Tuesday, February 15, 2005

Bureaucracy at Work, Protecting the Skies

Bruce Schneier's CRYPTO-GRAM from 2/15/05.

As I wrote last month, I am participating in a working group to study
the security and privacy of Secure Flight, the U.S. government's
program to match airline passengers with a terrorist watch list. In the
end, I signed the NDA allowing me access to SSI (Sensitive Security
Information) documents, but managed to avoid filling out the paperwork
for a SECRET security clearance.

Last month the group had its second meeting.

At this point, I have four general conclusions. One, assuming that we
need to implement a program of matching airline passengers with names
on terrorism watch lists, Secure Flight is a major improvement -- in
almost every way -- over what is currently in place. (And by this I
mean the matching program, not any potential uses of commercial or
other third-party data.)

Two, the security system surrounding Secure Flight is riddled with
security holes. There are security problems with false IDs, ID
verification, the ability to fly on someone else's ticket, airline
procedures, etc. There are so many ways for a terrorist to get around
the system that it doesn't provide much security.

Three, the urge to use this system for other things will be
irresistible. It's just too easy to say: "As long as you've got this
system that watches out for terrorists, how about also looking for this
list of drug dealers...and by the way, we've got the Super Bowl to
worry about too." Once Secure Flight gets built, all it'll take is a
new law and we'll have a nationwide security checkpoint system.

And four, a program of matching airline passengers with names on
terrorism watch lists is not making us appreciably safer, and is a
lousy way to spend our security dollars.

Unfortunately, Congress has mandated that Secure Flight be implemented,
so it is unlikely that the program will be killed. And analyzing the
effectiveness of the program in general, potential mission creep, and
whether the general idea is a worthwhile one, is beyond the scope of
the working group. In other words, my first conclusion is basically all
that they're interested in hearing.

But that means I can write about everything else.

To speak to my fourth conclusion: Imagine for a minute that Secure
Flight is perfect. That is, we can ensure that no one can fly under a
false identity, that the watch lists have perfect identity information,
and that Secure Flight can perfectly determine if a passenger is on the
watch list: no false positives and no false negatives. Even if we could
do all that, Secure Flight wouldn't be worth it.

Secure Flight is a passive system. It waits for the bad guys to buy an
airplane ticket and try to board. If the bad guys don't fly, it's a
waste of money. If the bad guys try to blow up shopping malls instead
of airplanes, it's a waste of money.

If I had some millions of dollars to spend on terrorism security, and I
had a watch list of potential terrorists, I would spend that money
investigating those people. I would try to determine whether or not
they were a terrorism threat before they got to the airport, or even if
they had no intention of visiting an airport. I would try to prevent
their plot regardless of whether it involved airplanes. I would clear
the innocent people, and I would go after the guilty. I wouldn't build
a complex computerized infrastructure and wait until one of them
happened to wander into an airport. It just doesn't make security sense.

That's my usual metric when I think about a terrorism security measure:
Would it be more effective than taking that money and funding
intelligence, investigation, or emergency response -- things that
protect us regardless of what the terrorists are planning next. Money
spent on security measures that only work against a particular
terrorist tactic, forgetting that terrorists are adaptable, is largely
wasted.
