US guru highlights pointlessness of security policy

Net Results:  What's your worst security nightmare? I don't mean on a personal level or even a corporate level. I mean on a massive scale. The really scary stuff. The worst terrorists could do. Got something in mind? Then why not enter it into US security guru Bruce Schneier's Movie Plot Threat Contest.

I've mentioned Bruce Schneier - author of one of the bibles of the digital security world, Applied Cryptography - many a time. I am a devotee of his intelligent, amusing, thought-provoking free newsletter, the Crypto-Gram (subscribe at www.schneier.com/crypto-gram.html). He's also picked apart the silly pointlessness of much global security policy in the wake of 9/11 in his recent book, Beyond Fear.

I'm sure he'd have plenty to say about ours, such as the introduction of what was supposed to be a very special amendment to Irish law to allow the Garda to scan the phone records of serious criminals and, yes, scary terrorists - but placing absolutely no restrictions on how and when that amendment can be used, so that a cyclist who has neglected to turn on a bicycle light can quite legally have three years of her phone records called up by the Garda.

In the very near future, they can also demand three years of internet access and e-mail records, too. Yes, really.

But back to Bruce. He has stumbled across so many patently ridiculous, useless "security measures" that burn up huge amounts of money, nicely benefit certain industry sectors, inconvenience the public, but offer little to no actual security benefit, all in the name of vague national security threats, that he thought Joe (or Janet) Public could come up with something more plausible.

So plausible that it might make a nice movie. His argument is that the US government - and other governments - keep scaring their citizens with what he calls "movie plot threats".

While these are dramatic, exciting, scary and very useful for persuading people to tolerate draconian privacy-bashing legislation like the Patriot Act in the US, or our very own free-form data retention amendment, they are extremely unlikely to occur.

Meanwhile, the measures used to counteract the supposed terrorist threat make for a society even more at risk - because poorly secured personal information held in vast repositories has a bad habit of being stolen by criminals or even accidentally leaked out to the world at large because systems aren't very good at keeping such things hidden.

As Schneier has argued cogently many times, existing laws are usually more than adequate for dealing with these new threats because, in criminal and terrorist terms, there really is nothing new under the sun. The ways in which such acts are perpetrated may vary but the basic security issues remain the same and can be dealt with in more thoughtful and effective ways.

One of his key examples is the massive amount of money and effort going into border security and airport screening processes. We have all seen how poor the systems are at finding decoy devices and dangerous items, and how easily human error further banjaxes the whole system.

Instead of trying to find a needle by screening the haystacks, and imposing huge surveillance projects like data retention on the general public, argues Schneier, why not invest money into beefing up skills that really would make a difference - more security agents able to speak the languages of the countries that terrorists tend to come from; better surveillance networks that target actual suspects rather than the entire citizenry of a nation just in case one of those millions is doing something wrong (again, screening the haystack); better co-operation and leadership.

Overall, the possible plots the US government has come up with for scaring the public are pretty second rate, says Schneier. Certainly the public can do better? Hence the contest, which Schneier posted on his weblog. Here's how Schneier describes it: "Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.

"Your goal: cause terror. Make the American people notice. Inflict lasting damage on the US economy. Change the political landscape, or the culture. The more grandiose the goal, the better.

"Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc."

By his deadline at the end of April, 782 people had posted responses.

Schneier says the plots fall into three broad categories: attacks against infrastructure, "big ticket plots" that involve grand gestures such as bombing the Oscars or using nuclear waste or anthrax, and, finally, "low-tech attacks that go on and on" - perhaps teams of snipers terrorising communities.

He thinks most of us underestimate how hard it is to carry out a terrorist attack. "It's harder to find willing recruits than we think. It's harder to co-ordinate plans. It's harder to execute those plans. Terrorism is rare and, for all we've heard about 9/11 changing the world, it's still rare," he writes on his blog.

If you've got an idea for a plot, he'd like to hear from you, even though the deadline has passed. He's also interested in getting comments on the plots already posted. You can add your plot or your observations here: http://tinyurl.com/olgrs.

While you're at it, why not write to your TD to ask when we'll limit our own anti-terrorist laws such as the data retention amendment to terrorists.

klillington@irish-times.ie weblog: http://weblog.techno-culture.com

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology