Schneier vs. Hawley in Homeland Security Smackdown


Why does granny get hassled at the airport, like she's a member of Osama's crew? How do you get your three-year-old kid off of the no-fly list? And when can we start bringing shampoo back on the plane? All week, Wired News security guru Bruce Schneier has been running a Q&A with Transportation Security Administration chief Kip Hawley, pressing hard on all of those questions. Each of the five parts is a must-read. Here's a sample:

BS: When can we keep our shoes on?

KH: Any time after you clear security. Sorry, Bruce, I don't like it either, but this is not just something leftover from 2002. It is a real, current concern. We're looking at shoe scanners and ways of using millimeter wave and/or backscatter to get there, but until the technology catches up to the risk, the shoes have to go in the bin.

BS: This feels so much like "cover your ass" security: you're screening our shoes because everyone knows Richard Reid hid explosives in them, and you'll be raked over the coals if that particular plot ever happens again. But there are literally thousands of possible plots.

So when does it end? The terrorists invented a particular tactic, and you're defending against it. But you're playing a game you can't win. You ban guns and bombs, so the terrorists use box cutters. You ban small blades and knitting needles, and they hide explosives in their shoes. You screen shoes, so they invent a liquid explosive... [W]hy play this slow game of whittling down what people can bring onto airplanes? When do you say: "Enough. It's not about the details of the tactic; it's about the broad threat"?

KH: In late 2005, I made a big deal about focusing on Improvised Explosive Devices (IEDs) and not chasing all the things that could be used as weapons. Until the liquids plot this summer, we were defending our decision to let scissors and small tools back on planes and trying to add layers like behavior detection and document checking, so it is ironic that you ask this question -- I am in vehement agreement with your premise. We'd rather focus on things that can do catastrophic harm (bombs!) and add layers to get people with hostile intent to highlight themselves. We have a responsibility, though, to address known continued active attack methods like shoes and liquids and, unfortunately, have to use our somewhat clunky process for now.

BS: You don't have a responsibility to screen shoes; you have one to protect air travel from terrorism to the best of your ability. You're picking and choosing. We know the Chechnyan terrorists who downed two Russian planes in 2004 got through security partly because different people carried the explosive and the detonator. Why doesn't this count as a continued, active attack method?

I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers. Or search the Internet for "BeerBelly." It's a device you can strap to your chest to smuggle beer into stadiums, but you can also use it to smuggle 40 ounces of dangerous liquid explosive onto planes. The magnetometer won't detect it. Your secondary screening wandings won't detect it. Why aren't you making us all take our shirts off? Will you have to find a printout of the webpage in some terrorist safe house? Or will someone actually have to try it? If that doesn't bother you, search the Internet for "cell phone gun."

It's "cover your ass" security. If someone tries to blow up a plane with a shoe or a liquid, you'll take a lot of blame for not catching it. But if someone uses any of these other, equally known, attack methods, you'll be blamed less because they're less public.

KH: Dead wrong! Our security strategy assumes an adaptive terrorist, and that looking backwards is not a reliable predictor of the next type of attack. Yes, we screen for shoe bombs and liquids, because it would be stupid not to directly address attack methods that we believe to be active. Overall, we are getting away from trying to predict what the object looks like and looking more for the other markers of a terrorist. (Don't forget, we see two million people a day, so we know what normal looks like.) What he/she does; the way they behave. That way we don't put all our eggs in the basket of catching them in the act. We can't give them free rein to surveil or do dry-runs; we need to put up obstacles for them at every turn. Working backwards, what do you need to do to be successful in an attack? Find the decision points that show the difference between normal action and action needed for an attack. Our odds are better with this approach than by trying to take away methods, annoying object by annoying object. Bruce, as for blame, that's nothing compared to what all of us would carry inside if we failed to prevent an attack.