Identity Systems Aren’t Good Security, and Other Lessons From the Chicago Airport Fake ID Story

AFP is reporting that more than a hundred people with false identification documents were given employee security passes to Chicago’s O’Hare airport.

This is a good opportunity to compare conventional wisdom to actual security wisdom.

CW: This was a breach of the airport’s security system.
W: This was definitely a breach of the airport’s identity system, but identity systems provide very little security. The airport’s security, already weak if it relied on workers’ identities, was little changed.

CW: “ ‘If we are to ensure public safety, we must know who has access to the secure areas of airports,’ said Patrick Fitzgerald, US attorney for the northern district of Illinois.”
W: Public safety can’t be ensured by knowing who has access to the secure areas of airports. Knowing who has access may protect against ordinary threats like theft, but not against the threats to aviation that we care about.

CW: “A fundamental component of airport safety is preventing the use of false identification badges and punishing those who commit or enable such violations.”
W: Preventing the use of false identification is a trivial component of airport safety. It’s a fundamental component of airport safety programs, which are mostly for show. Security expert Bruce Schneier calls them “security theater.”

CW: “Unauthorized workers employed at sensitive facilities such as airports, nuclear power plants, chemical plants, military bases, defense facilities and seaports pose a vulnerability which compromises the integrity of those key assets,’ US Immigration and Customs Enforcement said in a statement.”
W: Authorized workers employed at sensitive facilities pose a vulnerability which compromises the integrity of those very same assets. If you want to prevent some kind of harm, you must make that harm difficult to cause, regardless of who may try.

Security is not easy.