Homeland Insecurity
Computer networks are difficult to keep secure in part because they have so many functions, each of which must be accounted for. For that reason Schneier and other experts tend to favor narrowly focused security measures—more of them physical than digital—that target a few precisely identified problems. For air travel, along with reinforcing cockpit doors and teaching passengers to fight back, examples include armed uniformed—not plainclothes—guards on select flights; "dead-man" switches that in the event of a pilot's incapacitation force planes to land by autopilot at the nearest airport; positive bag matching (ensuring that luggage does not get on a plane unless its owner also boards); and separate decompression facilities that detonate any altitude bombs in cargo before takeoff. None of these is completely effective; bag matching, for instance, would not stop suicide bombers. But all are well tested, known to at least impede hijackers, not intrusive to passengers, and unlikely to make planes less secure if they fail.
Flashbacks: "Pearl Harbor in Retrospect"
(May 25, 2001)Atlantic articles from 1948, 1999, and 1991 look back at Pearl Harbor from American and Japanese perspectives.
It is impossible to guard all potential targets, because anything and everything can be subject to attack. Palestinian suicide bombers have shown this by murdering at random the occupants of pool halls and hotel meeting rooms. Horrible as these incidents are, they do not risk the lives of thousands of people, as would attacks on critical parts of the national infrastructure: nuclear-power plants, hydroelectric dams, reservoirs, gas and chemical facilities. Here a classic defense is available: tall fences and armed guards. Yet this past spring the Bush Administration cut by 93 percent the funds requested by the Energy Department to bolster security for nuclear weapons and waste; it denied completely the funds requested by the Army Corps of Engineers for guarding 200 reservoirs, dams, and canals, leaving fourteen large public-works projects with no budget for protection. A recommendation by the American Association of Port Authorities that the nation spend a total of $700 million to inspect and control ship cargo (today less than two percent of container traffic is inspected) has so far resulted in grants of just $92 million. In all three proposals most of the money would have been spent on guards and fences.
The most important element of any security measure, Schneier argues, is people, not technology—and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery. Giving guards increased authority provides more opportunities for abuse, Schneier says, so the guards must be supervised carefully. But a system with more people who have more responsibility "is more robust," he observed in the June Crypto-Gram, "and the best way to make things work. (The U.S. Marine Corps understands this principle; it's the heart of their chain of command rules.)"
"The trick is to remember that technology can't save you," Schneier says. "We know this in our own lives. We realize that there's no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don't offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people."
After meeting Schneier at the Cato Institute, I drove with him to the Washington command post of Counterpane Internet Security. It was the first time in many months that he had visited either of his company's two operating centers (the other is in Silicon Valley). His absence had been due not to inattentiveness but to his determination to avoid the classic high-tech mistake of involving the alpha geek in day-to-day management. Besides, he lives in Minneapolis, and the company headquarters are in Cupertino, California. (Why Minneapolis? I asked. "My wife lives there," he said. "It seemed polite.") With his partner, Tom Rowley, supervising day-to-day operations, Schneier constantly travels in Counterpane's behalf, explaining how the company manages computer security for hundreds of large and medium-sized companies. It does this mainly by installing human beings.
The command post was nondescript even by the bland architectural standards of exurban office complexes. Gaining access was like a pop quiz in security: How would the operations center recognize and admit its boss, who was there only once or twice a year? In this country requests for identification are commonly answered with a driver's license. A few years ago Schneier devoted considerable effort to persuading the State of Illinois to issue him a driver's license that showed no picture, signature, or Social Security number. But Schneier's license serves as identification just as well as a license showing a picture and a signature—which is to say, not all that well. With or without a picture, with or without a biometric chip, licenses cannot be more than state-issued cards with people's names on them: good enough for social purposes, but never enough to assure identification when it is important. Authentication, Schneier says, involves something a person knows (a password or a PIN, say), has (a physical token, such as a driver's license or an ID bracelet), or is (biometric data). Security systems should use at least two of these; the Counterpane center employs all three. At the front door Schneier typed in a PIN and waved an iButton on his key chain at a sensor (iButtons, made by Dallas Semiconductor, are programmable chips embedded in stainless-steel discs about the size and shape of a camera battery). We entered a waiting room, where Schneier completed the identification trinity by placing his palm on a hand-geometry reader.
Beyond the waiting room, after a purposely long corridor studded with cameras, was a conference room with many electrical outlets, some of which Schneier commandeered for his cell phone, laptop, BlackBerry, and battery packs. One side of the room was a dark glass wall. Schneier flicked a switch, shifting the light and theatrically revealing the scene behind the glass. It was a Luddite nightmare: an auditorium-like space full of desks, each with two computer monitors; all the desks faced a wall of high-resolution screens. One displayed streams of data from the "sentry" machines that Counterpane installs in its clients' networks. Another displayed images from the video cameras scattered around both this command post and the one in Silicon Valley.
On a visual level the gadgetry overwhelmed the people sitting at the desks and watching over the data. Nonetheless, the people were the most important part of the operation. Networks record so much data about their usage that overwhelmed managers frequently turn off most of the logging programs and ignore the others. Among Counterpane's primary functions is to help companies make sense of the data they already have. "We turn the logs back on and monitor them," Schneier says. Counterpane researchers developed software to measure activity on client networks, but no software by itself can determine whether an unusual signal is a meaningless blip or an indication of trouble. That was the job of the people at the desks.
Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgment, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.
When I asked Schneier why Counterpane had such Darth Vaderish command centers, he laughed and said it helped to reassure potential clients that the company had mastered the technology. I asked if clients ever inquired how Counterpane trains the guards and analysts in the command centers. "Not often," he said, although that training is in fact the center of the whole system. Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.
Charles C. Mann, an Atlantic correspondent, has written for the magazine since 1984. He is at work on a book based on his March 2002 Atlantic cover story, "1491".
Article Toolssponsored by: |
|
