As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:
- Failures are rare
- Partial failures are generally secret
- Actual failures are analyzed in secret
- Procedures are secret
- Procedures seem bizarre and arbitrary
- External analysis seems to show that the procedures are fundamentally flawed
- Those charged with doing the work appear to develop a bunker mentality
In this situation, anyone can offer up their opinions, and most of us do.
It’s hard to figure out which analysis are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created and appear equal. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.
Now, as Peter Swire has pointed out, the disclosure debate pivots on if an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to understand if a device will make it through a magnometer, that’s very different than if an attacker needs to send packets over the internet.
I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend discovered when he threw a nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:
- Laws or public inquiries require it
- The public is exposed to it or can “innocently” test it
- Accidents
In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attacker’s risk profiles.
But here’s the thing: between appropriate and important legal controls and that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.
So here’s my simple proposal:
- Publish as much of the process as can be published, in accordance with the intent of Executive Order on Classified National Security Information:
“Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”
That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.
- Publish information about failed attempts and the costs of the system
- Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
- Encourage and engage in a fuller debate with facts, rather than speculation.
There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understand we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.
So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at 
