Rich here. I’m writing thi from an airport, so I will eschew my normal ‘personal’ intro and spend a little time on our favorite security show: Airport Screening Follies.

(But before I do that, go buy Motherless Children by Dennis Fisher. Dennis is an actual writer, and despite him screwing up an EMT reference it’s a great book (so far… nearly halfway through)).

It’s easy to knock the TSA. But like kicking a puppy, it’s also far from satisfying.

And while it’s also easy to criticize specific screening techniques, it might be more useful to understand them. Because if we really want our airport traveling experience to change, we need to attack the economics and stop wasting our time focusing on the value of particular security controls, or the failings of a small percentage of the workforce.

If we look at the TSA, there are really three levels of people involved (not counting the public):

  • Policymakers (politicians)
  • TSA executives (and high-level appointees)
  • TSA staff

Let’s take a moment to look at the dynamics at each level.

  • Politicians only care about being reelected, and don’t want any responsbility for their actions. To them the risk of changing the TSA is that on the off chance something bad, happens they will be excoriated (worst case: not re-elected). The reward for actually changing TSA practices is low, while the reward for posturing is high. In other words: if a politician implements a reduction in security and something bad happens they are likely to be held responsible even if it’s a coincidence; but proposing bills that don’t pass, loudly demanding tigher security (even if their demands are meaningless), and spending complaining to the press, all help them get reelected. So they all talk a lot without doing anything useful.
  • TSA execs – the high-level decision-makers – face the same risks as politicians. Drop a single pointless security ‘control’, and when the next event happens they will be stoned by politicians, press, and the public. There is no cost to them for implementing more security theater, but there is a high risk from removing anything. It’s not an evil mindset, and not one they are necessarily conscious of, but the sad truth is that it is at least as important for them to look like they are doing anything to address every potential visible risk, as to actually stop an attack or improve transportation.
  • TSA staff mostly just want to keep their jobs. One important way to do that is to buy into the security theater. They also want to feel good about their work, so like an AV vendor hyping Mac malware, they believe that even low-value security is important – it’s what they do, day to day. I don’t mean this in an insulting way. There is actually a lot of value in screening, although certain TSA technologies and practices are basically pointless. When you are in the trenches, it is often hard to divest yourself emotionally and to understand the differences objectively. I’m fairly certain that many of our fine readers enforce plenty of IT security theater (especially when it comes to passwords), so you all know what I mean. As a guy who used to hand-search thousands of concert and football attendees, I get it.

What about the flying public? The only thing we can control is the political environment, and if we aren’t going to hold our elected officials responsible for their economic foibles we certainly aren’t going to vote based on who will change the TSA.

So our politicians really have nothing vested in reducing security theater. We have executives and appointees who see only a downside to reducing it, because public complaints don’t really affect them. And they are motivated to double down when challenged so they seem ‘decisive’ and knowledgeable. Last we have the staffers who just want to keep their jobs and go home without feeling like asses.

It’s all risk/reward, and the odds certainly do not favor the flying public. Until the political climate for security theater becomes untenable nothing will change. And that won’t happen as long as we have 24-hour news channels and talk radio.

Oh – and this all applies to CISPA, and whatever else is pissing you off today.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to CJG, in response to Watching the Watchers: Access to the Keys (to the Kingdom) – New Series.

There are many solutions out there for identity management and access control, almost all are software bits installed on the servers themselves. What I have found is most if not all (yet to find one that doesn’t have this P-User hole) software based tools only manage the “logged in” user. In the case of windows servers many of the tools watch the windows user account you are logged in with, unfortunately if you then connect to a DB with SA credentials you are now outside the awareness of the tool. SA in MS SQL is dangerous because of XP_cmdshell, you now have system access to run any command line kung fu you can Google. This is true with most DB software, MS SQL being the biggest eyesore I’ve come across so far.