Tag: Security

Schneier and Friends on Fixing Airport Security

Security guru Bruce Schneier comes down on the strictly pragmatic side in this essay called “Fixing Airport Security.” Because of terrorism fears, he says, TSA checkpoints are “here to stay.” The rules should be made more transparent. He also argues for an amendment to some constitutional doctrines:

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is “implied consent,” which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is “plain view,” which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that. Both of these principles are well established and make sense, but it’s their combination that turns airport security checkpoints into police-state-like checkpoints.

The comments turn up an important recent Fourth Amendment decision circumscribing TSA searches. In a case called United States v. Fofana, the district court for the southern district of Ohio held that a search of passenger bags going beyond what was necessary to detect articles dangerous to air transportation violated the Fourth Amendment. “[T]he need for heightened security does not render every conceivable checkpoint search procedure constitutionally reasonable,” wrote the court.

Application of this rule throughout the country would not end the “police-state-like checkpoint,” but at least rummaging of our things for non-air-travel-security would be restrained.

I prefer principle over pragmatism and would get rid of TSA.

Trading Washington for Tbilisi?

Alliances often are advanced, as with NATO expansion, as a cheap way of keeping the peace.  After all, it is said, no one would dare challenge America.  But while alliances can deter, deterrence can fail – with catastrophic consequences.  Both World Wars I and II featured failed alliances and security guarantees.  Oops!

If deterence fails, the guaranteeing state either has to retreat ignominously or plunge into war, neither of which is likely to be in America’s interest.  Moreover, promising to defend other nations encourages them to be irresponsible:  after all, why not adopt a risky foreign policy if Washington is willing to back you up, nuclear weapons and all?  It’s a form of moral hazard applied to foreign policy.

That appears to be the case with the country of Georgia.  There’s a lot of disagreement over the character of Mikhail Saakashvili’s government, even among libertarians.  But a new European Union panel has amassed evidence that President Saakashvili is a bit of a foreign policy adventurer.  Reports Spiegel online:

Unpublished documents produced by the European Union commission that investigated the conflict between Georgia and Moscow assign much of the blame to Georgian President Mikhail Saakashvili. But the Kremlin and Ossetian militias are also partly responsible.

From her office on Avenue de la Paix, Swiss diplomat Heidi Tagliavini, 58, looks out onto the botanical gardens in peaceful Geneva. The view offers a welcome respite from the stacks of documents on her desk, which deal exclusively with war and war blame. They contain the responses, from the conflicting parties in the Caucasus region – Russia, Georgia, South Ossetia and Abkhazia – to a European Union investigative commission conducting a probe of the cause of the five-day war last August. The documents also include reports on the EU commission’s trips to Moscow, the Georgian capital Tbilisi and the capitals of Abkhazia and South Ossetia, dossiers assembled by experts and the transcripts of interviews of diplomats, military officials and civilian victims of the war.

The Caucasus expert, nicknamed “Madame Courage” by the Zurich-based Swiss daily Neue Zürcher Zeitung, is considered a specialist on sensitive diplomatic matters. The Caucasus issue is the most difficult challenge she has faced to date. The final report by the commission she heads must be submitted to the EU Council of Ministers by late July. In the report, Tagliavini is expected to explain how, in August 2008, a long-smoldering regional conflict over the breakaway Georgia province of South Ossetia could suddenly have escalated into a war between Georgia and its much more powerful neighbor, Russia. Who is to blame for the most serious confrontation between East and West since the end of the Cold War?

In addition to having a budget of €1.6 million ($2.2 million) at her disposal, Tagliavini can draw on the expertise of two deputies, 10 specialists, military officials, political scientists, historians and international law experts.

Much hinges on the conclusions her commission will reach. Is Georgia, a former Soviet republic, a serious candidate for membership in NATO, or is the country in the hands of a reckless gambler? Did the Russian leadership simply defend South Ossetia, an ally seeking independence from Georgia, against a Georgian attack? Or did Russia spark a global crisis when its troops occupied parts of Georgia for a short period of time?

The confidential investigative commission documents, which SPIEGEL has obtained, show that the task of assigning blame for the conflict has been as much of a challenge for the commission members as it has for the international community. However, a majority of members tend to arrive at the assessment that Georgian President Mikhail Saakashvili started the war by attacking South Ossetia on August 7, 2008. The facts assembled on Tagliavini’s desk refute Saakashvili’s claim that his country became the innocent victim of “Russian aggression” on that day.

In summarizing the military fiasco, commission member Christopher Langton, a retired British Army colonel, claims: “Georgia’s dream is shattered, but the country can only blame itself for that.”

Whatever the justification for President Saakashvili’s conduct, it certainly isn’t the kind of policy to which the U.S. should tie itself.  Yet including Georgia in NATO would in effect make President Saakashvili’s goals those of the American government and, by extension, the American people.

How many Americans should die to ensure that George gets to rule South Ossetia and Abkhazia?  Should we risk Washington for Tbilisi?  These are questions the Obama administration should answer before it joins the Bush administration in pushing NATO membership for Georgia.  The American people deserve to know exactly what risks the Obama administration plans to take with their lives and homelands before adding yet another fragile client state to Washington’s long list of security dependents.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/ August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I agree.

Exciting! But Not True …

The Center for a New American Security is hosting an event on cybersecurity next week. Some fear-mongering in the text of the invite caught my eye:

[A] cyberattack on the United States’ telecommunications, electrical grid, or banking system could pose as serious a threat to U.S. security as an attack carried out by conventional forces.

As a statement of theoretical extremes, it’s true: The inconvenience and modest harms posed by a successful crack of our communications or data infrastructure would be more serious than an invasion by the Duchy of Grand Fenwick. But as a serious assertion about real threats, an attack by conventional forces (however unlikely) would be entirely more serious than any “cyberattack.”

This is not meant to knock the Center for a New American Security specifically, or their event, but breathless overstatement has become boilerplate in the “cybersecurity” area, and it’s driving the United States toward imbalanced responses that are likely to sacrifice our wealth, progress, and privacy.

… But What Is “Cyber”?

Cyberwar. Cyberdefense. Cyberattack. Cybercommand.

You run across these four words before you finish the first paragraph of this New York Times story (as reposted on msnbc.com). It’s about government plans to secure our technical infrastructure.

When you reach the end of the story, though, you still don’t know what it’s about. But you do get a sense of coming inroads against Americans’ online privacy.

The problem, which the federal government has assumed to tackle, is the nominal insecurity of networks, computers, and data. And the approach the federal government has assumed is the most self-gratifying: “Cyber” is a “strategic national asset.” It’s up to the defense, intelligence, and homeland security bureaucracies to protect it.

But what is “cyber”?

With the Internet and other technologies, we are creating a new communications and commerce “space.” And just like the real spaces we are so accustomed to, there are security issues. Some of the houses have flimsy locks on the front doors. Some of the stores leave merchandise on the loading docks unattended. Some office managers don’t lock the desk drawers that hold personnel files. Some of the streets can be too easily flooded with water. Some of the power lines can be too easily snapped.

These are problems that should be corrected, but we don’t call on the federal government to lock up our homes, merchandise, and personnel files. We don’t call on the federal government to fix roads and power lines (deficit “stimulus” spending aside). The federal government secures its own assets, but that doesn’t make all assets a federal responsibility or a military problem.

As yet, I haven’t seen an explanation of how an opponent of U.S. power would use “cyberattack” to advance any of its aims. If it’s even possible, which I doubt, taking down our banking system for a few days would not “soften up” the country for a military attack. Knocking out the electrical system in one region of the country for a day wouldn’t let Russia take control of the Bering Strait. Shutting down Americans’ access to Google Calendar wouldn’t advance Islamists’ plans for a worldwide Muslim caliphate.

This is why President Obama’s speech on cybersecurity retreated to a contrived threat he called “weapons of mass disruption.” Fearsome inconvenience!

The story quotes one government official as follows:

“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”

That’s correct. “Cyber” is not a problem that affects our sovereignty or the integrity of our national boundaries. Thus, it’s not a problem for the defense or intelligence establishments to handle.

The benefits of the online world vastly outstrip the risks - sorry Senator Rockefeller. With those benefits come a variety of problems akin to graffiti, house fires, street closures, petit theft, and organized crime. Those are not best handled by centralized bureaucracies, but by the decentralized systems we use to secure the real world: property rights, contract and tort liability, private enterprise, and innovation.

Cyber Security “Facts”

National Journal’s “Expert Blog” on National Security asked me late last week to comment on the question, “How Can Cyberspace Be Defended?” My comment and others went up yesterday.

My response was a fun jaunt through issues on which there are no experts. But the highlight is the response I drew out of Michael Jackson, the former #2 man at the Department of Homeland Security.

It does little to promote serious discourse about the truly grave topic of cyber security threats to begin by ridiculing DHS and DOD as “grasping for power” or to suggest that President Obama has somehow been duped into basing his sensible cyber strategy on “a lame and corny threat model called ‘weapons of mass disruption.’” It shows ignorance of the facts to deny that cyber vulnerabilities do indeed present the possibility of “paralyzing results.”

Jackson neglects to link to a source proving the factual existence of “paralyzing” threats to the Internet – he’d have to defeat the Internet’s basic resilient design to do it. (Or he has collapsed the Internet, the specific way of networking I was talking about, with “cyber” – a meaningless referent to everything.) But the need for tight argument or proof is almost always forgiven in homeland security and cyber security, where the Washington, D.C. echo-chamber relentlessly conjures problems that only an elite bureaucracy can solve.

In another comment – not taking umbrage at mine, but culturally similar to Jackson’s – Ron Marks, Senior Vice President for Government Relations at Oxford-Analytica, says, “Cyberterrorism is here to stay and will grow bigger.” The same can be said of the bogeyman, but the bogeyman isn’t real either.

(To all interlocutors: Claiming secrecy will be taken as confessing you have no evidence.)

Jackson’s close is the tour de force though: “Good people are working hard on these matters, and they deserve our unwavering financial and personal support. For now and for the long-term.”

A permanent tap on America’s wallets, and respect on command? Sounds like “grasping for power” to me.

House Votes against “Strip-Search” Machines

Yesterday the House adopted an amendment to the Transportation Security Administration Authorization Act that would prohibit the TSA from using Whole Body-Imaging machines for primary screening at airports and require the TSA to give passengers the option of a pat-down search in place of going through a WBI machine, among other things.

You can read the amendment here, and the roll call vote will soon be up here. Use it to decide whether to cheer or jeer your member of Congress.

More on strip-search machines here, here, and here.