Friday, December 19, 2008

Penetration-testing national security

The TSA is ridiculous. Bruce Schneier just posted an article about bypassing airport security. Apparently, contractors, repairmen and others enter airports -- sometimes with utility vans -- and get tarmac access, often without going through security.

Meanwhile, I wait in line to have my coke taken away because it's more than 3.5 ounces of liquid, and send my my Croc sandals through an astoundingly expensive scanner. The last time I went through security at Salt Lake International, I counted twenty-two TSA workers. It was early in the morning and there was no line. Four of them were working and the other eighteen were chatting in two big groups. All part of what Schneier calls security theatre.

All this security (which is dubious to begin with) is more than canceled out by negligent (or simply stupid) attitudes towards the simpler and more mundane risks that airports face. I'm sure that these security-nullifying attitudes vary widely from airport to airport, and even from employee to employee. I'm referring to bad habits that become part of the work culture -- like not asking for unknown people's ID (@Swede) and letting vans onto the tarmac with nothing more than a contractor logo (@WarLord).

Here's what I wish the government would do -- not just the TSA, but the NSA and others as well: pen-test national security. Send security contractors posing as contractors to airports and see if they can get in. Can they get a piece of unchecked luggage onto a plane? Can they leave without getting caught?

Clearly, there would need to be a robust vetting process to avoid costly lockdowns when the intrusions do get caught. Maybe, the first thing airports would do with a suspected breach would be to call directly to a national authority (TSA, for example) and check if it's a test. This extra complexity would add some cost and some potential security flaws.

Still, I think it would be a vastly better use of money than most of what the TSA is doing now. It would decrease overall risk significantly because airports would have a real, month-by-month financial and legal incentive to ensure real security. Most importantly, it would bring some accountability to airports and to the security programs that operate in them. There would be actual data on how frequently and severely trained, funded attackers can compromise various systems at airports. Security performance could be compared between airports, between security programs, and over time.

Nothing screams "wasteful theatre" louder than a $4.18 billion (FY2008) TSA budget and no real, quantitative evaluation of its effectiveness. Let's pen test airports and find out how well the security systems really work ... or if they work at all.

No comments: