Many large and expensive government programs--the CAPPS II airline profiling system, the US-VISIT program that fingerprints foreigners entering our country, and the various data-mining programs in research and development--take as a given the need for more security.
At the end of 2005, when many provisions of the controversial Patriot Act expire, we will again be asked to sacrifice certain liberties for security, as many legislators seek to make those provisions permanent.
As a security professional, I see a vital component missing from the debate.
As Americans, and as citizens of the world, we need to think of ourselves as security consumers. Just as a smart consumer looks for the best value for his dollar, we need to do the same. Many of the countermeasures being proposed and implemented cost billions. Others cost in other ways: convenience, privacy, civil liberties, fundamental freedoms, greater danger of other threats. As consumers, we need to get the most security we can for what we spend.
The invasion of Iraq, for example, is presented as an important move for national security. It may be true, but it's only half of the argument. Invading Iraq has cost the United States enormously. The monetary bill is more than $100 billion, and the cost is still rising. The cost in American lives is more than 600, and the number is still rising. The cost in world opinion is considerable. There's a question that needs to be addressed: "Was this the best way to spend all of that? As security consumers, did we get the most security we could have for that $100 billion, those lives, and those other things?"
If it was, then we did the right thing. But if it wasn't, then we made a mistake. Even though a free Iraq is a good thing in the abstract, we would have been smarter spending our money, and lives and good will, in the world elsewhere.
That's the proper analysis, and it's the way everyone thinks when making personal security choices. Even people who say that we must do everything possible to prevent another Sept. 11 don't advocate permanently grounding every aircraft in this country. Even though that would be an effective countermeasure, it's ridiculous. It's not worth it. Giving up commercial aviation is far too large a price to pay for the increase in security that it would buy. Only a foolish security consumer would do something like that.
We need to bring the same analysis to bear when thinking about other security countermeasures. Is the added security from the CAPPS-II airline profiling system worth the billions of dollars it will cost, both in dollars and in the systematic stigmatization of certain classes of Americans? Would we be smarter to spend our money on hiring Arabic translators within the FBI and the CIA, or on emergency response capabilities in our cities and towns?
As security consumers, we get to make this choice. America doesn't have infinite money or freedoms. If we're going to spend them to get security, we should act like smart consumers and get the most security we can.
The efficacy of a security countermeasure is important, but it's never the only consideration.
Similarly, much of what is being proposed as national security is a bad security trade-off. It's not worth it, and as consumers we're getting ripped off.
Being a smart security consumer is hard, just as being a good citizen is hard. Why? Because both require thoughtful consideration of trade-offs and alternatives. But in this election year, it is vitally important. We need to learn about the issues. We need to turn to experts who are nonpartisan--who are not trying to get elected or stay elected. We need to become informed. Otherwise it's no different than walking into a car dealership without knowing anything about the different models and prices--we're going to get ripped off.
Biography
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."
Mr Schenier is disguising his pacifistic political agenda as a technology perspective. It seems his cure for our security issues is inaction- a very un-American approach. Multimodal event correlation and fusion across systems like CAPSS-II and US Visit can prevent events like 9/11, simply because they flag the potential suspects and warn the next security layer. Such as system would have prevented some of the 9/11 hijackers from getting on board if suspect data from Sate Dept, INS and FBI could have been fused and correlated.
Mr Schenier, seemingly well intentioned is naive about terrorism, the terrorists and their end goal. The tag team of terrorists and so called Islamist moderates have two complementary goals. The terrorist envision a unrealistic global Islamic state with the whole humanity as Moslems. The moderates have a more plausible agenda, namely that of a global Islamist hegemony replacing the western influence. These two groups are playing the classic good cop/bad cop technique to force the world into a policy of Islamist appeasement.
The only question remaining for us is the following. Are we willing to lose Americans everyday for draining the terrorist swamps at the source around the world, or are we willing to sacrifice some of our liberties and freedom for our security ? Mr Schenier wants do neither because both are inconvenient. He wants his cake and eat it too - a classic pacifistic fuzziness which guarantees yet another security disaster not to mention subservience to terrorists, just like Spain ? a yet another un-American suggestion.
Sincerley,
Ravi Razdan
Multimodal event correlation and fusion across systems like CAPSS-II and US Visit can prevent events like 9/11 simply because they flag the potential suspects and warn the next security layer.
[/i]
It all sounds good but is that approach the most cost effective approach? Are there alternatives that are even more effective in preventing terrorism? We need these types of discussions and I think that's the point that the author is trying to bring across. Have you talked with academics about alternatives to CAPSS-II or are you assuming that it's the best approach just because the government says so?
[i]
... or are we willing to sacrifice some of our liberties and freedom for our security ?
[/i]
I think everyone is, but the real question is is that security the best security there is? Or are we being duped by the government to pay more than is necessary for it. As Americans who value their liberty and freedoms more than anyone in the world, are we satisfied with paying more for the sacrifice or do we want to minimize the costs?
In keeping on topic, I agree with him. Whenever you are going to implement a solution to a problem, whether a security, political, military, or social one, you need to look at the costs and weigh them against the benefits of the solution. Why spend $10 billion on a computer security to protect a $10,000 database with public information of car parts. Would you want to give up any of your civil liberties or rights in order to allow a security tool that will read every email you send, no matter where it is sent to or from, just to allow police to monitor for suspected terrorists sending emails?
Security management needs to work hard to make their case for security spending as it is. What makes it harder is not being able to show a return on investment, or how the security measures will help the company in any other ways or how it will not affect the company's business in any way.
Management needs to implement a risk management process, and part of that process should be in assessing the financial and other costs of security. Then there won't be bigger problems caused by creating a $10 billion paperweight.
Better pipes between law-enforcement and intelligence agencies would hopefully have flagged some/all of the 9/11 terrorists, but do we really need to monitor all e-mail traffic for suspect words and phrases? Given the false-positives we see already in spam filters, what makes you think the Feds won't slip up as well?
I'm definitely in favor of better security (I lost schoolmates at WTC), but Franklin's quote still holds: "Those who would give up essential liberty to purchase a little temporary safety deserve neither". The massive expenditures currently being made in the name of domestic security seem mainly to be concerned with window-dressing such as nationalizing airport screeners, and less with root-cause work like better human intelligence, because *that's* longer-term and less flashy.
It seems the Neoconservatives have Mr Razdan nicely brainwashed. Perhaps he does not know that Richard Perle of the defense policy review board advocated that PM Netanyahu of Israel should attack Iraq as early as 1996. Fortunately, Netanyahu did not. Unfortunately, Bush did in 2003, with an event horizon of 9/11 and without a grasp on history. The New Yorker did a nice exposée of Richard Perle and his dealings with Saudi Adnan Khashoggi (of Iran Contra scandal) but failed to report Khashoggi's role as a Mossad agent (Ostrovsky, 1990, ISBN 0-9717595-0-2). Smell something unpleasant? Go to Google and follow the scent!
Perhaps Mr. Razdan would care to accompany me on my next business trip to Karachi or Riyadh to get a feel for just how much security $100 billion plus has bought so far. Or he might care to visit Turkey to find out why youth there are demanding the right to wear hijab and then visit Iran to find our why youth there are demanding the right NOT to wear it. Confused? So much for rampant Islamism! The quests for cultural identity, gender equality and universal justice are perhaps more pressing issues for the majority of the MidEast populous!
It is the gross oversimplification and naivety of the Neoconservatives including their "Project For The New American Century" and their projections of power that are a destabilising influence in the world in general and the MidEast in particular.
It's nice to see Bruce Schneier put a free market economy cost/value assessment on security since these are values the Neocons also espouse. Sometimes doing nothing is the right thing to do, especially if there is no pressing need. Let the democratic process take its course and find out what the American people want to spend the next $100 billion on!
- Simply Universal Best Practice in Security
- by djugan July 25, 2004 4:43 AM PDT
- Bruce Schneier uses our current national security situation to make a point that is well know to trained information security professionals: Security begins with a thorough effort to understand the probability of the occurrence of a specific event coupled with a thorough assessment of loss that could be incurred as a result of this event.
- Like this Reply to this comment
-
(6 Comments)He chose our ongoing national security situation and applied 'best practice' to a situation that is familiar to all of us.
Unfortunately, corporations, institutions, and government often fail to fully comprehend or simply dismiss this longstanding, prudent approach to risk assessment. The insurance industry has always used this model as their basis for setting rates. Consumers, perhaps unmindful of these fundamentals, have purchased all forms of life and casualty insurance while making these trade-offs with premium (cost of coverage) vs. extent of coverage (mitigation of risk).
The bottom line in all forms of security and risk management is simply that there are no magic bullets that guarantee total security in any time or place. Rather, we must consider security as a journey without a destination ? a process rather than a product ? and make the best choices available based on sound information, accurate assessment, reasonable economic and social costs, and plain old common sense.
These fundamentals hold true in most, if not all, forms of security practice -- information security and national security included.