Phil Bond Doesn’t Understand Security

Here’s an interesting Washington Technology article on the security issues that would be created by implementing the REAL ID Act. Complying with the law would require states to create huge, nationally accessible databases of information about all licensed drivers and ID card-holders. Computer security guru Bruce Schneier, chief technology officer at BT Counterpane Internet Security, is quoted, saying “Computer scientists don’t know how to keep a database of this magnitude secure.”

The really striking quote from the article, though, goes to a different kind of security: security against terrorist attacks. Information Technology Association president Phil Bond is quoted in a statement on the REAL ID Act:

“Today’s system is the system that helped to bring us the terrorist attacks of Sept. 11, 2001,” said Phil Bond, ITAA president, in the statement. “We know the problem, and we have the technology to fix it.”

How many different ways has Bond gotten security wrong? I can’t list them all, but …

The first is the implied causal relationship between our present-day ID card system and terror attacks. There are many causes of terrorism and terrorist attacks - Ron Paul recently stirred the Republican pot by suggesting they include an interventionist foreign policy. To respond to the literal import of Bond’s statement: the ID system in our country did not cause weak groups elsewhere to adopt the strategy of terrorism. Our current ID and licensing system did not “bring us” the terrorist attacks of September 11, 2001.

But Bond was making purposeful use of inaccurate language. His implication is that the current driver licensing system is so lacking in security measures that it can be treated as an equivalent to a real cause of terrorist attack. This is where Bond’s security ignorance shines like a beacon.

For all the benefits they provide, including a modicum of security, identity systems provide almost no security against committed opponents like terrorist organizations, criminal enterprises, or even hardened criminals. In my book Identity Crisis: How Identification is Overused and Misunderstood, I show how identity acts as an economic and social glue. It brings people together for all kinds of transactions, and it holds them together if and when things go wrong. But I also show how breakable this glue is. Identity does not reveal intention.

People who have studied identity and security know that you can’t extrapolate from the use of identity in every-day transactions to the use of identity in counter-terrorism. Commited bad actors will defraud, inflitrate, or corrupt card issuing systems, or create fraudulent identity documents directly - to say nothing of simply avoiding targets that are controlled by identification checks. (That’s not a big improvement in security. There are far more uncontrolled targets than controlled targets.)

Evidently, Phil Bond is not someone who has studied identity and security, which is a shame given that he is the highly regarded leader of a significant technology-industry trade association.