Comments on: We are all security customers
Counterpane CTO Bruce Schneier says security is always going to be a trade-off, and that will force users to view the future through a different prism.
Mr Schneier is disguising his pacifistic political agenda as a technology perspective. It seems his cure for our security issues is inaction - a very un-American approach. Multimodal event correlation and fusion across systems like CAPSS-II and US Visit can prevent events like 9/11, simply because they flag the potential suspects and warn the next security layer. Such a system would have prevented some of the 9/11 hijackers from getting on board if suspect data from State Dept, INS and FBI could have been fused and correlated.
Mr Schneier, seemingly well intentioned, is naive about terrorism, the terrorists and their end goal. The tag team of terrorists and so called Islamist moderates have two complementary goals. The terrorists envision an unrealistic global Islamic state with the whole humanity as Moslems. The moderates have a more plausible agenda, namely that of a global Islamist hegemony replacing the western influence. These two groups are playing the classic good cop/bad cop technique to force the world into a policy of Islamist appeasement.
The only question remaining for us is the following. Are we willing to lose Americans every day for draining the terrorist swamps at the source around the world, or are we willing to sacrifice some of our liberties and freedom for our security? Mr Schneier wants to do neither because both are inconvenient. He wants to have his cake and eat it too - a classic pacifistic fuzziness which guarantees yet another security disaster, not to mention subservience to terrorists, just like Spain - yet another un-American suggestion.
Sincerely,
Ravi Razdan
[i]
Multimodal event correlation and fusion across systems like CAPSS-II and US Visit can prevent events like 9/11 simply because they flag the potential suspects and warn the next security layer.
[/i]
It all sounds good but is that approach the most cost effective approach? Are there alternatives that are even more effective in preventing terrorism? We need these types of discussions and I think that's the point that the author is trying to bring across. Have you talked with academics about alternatives to CAPSS-II or are you assuming that it's the best approach just because the government says so?
[i]
... or are we willing to sacrifice some of our liberties and freedom for our security ?
[/i]
I think everyone is, but the real question is: is that security the best security there is? Or are we being duped by the government to pay more than is necessary for it? As Americans who value their liberty and freedoms more than anyone in the world, are we satisfied with paying more for the sacrifice or do we want to minimize the costs?
In keeping on topic, I agree with him. Whenever you are going to implement a solution to a problem, whether a security, political, military, or social one, you need to look at the costs and weigh them against the benefits of the solution. Why spend $10 billion on computer security to protect a $10,000 database with public information of car parts? Would you want to give up any of your civil liberties or rights in order to allow a security tool that will read every email you send, no matter where it is sent to or from, just to allow police to monitor for suspected terrorists sending emails?
Security management needs to work hard to make their case for security spending as it is. What makes it harder is not being able to show a return on investment, or how the security measures will help the company in any other ways or how it will not affect the company's business in any way.
Management needs to implement a risk management process, and part of that process should be in assessing the financial and other costs of security. Then there won't be bigger problems caused by creating a $10 billion paperweight.
Better pipes between law-enforcement and intelligence agencies would hopefully have flagged some/all of the 9/11 terrorists, but do we really need to monitor all e-mail traffic for suspect words and phrases? Given the false-positives we see already in spam filters, what makes you think the Feds won't slip up as well?
I'm definitely in favor of better security (I lost schoolmates at WTC), but Franklin's quote still holds: "Those who would give up essential liberty to purchase a little temporary safety deserve neither". The massive expenditures currently being made in the name of domestic security seem mainly to be concerned with window-dressing such as nationalizing airport screeners, and less with root-cause work like better human intelligence, because *that's* longer-term and less flashy.
It seems the Neoconservatives have Mr Razdan nicely brainwashed. Perhaps he does not know that Richard Perle of the defense policy review board advocated that PM Netanyahu of Israel should attack Iraq as early as 1996. Fortunately, Netanyahu did not. Unfortunately, Bush did in 2003, with an event horizon of 9/11 and without a grasp on history. The New Yorker did a nice exposé of Richard Perle and his dealings with Saudi Adnan Khashoggi (of Iran Contra scandal) but failed to report Khashoggi's role as a Mossad agent (Ostrovsky, 1990, ISBN 0-9717595-0-2). Smell something unpleasant? Go to Google and follow the scent!
Perhaps Mr. Razdan would care to accompany me on my next business trip to Karachi or Riyadh to get a feel for just how much security $100 billion plus has bought so far. Or he might care to visit Turkey to find out why youth there are demanding the right to wear hijab and then visit Iran to find out why youth there are demanding the right NOT to wear it. Confused? So much for rampant Islamism! The quests for cultural identity, gender equality and universal justice are perhaps more pressing issues for the majority of the MidEast populace!
It is the gross oversimplification and naivety of the Neoconservatives including their "Project For The New American Century" and their projections of power that are a destabilising influence in the world in general and the MidEast in particular.
It's nice to see Bruce Schneier put a free market economy cost/value assessment on security since these are values the Neocons also espouse. Sometimes doing nothing is the right thing to do, especially if there is no pressing need. Let the democratic process take its course and find out what the American people want to spend the next $100 billion on!
Simply Universal Best Practice in Security
by djugan July 25, 2004 4:43 AM PDT
Bruce Schneier uses our current national security situation to make a point that is well known to trained information security professionals: Security begins with a thorough effort to understand the probability of the occurrence of a specific event coupled with a thorough assessment of loss that could be incurred as a result of this event.
He chose our ongoing national security situation and applied 'best practice' to a situation that is familiar to all of us.
Unfortunately, corporations, institutions, and government often fail to fully comprehend or simply dismiss this longstanding, prudent approach to risk assessment. The insurance industry has always used this model as their basis for setting rates. Consumers, perhaps unmindful of these fundamentals, have purchased all forms of life and casualty insurance while making these trade-offs with premium (cost of coverage) vs. extent of coverage (mitigation of risk).
The bottom line in all forms of security and risk management is simply that there are no magic bullets that guarantee total security in any time or place. Rather, we must consider security as a journey without a destination -- a process rather than a product -- and make the best choices available based on sound information, accurate assessment, reasonable economic and social costs, and plain old common sense.
These fundamentals hold true in most, if not all, forms of security practice -- information security and national security included.