Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Overreacting to Security Theatre is Harmful

Security Theatre is a term that has been gaining acceptance as part of the Information Security lexicon for some time and it has also found acceptance in other security fields, being used to describe actions or proposals that deliver more show than substance with respect to a real or imagined threat.

In simple terms, it can be argued that Security Theatre is nothing more than an overreaction to a real or perceived threat by those who do not fully understand the risks that they are trying to mitigate.

There is little argument that Security Theatre is harmful to those who are paying for it, as well as those who are notionally being given greater protection as a result. With most of these projects originating from various government agencies, it is the tax payers who fall into both categories and also those who can have the greatest difficulty determining whether a measure is appropriate or not.

Just as harmful is the immediate labelling of security initiatives as Security Theatre, which is a risk when those doing the labelling do not fully understand the risks that have been attempted to be mitigated. Into this category, unfortunately, fall mainly Information Security experts who have been encouraged to step beyond the limits of their immediate practical knowledge and experience and assess something which they have little understanding of.

One of the main proponents of this new term is the noted Information Security specialist Bruce Schneier, who has been using his blog to draw attention to egregious examples of Security Theatre. From time to time, Bruce falls into the trap of being too dismissive of a technology or effort, labelling it as Security Theatre when there may actually be a viable reason for the implementation.

Comments on a blog should never be relied upon as authoritative, but because Bruce writes with such authority and there is a distinct trend of an emerging groupthink, it encourages readers to accept what is presented without questioning the validity of what is being put forward. Even Bruce argues that "Security is fundamentally a fear sell, and so it doesn't sell very well."

In a recent case, the decision to fit commercial passenger aircraft with anti-missile systems (three American Airlines jets on unidentified routes) has been dismissed as "security theater[sic] against a movie-plot threat". In amongst the significant number of comments backing the argument of Security Theatre were a couple of dissenting voices that pointed out it isn't a completely inane suggestion, with more than 20 recorded airline crashes since 1975 that can be attributed to surface-to-air attacks.

There have been a number of recent attacks against airliners, including an attack against El Al in Kenya (where the aircraft was reported to have been fitted with anti-missile defences and the missile missed), and an attack against a DHL freight aircraft in Iraq (where the crew were able to land the aircraft despite significant damage to the port wing). One of the most famous examples of a civilian airliner being destroyed by a surface missile is the Iranian airliner shot down by a US warship over the Persian Gulf a number of years ago.

It isn't the first time that it has been suggested that civilian airliners should be fitted with defensive systems like this, but the main argument within the aviation world has been about the relative costs and benefits of these systems, as well as the level of threat faced by the airliners. It has long been rumoured that the Israeli national air line, El Al, has fitted at least some of their aircraft with defences, but it has never been officially confirmed. With a fluid geopolitical environment some could argue that the threat to civilian airliners around the world has increased, thus justifying the expenditure and effort to fit the anti-missile systems. Perceived American aggression in a number of countries and regions can also be seen as a contributing factor to a perceived increased threat against American airliners.

To the uninformed, it does appear that fitting aircraft with defences is an inane suggestion, especially if the commentator is living in a stable country or region that has not traditionally seen attacks against civilian targets. In other words, the perceived risk is very low and fitting aircraft with defences is a waste of resources. To the informed, it still appears somewhat inane, but there are defined cases where it would be prudent to ensure a civilian airliner is protected against external attack while it is in flight. Flight operations to regions that are politically unstable or where there is lax law enforcement are cases where defence mechanisms may be justified. It is somewhat ironic that US airlines are considering fitting their aircraft with defences against US-built and sold missiles.

Using lasers against missiles could be considered inappropriate use of technology as, on the surface, it seems impossible for a laser defence system to disable missiles that are radar-guided, semi-active, or even modern IR-guided weapons. One of the main theorised approaches is to use the laser to provide localised heating of the weapon such that it disables the guidance circuits or even prematurely detonates the weapon. Using the laser also allows for continuous tracking of trajectories and probable launch sites which can be useful to determine if to take evasive action (not needed if it is going to miss), and to aid in any law enforcement investigation (providing an actual launch location). Other suggested modes of operation include blinding IR seekers with blooms of light / heat. Laser anti-missile defensive systems are still in their infancy compared to the more traditional flares, chaff, and ECM.

There is also a quite well defined threat, with the basic launch platform being the MANPAD (MAN Portable Air Defence), which includes the SA-7, SA-14 and Stinger type of shoulder launched missiles, though the RPG is also a viable unguided ground-air weapon. There are many thousands of these class of weapons that have gone 'missing' from official inventories around the world, and many more that have been sold off the books to different organisations. For a weapon that can be broken down into approximately 1-2 suitcases for transit, it is something that can be shipped quickly and easily concealed - almost the perfect weapon of terror.

24 January 2008

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.