« Speak Softly, and Don't Buy Anyone A Stick | Main | Can't Write Them Out of the Script Entirely »

December 31, 2009

Comments

As delicious as a three-stripe Secretary would be, I believe her last name is spelled Napolitano.

On topic: It's worth pointing out that some elements of airplane security probably did work correctly and probably did prevent a worse outcome.

A (Dutch!) passenger noticed the bomber's suspiciously burning crotch and interrupted him.

Additionally, Al Qaeda's novelly-hidden bombs haven't worked very well: Richard Reid's shoe bomb, the anus bomber only killed himself, and this last attempt failed as well.

The suitcase bombs of the past seemed much more reliable (it's also possible that they just failed silently). So it's not unreasonable to conclude that current scans and random checks have forced Al Qaeda to use a less-effective technique.

I would prefer to keep bombs off of planes in the first place, but the concept of defense in depth applies here. Multiple independent defenses are more difficult to thwart.

As delicious as a three-stripe Secretary would be, I believe her last name is spelled Napolitano.

Ha. Fixed. And my grandfather's from Naples.

On topic: It's worth pointing out that some elements of airplane security probably did work correctly and probably did prevent a worse outcome.

True.

The suitcase bombs of the past seemed much more reliable (it's also possible that they just failed silently).

I wonder why they haven't gone this route. ASAICT, not all checked bags are screened. So why not go for the Lockerbie approach?

I fully agree with Spencer Ackerman. Let's not forget that when the No-Fly list was at its height, TSA people were harassing Senator Ted Stevens' wife, Catherine Stevens, asking her to prove she was not the singer Cat Stevens. Aside from getting their genders mixed up, he was only on the list because he made a donation to a suspect charity. And the list was only 30,000 at the time. Expand it to the entire watch list, and you have about 550,000 people, many of them just as tangentially related, to say nothing of who knows how many others who just have the wrong name.

Where I do think security failed is not sending up any red flags because he was a man traveling alone, with no luggage on a trans-Atlantic flight, who paid cash for a one-way ticket. The should have subjected him to closer scrutiny. Granted suicide bombers can partially thwart such scrutiny by packing bags they don't need and buying return tickets they won't use. (Getting around paying in cash will presumably be harder).

I also fully agree that maintaining good will is vital to getting the kind of tips that fight terror.

I can't agree on the intelligence issue. They didn't know where he was but they knew his name. He traveled under his name. That should be pretty much enough to get him heightened scrutiny right there. I'm not sure why Napolitano gets to spin that as the system working.

"But it will make it much harder for people who aren’t threatening to enter, a move that will ripple out to effect diplomacy, security relationships (good luck entering the U.S. for a military-to-military contact program if, say, you’re a member of the Sunni Awakening in Iraq, since you had contacts with known extremists), international business and trade, and so on. Are we prepared for that?"

I'd be much more open to this objection if the crappy things being suggested by the TSA weren't so useless. We all sit with nothing in our laps for the first and last hour? Seriously? Come on. If that was a real response do you think people might realize that you could blow up the plane during the in between hours?

"ASAICT, not all checked bags are screened."

Aren't they? I thought all checked bags were put through that device (is it just X-ray?).

elm: just what element of post-9/11 security helped? TSA didn't help in foiling Reid or the long-chance mixing bomber, either - the TSA just just pushed barn-door-closing new annoyances on the American public,

To me, the American public had shown that it didn't need that kind of help on both 9/11 and when Reid tried to do his thing. Yeah - all bags are at least supposed to be checked. How have TSA's checkpoints helped that's remotely worth sacrificing so much American dignity and privacy, and adding some new petty pilferage from TSA?

I can't agree on the intelligence issue. They didn't know where he was but they knew his name. He traveled under his name. That should be pretty much enough to get him heightened scrutiny right there.

The trouble is that there are approximately 550,000 names on the terrorism watch list, with about 1,600 new tips coming in per day. Multiply that by the number of people who have the same name as one of the 550,000 and airline traffic will probably break down under the number of people requiring increased scrutiny.

For right now, I recommend increased scrutiny for anyone who pays cash for a one-way ticket. (And no, I have no idea how many of them there are).

Your comment about TSA idiocy is, of course, spot on. This one may turn out to be a bridge too far.

"not all checked bags are screened"

I think terrorist groups are particularly afraid of failed attacks, partly because it's a propaganda disaster, but mostly because a failed attack triggers a furious intelligence effort - and you don't even get to claim a success first.

Mind you, this attempt had a high risk of failure, especially with a single guy flying alone and paying cash. All it would take is the right kind of search and he would have been caught at the security screen. Which is a counterargument for my suggestion that randomly-applied measures at a lower frequency would still work well.

In this case the system worked. Not perfectly, but it worked. The guy didn't get a working bomb onboard the aircraft and nobody except him got hurt. The question of whether the millions of hours lost to security checks is worth the enhanced security is open, but look, one planeload of passengers killed is roughly 100,000,000 hours of life lost. (Call it an average of 35 years life remaining x 300 passengers.) US airlines had about 50,000,000 passengers in 2009; security measures probably added an average hour to each flight. So if one plane bombing is prevented each year we're talking order-of-magnitude similarities between costs and benefits, and that's before we consider whether people would rather wait an hour in line or take a (say) 1/100,000 chance of being blown up. (I think most people will take the wait.)

These measures are not 100% effective but they are not wholly ineffective either. The idea that they are pure security theater is bogus. We can argue about whether extremely low-probability events merit this kind of security, we can argue about whether it's a dignified way to exist to submit to searches and body scans, but as long as people are out there trying to blow up US flights, this kind of security will have some value.

When I've traveled from Brazil post 9/11,if my wife is not with me, my checked baggage gets a hand inspection after I check in. When I'm traveling with my wife, I don't.

Returning from Germany in 1974 to start college, I was frisked after clearing security.

BTW, not in defense of what Napolitano said, but since when is the TSA responsible for security in Lagos and Amsterdam?

Ha. Fixed. And my grandfather's from Naples.

OT Eric, but have you seen Gomorrah?

Wait... people are suggesting that we should fire the head of the DHS because someone tried and failed to launch a minor terrorist attack?

And we're bothering to entertain these suggestions?

If that level of safety's so important to you, then you had better stop driving as well, Jacob. The demonstrated level of risk from terrorism is far, far smaller than that from driving. In terms of deaths, the US'd have to lose something like 200 planes each year from terrorism to balance the risk from driving. 10 9/11s each year would also balance the death risks. Of course, we aren't seeing either.

Now, there are some people who do decide to stop driving, for a bunch of reasons, especially in big cities. But, most of us choose to live with that risk for the reward of being able to get places more conveniently.

Then I'm lucky I was traveling *with* my wife, Randy....

"If that level of safety's so important to you"

When you're talking about a (partially-) preventable risk, it is reasonable to look at the cost and benefit of the precautions related to that particular risk. If the benefit of the precautions exceeds the cost, then it will be sensible to take them no matter what the risks involved in some unrelated activity. (e.g. if you are jumping out of an airplane, the benefits of putting on a parachute exceed the costs; the fact that jumping out of an airplane with a parachute might be less dangerous than riding a motorcycle without a helmet is totally irrelevant.)

As I said, the back-of-an-envelope calculation of simple loss of life-hours from terrorism versus hours lost to security precautions puts them at least in the same order of magnitude, assuming that you deter or prevent one plane-bombing per year. I was somewhat surprised to find that to be the case, but so far as I can see, they're comparable. I have to say that having looked at the numbers, I don't think I'd even say what I said in the last thread, which is that I'd be willing to fly without the security precautions. If I'm truly trading off 1 hour per trip in security to save about 1 hour of life in reduced terrorism, that's not a bad deal, considering the other costs of successful terrorist attacks.

(You may see the previous thread for discussion of driving safety. Driving accident statistics tend to be skewed by the presence of extremely poor drivers, drunk-drivers, people who drive dangerous old cars, and so on; the wide range in insurance rates gives a clue as to the different risks of different drivers.)

Wait... people are suggesting that we should fire the head of the DHS because someone tried and failed to launch a minor terrorist attack?

And we're bothering to entertain these suggestions?

Sadly, these are the influential pundits.

So if one plane bombing is prevented each year we're talking order-of-magnitude similarities between costs and benefits, and that's before we consider whether people would rather wait an hour in line or take a (say) 1/100,000 chance of being blown up. (I think most people will take the wait.)

Do you have any cites for terrorists that have been captured by airport security who could have reasonably been expected to destroy an aircraft? I'm specifically interested in indictments or convictions. I can't really think of any. Which suggests that your cost-benefit analysis is messed up: if airport security isn't actually defending us from a realistic threat, the benefit is zero and the cost is just wasted.

Right now, the best techniques for reducing aircraft terrorism are free: passenger resistance and hardened cockpit doors. They both make a 9/11 attack impossible. So all that's left is the possibility of an explosive device on the plane. But that possibility has been present for decades and was never much of a threat: blowing up a plane doesn't have nearly the same psychological impact as using planes to destroy major landmarks. Moreover, just blowing up a plane produces far fewer deaths and far lower financial costs.

Note that airport screening cannot possibly prevent suicide bombers from blowing up aircraft. All you need is a few laptop batteries and you've got a powerful explosive device. Since we're never going to ban portable electronics from an aircraft, no amount of screening will ever eliminate the threat. In fact, it won't even do much to reduce the threat. The only terrorists prevented from blowing up aircraft are the incompetent ones that passengers could easily subdue anyway.

Well, except, Jacob,
o) As Turbulence wrote, there's no evidence that the new authoritarian measures are performing anything like as well as you say; certainly, you haven't introduced any such evidence. Why not guess that it saves 10 flights a month since you're guessing?

o) It's not just a question of time we're giving, but basic freedom to travel for the unlucky innocent on the do-not-fly list, humiliation, privacy, and extra pilferage. You might not mind the extra humiliation and extra worry over being allowed to fly and theft, but I think you're a minority on that point; it's certainly wrong to impose on a supposedly free people anytime we fly, especially when the return's so questionable.

o) It's not exactly in the class of return from foreign telco interceptions in WW2, is it? That loss of rights made sense, because it did alot to win the war with Japan, especially. THAT, IMHO, was worth it. Here we're hard-put to identify clearly any saving.

Unfortunately security measures at airports fail on a regular basis when tested by plain clothes security personnel. From that we have, I think, to conclude that our strongest defense is the incompetence of wannabe terrorists. I myself got items through the controls I could do a lot of mischief with, and I did not 'smuggle' them, I even asked whether some of them were allowed. If I had evil intent, I could have put nerve gas in the wee nose spray bottle, the chocolate could have contained something nasty under the outer surface and at least at some airports (with no sniffer machines) the book I read could have been made from nitrocellulosis (aka gun cotton). But I could not carry a sewing needle and twine in my hand luggage because the security people were unsure whether it was allowed.
Terrorists could imo clog the system quite effectively by creating false scares like framing innocent travellers, putting fake bombs etc. in other people's luggage (or simply using a nitro spray in order to trigger the sniffers).
And maybe one day one of them will watch 'Lawrence of Arabia' and get the idea that derailing a few commuter trains could be an alternative to hijacking or blowing up airplanes. Not to forget unguarded trains with chemicals going through large cities.

This is so good, I have to steal it: http://www.wilmott.com/blogs/eman/index.cfm/2009/12/29/Trading-Places

I had a fantasy in which the Fed and the TSA (Transportation Security Administration) switched roles. If a bank failed at 9 a.m. one morning and shut its doors, the TSA would announce that all banks henceforth begin their business day at 10 a.m. And, if a terrorist managed to get on board a plane between Stockholm and Washington, the Fed would increase the number of flights between the cities.

"he was only on the list because he made a donation to a suspect charity."

Oh, I don't know, his public statements in favor of killing Salman Rushdie might have had something to do with it, too.

I'm concerned he paid cash for a one way ticket without a passport. That seems to be a problem with the ticket counter in the foreign country where he got on. And that is where the attention should be.

Oh, I don't know, his public statements in favor of killing Salman Rushdie might have had something to do with it, too.

Aside from some obvious problems with the premises here, unless Salman Rushdie was going to be booked on one of Cat Stevens's flights, who the hell besides pants-wetters cares?

"cites for terrorists that have been captured by airport security who could have reasonably been expected to destroy an aircraft"

That's looking at only one specific effect of the current security regime. I said already that the failure of the latest attack (and the shoe bomber before him) was due to the current security system (admittedly on international and not domestic flights).

Then there is deterrent effect. Terrorists seem to be reluctant to launch attacks that have a high chance of detection or failure. Of course, this is subject to the tiger repellent problem. However, I think it is hard to argue that there are no tigers, given that one of them tried to blow up a plane last week.

"Why not guess that it saves 10 flights a month"

Well, I was thinking of one plane because even one bombing would change the calculus. If you think it is desirable to greatly reduce security because bombings are rare and the casualties small in absolute terms, I have to wonder what you are thinking would happen the next time a flight was bombed. Politicians and bureaucrats who reduced security would be torn apart in the press, in front of Congress, and perhaps in court. There is no way that a loosened security regime would survive another terrorist bombing. You say that plane bombings attract less attention than the 9/11 attacks - sure, but we're still talking major media hysteria.

As for 10 a month, flying wouldn't survive that statistic. On the other hand one bombing prevented or deterred per year is not an implausible number given the actual attempts over the past 10 years.

People are willing to pay a large premium to reduce downside risk. They're especially willing to pay for even partial protection against low-probability but extremely-high-cost events. That's why you buy fire insurance. In the case of airport security, since there appear to be few other ways to reduce risk (it's not a competitive market), they may well be willing to pay every single year in what amounts to a 10:1 ratio in hours lost to security lines if the effect is even a 50% chance of foiling one plane bombing killing 300 people every ten years.

And in this case an event has recently occurred that killed 3,000 people. That is 1 billion life hours lost, or roughly 20 years of 50 million passengers waiting an extra hour to get on a plane. The question of the effectiveness of measures is always relevant, but you really can't blame people for wanting to do their best to "smear out" the harm from a major terrorist attack into a billion small inconveniences at the airport.

As for it being a minority opinion that the current TSA security regime is justified, I'm afraid not. Poll taken Dec 28th: 83% think current airport security measures are sufficient or not strict enough. Only 11% think they are too strict. I'm not saying that the opinion of the public on the effectiveness of security measures is determinative or trumps discussing whether they actually are, but it is reasonable to proceed from the assumption that the public thinks the current security system is a worthwhile trade-off.

I flew today. The security line is annoying, but even an average of an hour added to trips is probably overstating it, as for every time I've had to wait in an endless line there have been several other times when I went through security in 5 minutes. This is a relatively low-cost-per-passenger measure that evidence would indicate is at least somewhat effective in reducing the chance of rare but devastating attacks. Most people accept that it's likely that they'll still happen, but hopefully at a lower frequency. We don't know exactly how well they work, but since terrorist attacks are so upsetting and damaging, we're willing to try a scattershot approach.

That poll was interesting because it showed an upswing in the people who think the security system is justified after this latest attempt. I think I'm one of those switchers. This is not a perfect system, but it's working to some extent.

Jacob, unless I'm missing something, the number of passenger trips on US airlines is more like 50 million per month, not per year.

Jacob: If you think it is desirable to greatly reduce security because bombings are rare and the casualties small in absolute terms, I have to wonder what you are thinking would happen the next time a flight was bombed. Politicians and bureaucrats who reduced security would be torn apart in the press, in front of Congress, and perhaps in court. There is no way that a loosened security regime would survive another terrorist bombing.

Exactly right. Which is why politicians and bureaucrats will never take steps to undo the meaningless security theater which airplane passengers are now obliged to perform. Each additional "tightening" of security is therefore in place permanently, no matter how useless or counterproductive it is. (As for example, the "terrorist watch" list of half a million names.)

The liquids-dumping rule is the one that causes me the most rage, most of the time, because it guards against a MacGyverism that is impossible in the real world - but it is like the rest - pointless to guard against an actual terrorist attack, counterproductive in that it distracts staff time and attention from real dangers, mere security theater to ensure that bureaucrats and politicians are covering their asses and saying "hey we took ALL PRECAUTIONS" when the next terrorist attack happens - or is attempted.

Of course it would be desirable to relax the timeconsuming "security precautions". For passengers, for airline and airport staff, for everyone concerned except the politicians and the bureaucrats who would find themselves being blamed by an angry media when the next terrorist attack happened.

Randy,

Sorry, just so your question now. No, haven't seen it. Do you recommend?

KCinDC: err... yes. I thought that figure was a little low. You're right, I used the wrong number, I apologize for my carelessness.

Still, though, it's 600 million hours lost a year to security* versus 100 million life-hours lost in a plane bombing or 1 billion life-hours lost in 9/11. I still think that people are not completely crazy to assess the security hassle as reasonable partial insurance against attacks.

* Assuming one hour per flight, which is probably a bit high.

Jes, I agree about the basic political dynamic you're talking about, but there is a countervailing dynamic which is that too many completely useless but annoying measures would generate their own backlash. I see the current level of security as the result of a rough trade-off between hassle and effectiveness. There are lots of more-invasive and more-annoying measures that could be taken but haven't been, some of them even potentially effective. For instance, pat-downs of every single traveler; hand-searches of all luggage; El Al-style passenger interviews. So there is obviously some countervailing effect to just ratcheting upwards. It does seem to be true that once widely instituted, measures never go away, but I'm not sure that the ones widely pilloried as useless are as useless as claimed.

In particular I'm not sure I agree about the uselessness of the liquid ban - there are several links here worth reading, including the Register stories. The problem I have with their conclusion is that they can't seem to decide whether the plot is impossible to prevent or impossible to carry off, which I think is a classic sign of the all-or-nothing fallacy - a security restriction can be useful even if it is not 100% effective. (The discussion of security measures is infested with that fallacy - the idea that unless you can guarantee the effectiveness of a measure, taking it is worthless.)

I wonder when the first attempt will be made to use an airborne poison. I am not aware that the cockpit typically has its own air circuit, so a few ml of nerve gas (e.g. in a nose spray bottle) could work*. The Japanese Sarin attacks failed iirc mainly because the stuff was not used as a spray but as volumes of liquid expected to evaporate more quickly than actually happened (and the vaporizer contraptions they also prepared failed mechanically). The main 'problem' with nerve gas is to produce it without killing yourself. Once it is sealed in containers, it could be, I think, used easily by suicidal terrorists. Iirc the effects take a while to manifest, so even with a test spray** at the security check the plane could be in the air before someone drops and gives the game away.

*also works through skin, so even pilots with oxygen masks would be affected.
**I did not have to do that with my own spray but I hear it's done at some airports.

but there is a countervailing dynamic which is that too many completely useless but annoying measures would generate their own backlash

You may hope for that, as do I, but I have been hoping for that for years - and so far, the only "backlash" is that the US tourist industry isn't growing as fast as the US tourist board thinks it should.

Furthermore, it's you who acknowledged that no politician or bureaucrat dare rescind the completely useless and annoying measures labeled "security", because if they did, the next time there was a terrorist attack, they would be torn to pieces.

Eric,

Gomorrah is not to be missed; neither is the book. Arguably the best film I saw last year.

I can speak and understand a little Italian, but the Neapolitan dialect had me completely lost. I could better understand the Italian spoken by the Chinese immigrant.

I keep seeing the claim that he bought a one way ticket, but this is false.

http://seminal.firedoglake.com/diary/21562

He bought a round trip ticket with cash, but from what I understand, only 1% of Nigerians use plastic money. It's still a largely cash society.

Therefore, he paid the same way everyone else did, and bought a round trip ticket. So he would not have been flagged.

Jes, my whole point is that the current security system is somewhat effective and a reasonable cost-benefit trade-off, so there is no widespread backlash because people generally approve of it. If everyone had to submit to an MRI prior to boarding their flight, there'd be a backlash.

The reason the TSA focuses on preventing repetition of past attacks - frequently described as closing the barn door after the horse has bolted, which I think is unfair - is because their situation is one of asymmetric information.

The attacker has little information about what kinds of attacks might succeed. Determining the chance of success of an attack in advance is very difficult. The attacker knows the plan can fail in any number of different ways, and does not know every detail of the security system in place with the defender. All the attacker knows is what methods have succeeded or failed in the past, and (to some extent) whether those methods have been blocked.

So, when choosing a method for a new attack, if they know of a method that has worked in the past, and they believe that it has not been blocked, they are likely to choose it again. (For instance, hijacking was the choice in the 9/11 attacks, a method that had previously been shown to be successful.)

The defender has the inverse problem. They know many ways that an attack could potentially succeed, but they don't know which one an attacker might choose. Defending against all of them would be prohibitively expensive. However, they do know what methods have been tried and been successful in the past. Knowing what the attacker knows, they have good reason to believe that if they do not block a previously successful method, that is likely to be the method that is chosen the next time. So it makes sense that they are devoting considerable resources to blocking known-successful methods rather than speculatively assigning them to any of the dozens of other ways that an attack might succeed without any information about which one might be used.

This applies even in the case of partial successes like the shoe bomber and the underpants bomber. The attacker learns something about what might succeed and the defender has to start by blocking those methods.

Jes, my whole point is that the current security system is somewhat effective and a reasonable cost-benefit trade-off, so there is no widespread backlash because people generally approve of it.

Well, certainly, there are elements of effectiveness in the current system: as others have noted, armoured doors to the cockpit: and what has been done for years, checking with passengers to be sure they're not carrying aboard anything potentially lethal without knowing it. Even the "watchlist" could be effective if only it were actually subject to some analysis.

But most of the current system has no benefits at all: beyond the "magic stone that keeps away tigers" syndrome. It's pointless to force people to ditch liquids before a flight, or to make them throw away nail-clippers or knitting-needles. The endless security-check line could be faster and much more effective if instead of paying people minimum wage and giving them a checklist they must follow, security checks were performed by trained personnel who actually have an idea of what they're doing and are performing their jobs thoughtfully, not as a matter of rote or racism.

People submit to the current system not because they approve of it or think it works, but because they have no choice and no alternative. If you want to fly, you have to submit to the rules and regulations thereof. And there has been no backlash because people can't afford a backlash.

Public transit - trains, subways - is equally vulnerable to terrorist attack (ask the Spanish or the English!) but will never have the same degree of security theatre, because the bureaucrats who run such services know they can't afford to subject their passengers to the same kind of time-consuming security theatre as airline bureaucrats can: their passengers have alternatives.

The attacker has little information about what kinds of attacks might succeed. Determining the chance of success of an attack in advance is very difficult. The attacker knows the plan can fail in any number of different ways, and does not know every detail of the security system in place with the defender. All the attacker knows is what methods have succeeded or failed in the past, and (to some extent) whether those methods have been blocked.

Yes. A 9/11 hijacker attack can never work again, because never again will pilots and passengers assume that cooperating with hijackers is the way to go to minimise loss of life. There is no effective way to prevent a determined suicide attack, except by ensuring your country is not behaving in such a way that you drive people to feel that they had rather die than endure it.

This applies even in the case of partial successes like the shoe bomber and the underpants bomber. The attacker learns something about what might succeed and the defender has to start by blocking those methods.

Would be nice if they did. Instead, as noted here, they begin with elaborate, inconvenient security theatre, which is pointless and ineffective but primarily lets the bureaucrats and politicians whose jobs depend it being able to say "see, something is being done".

I think one main problem is that additional security measures tend to be literally additional, i.e. costing extra time and inconvenience. What will imo be necessary is a general reworking of the procedures. Second generation full body scanners (that remove the nude image) might be a step in that direction because then the partial undressing could be dropped (that's the part I find most inconvenient).
I think there is much room for improvement within even the current system as my experiences at different airports have led me to believe. In some cases it is rather quick and imo efficient, in others it is neither, i.e. slow, inconvenient and still easy to fool (although formally it's the same procedures).
Against some possible means of attack there probably never will be a defense.
But, hey, air traffic for commoners will be a thing of the past in the not too far future anyway.

So what about the tube? 3 million passenger journeys in London every day, no security to speak of, no complaints in this regard as far as I'm aware. I suppose it's not much different in New York.

Are airline passengers somehow worth more or is this just big business for the security and surveillance sectors and a chance for the US/UK "intelligence" services to get everybody's fingerprints on file?

So what about the tube? 3 million passenger journeys in London every day, no security to speak of, no complaints in this regard as far as I'm aware.

And far more terrorist attacks, and terrorist threats, over the past thirty years, than anyone in the US has had to cope with - except for the poor souls working in women's health clinics that provide abortions. Homegrown terrorist movements present a far more serious ongoing threat than anything outsiders can cook up.

Jon: "just what element of post-9/11 security helped?"

I think two post-9/11 changes have helped: locked cockpit doors and passengers who fight attackers.

The TSA doesn't have much to do with either of those. In my opinion, the TSA has had almost no benefit. Its operations have been both wasteful and inept. I agree with your opinion of the agency.

The purpose of my original post (apart from the initial pun) was to point out how exactly two factors foiled this attempt. 1) A passenger stopped the bomber and 2) his bomb didn't work as expected.

I would argue that airport security did play a role in element #2:
Many groups can build reliable suitcase bombs, briefcase bombs, and suicide bomber vests. But magnetometers and x-ray machines can detect those*. So AQ builds bombs in unproven form factors with unreliable trigger mechanisms.

* I realize that they're actually not good at detecting bombs. But for some reason, Richard Reid and Abdulmutallab used bombs designed to avoid detection.

Novakant, in New York they're doing some ridiculous random searching at subway entrances, which is even more obviously useless than anything TSA is doing. Fortunately they haven't started it in DC, but there have been noises -- and similar noises about random searching for Amtrak passengers, though at least they wouldn't have the option of just going in a different entrance if they didn't want to be searched.

Schneier, "Where Airport Security Worked"

"With all the talk about the failure of airport security...people forget that airport security played an important role in foiling the plot. In order to get through airport security, Abdulmutallab -- or, more precisely, whoever built the bomb -- had to construct a far less reliable bomb than he would have otherwise; he had to resort to a much more ineffective detonation mechanism. And, as we've learned, detonating PETN is actually very hard."

I think that's a pretty interesting statement coming from the chief popularizer of the term "security theater".

Schneier is a really smart guy, and frequently right. But people with backgrounds in computer security (like Schneier, and to a infinitely less significant degree, me) have a systematic bias when it comes to security measures: the all-or-nothing fallacy isn't a fallacy for computer security. A defense that works 99% of the time is useless because it's trivial and cheap to repeat the attack until it works. A defense that works 50% of the time is a joke.

Physical security is not like that. Each attack consumes significant resources, not least the rare person insane enough to want to kill themselves while murdering dozens of other people, but sane enough to function in the western world and get through airport security. Worse, failed attacks yield valuable intelligence for the defender and are likely to result in that method being blocked in future. And failure is embarrassing.

In computer security, inconvenience is not very effective against attackers. It's easy to automate things so that any number of hoops can be jumped through reliably and repeatably until you succeed.

In the real world, inconvenience is very effective, as I've been saying. Each inconvenient step is another chance to fail or give yourself away. Having to carry on your bomb in your underwear with the detonator separate means you have to rely on the ability of the attacker to assemble the bomb past security. That has failed twice now.

We can & should continue to argue about the effectiveness of any given measure, but the system as a whole works, at least to some extent. And our assessments of individual measures should accept that even partial effectiveness can be worth paying for, and even circumventable measures are useful.

Besides the pointless and useless security drama, such as being required to remove belt and shoes for some flights, or not carry on liquid because MacGyver could have constructed a bomb out of it on TV, there are some security theater measures which are actually counterproductive: listing any number of people as "terrorists" who are guilty of, um... spanking their kids on an aircraft? This may be bad parenting, but there's no way it's indicative of a desire to blow up the plane!

but the system as a whole works, at least to some extent

And I've got some very useful magical stones here which protect you against tigers, sharks, and kzinti. Proof: I've had them for years and in that time I've never been attacked or threatened by any one of those species!

That would be a better argument had someone not tried to blow up a plane last week, but failed because his bomb sucked, because he had to smuggle it through security.

But there's no argument from me that the management of the various watch lists has been very poor and that all kinds of BE VERY AFRAID measures like the terror alert levels are a total waste of time. And the TSA ground staff hiring seems extremely uneven, which is particularly bad since they're supposed to be the ones smart enough to spot things that are unusual. (I'm sure many TSA ground staff are very nice, smart people, but it doesn't take too many experiences with those who are not to put you off the whole set.)

The comments to this entry are closed.