That is, in order to have meaningful security screening, we first must understand what it realistically takes to bring down an airplane. The security system can then be designed specifically to eliminate the preconditions for successful terrorism.
The TSA's much maligned "three ounce" liquid rule is, in fact, a nice example of good security engineering of this kind. ...
The idea that Matt Blaze thinks the three-ounce rule is sensible was surprising to me; I hit it, jumped back to the top, and re-read the whole article. What's the flaw in his reasoning? The three-ounce rule always seemed like one of the more ridiculous TSA measures.
What are the alternatives to preventing liquid bombs from bringing down an Airplane? What Matt Blaze is saying, is that instead of eliminating _all_ liquids (which would have also prevented aircraft from catastrophic explosions) - the TSA simply did the engineering to determine what the smallest amount of liquid was required to do significant damage, and then limited bottled liquids to something smaller than that. People can still bring on toothpaste, shampoo, and other useful liquids/medicines, but at the same time can't bring them on in large enough volumes to destroy an airplane.
I was also surprised by this. The three-ounce rule applies to a single passenger. All it takes is a bit of team work to get around it. A 747 for example can carry between 400 and 500 passengers depending on class layout. A team of 3 terrorists would represent less than 1% of the passengers.
Kip Hawley, former head of the TSA, has answered this question a number of times, including conversations with Schneier. Most of the liquids that can do the type of damage the TSA are concerned about are likely highly oxygen reactive, or otherwise have significant obstacles to being combined outside of a lab environment.
If that weren't the case, the TSA would have simply banned all liquids.
Why would you have to combine the liquids into one reservoir? Couldn't the N passengers just make N bombs from their 3x 3oz, each independently capable of going off, but intended to be detonated together for maximum effect?
Because then you have to get two suicide bombers on the plane at the same time.
By all indications, the 9/11 bombers were very high on the AQ food chain. The underpants bomber didn't get tens or hundreds of thousands of dollars wired to him before the op; he was a shmuck, in a strategy designed to weaponize schmucks.
If a TSA measure doubles the manpower required to carry off an AQ op, it is almost prima facie "effective". Is, I think, the logic you'd deploy against the "combine the 3oz bottles" argument.
If the TSA is acting rationally, and I have to believe they are, I would have to believe that the ingredients can't be combined outside of a lab, or trivially in a washroom. Otherwise you are right - you don't even need to have more than one person on the plane carry the dangerous liquid, in fact, you wouldn't even need the person about to blow up the plane carry the liquid - just have three or four people taking planes to random areas get together, reformulate the bomb, and then hand it off to person number five who is clean.
Of course, we're now talking about a _conspiracy_ - and a conspiracy of four average people is 100x more likely to be discovered by an intelligence team than a single attacker.
So perhaps the forcing of attacks to be _conspiracies_ is the goal of allowing only small amounts of liquids.
Regardless - I think we can all agree that it makes liquid bomb attacks substantially more difficult than simply allowing people to carry on as much liquid as they chose, and therefore opening the door wide open to a lone attacker just blowing up airplanes at will without possibility of detection.
If you think about it there are things you can do with a not too large amount of liquid chemicals that would cause serious problems on a plane. I don't think making explosives is one of them.
His reasoning appears to be 'no-one has blown a plane up with liquid explosives, therefore it must be working', at least that was the impression I got from the article.
The problem with this post is his answer to the question "What do we do when we detect a terrorist through random screening?" His answer is "shut down all commercial aviation until the most rigorous screening possible can henceforth be applied universally, effectively creating the same kind of havoc that occurs after a successful attack", and his whole post rests on this point, but I think it's totally flawed.
- Shutting down commercial flight is a better outcome (for the defender) than the destruction of 9/11
- There are alternative responses, such as heightened screening, tighter in-flight security, or checking passenger lists for people with known connections to the terrorist caught.
The article hinges on the proposition that a failed attack still serves the terrorist network's purposes. Seriously, can you imagine a terrorist being briefed like this?
"Well, if you succeed, you may shock the world and rally the Muslim nations to our cause, while drawing the Great Satan into an unwinnable war costing over a trillion dollars. If you fail... well, you're going to cause a lot of air travellers to be a little annoyed for five minutes."
There is this idea that terrorists are like devils, delighting in causing misfortune of any kind. I don't think that's the case. Al-Qaeda has concrete goals, like advancing Wahhabi ideology or ejecting the USA from the holy places. Failed missions don't support that, do they?
It was just to demonstrate a certain absurdity. No, that conversation might not happen, but the point was that the terrorist planners have objectives beyond "cause mayhem". And that increasing airline security costs probably don't even rank on their scale of worthy goals.
In Afghanistan, al-Qaeda is bleeding the USA of billions of dollars every month. But the article suggests that merely inconveniencing air travellers -- to the tune of maybe a few hundred million a year, widely dispersed -- might rank as an acceptable second best to a terrorist.
Al-Qaeda wants 'The West' to fear them. People get scared of air travel every time there is an incident, even if that incident is a terrorism attempt that was caught before it ever got off the ground. If al-Qaeda doesn't have some sort of media presence, then people will start to think that they are a non-issue. Maybe al-Qaeda doesn't really think of things in these terms, but I have a hard time believing that they are all religious fundamental crazies. For them to be so organized, some of them have to be thinking on a more practical level.
It's perfectly possible that an organization headed by the government whose primary focus is the security of airline passengers is completely incompetent and ineffective.
But is it not also possible that the TSA is purposefully putting on the guise of an incompetent governmental entity? That would seem like an excellent strategy to take, as it follows the principles in Sun Tzu's Art of War to the letter. If you are strong, appear weak, if you are weak, appear strong, etc.
If these terrorists think they can easily game the system, it will likely lead them to be less cautious, exactly as stated in the article:
Paradoxically, the best terrorist strategy (as long as they have enough volunteers) under unpredictable screening may be to prepare a cadre of suicide bombers for the least rigorous screening to which they might be subjected, and not, as the strategy assumes, for the most rigorous.
That seems like a good thing to me, and if this is the TSA's actual strategy, it's a smart one. Say one thing publicly, but do another privately.
But is it not also possible that the TSA is purposefully putting on the guise of an incompetent governmental entity?
It's extremely unlikely. For one thing, appearing incompetent in order to encourage the incautious, freelancers, amateurs and copycats is essentially using the public as bait - if you happen to miss one, people die. As a strategy it's morally and probably legally questionable.
Personally, my take on the "unpredictable security measures" is that what's really being said is "things are pretty chaotic here and we don't really have a well-thought-out plan in place, but we're going to try to cover that up by claiming that the inconsistency is actually intentional".
True, but if someone is going to go to the trouble of planning and financing an attack, I imagine they'd want a better than 20% chance of success. Especially since one attacker being caught could ruin the chances of all the others.
WHY? Really, how much do you think a PETN bomb costs? Re-read the article: nothing that happens in response to these attacks fails to help the terrorists. They send 5 people and one blows up a plane: huge positive ROI. They send 5 people and nobody blows up a plane, but commercial air travel is disrupted to the tune of hundreds of millions of dollars: huge positive ROI.
You have a good point, if you measure it in terms of financial damage, the terrorists win either way.
A side point: I suspect bombs are at bottom of the price chart in terms of financing an attack. More likely, the most expensive part is finding someone stupid enough to blow themselves up, and getting them to the right place at the right time. The cost of doing this undetected would probably increase non-linearly with the number of people involved in your attack.