Computer networks are difficult to keep secure in part because they have so many functions, each of which must be accounted for. For that reason Schneier and other experts tend to favor narrowly focused security measures—more of them physical than digital—that target a few precisely identified problems. For air travel, along with reinforcing cockpit doors and teaching passengers to fight back, examples include armed uniformed—not plainclothes—guards on select flights; "dead-man" switches that in the event of a pilot's incapacitation force planes to land by autopilot at the nearest airport; positive bag matching (ensuring that luggage does not get on a plane unless its owner also boards); and separate decompression facilities that detonate any altitude bombs in cargo before takeoff. None of these is completely effective; bag matching, for instance, would not stop suicide bombers. But all are well tested, known to at least impede hijackers, not intrusive to passengers, and unlikely to make planes less secure if they fail.
It is impossible to guard all potential targets, because anything and everything can be subject to attack. Palestinian suicide bombers have shown this by murdering at random the occupants of pool halls and hotel meeting rooms. Horrible as these incidents are, they do not risk the lives of thousands of people, as would attacks on critical parts of the national infrastructure: nuclear-power plants, hydroelectric dams, reservoirs, gas and chemical facilities. Here a classic defense is available: tall fences and armed guards. Yet this past spring the Bush Administration cut by 93 percent the funds requested by the Energy Department to bolster security for nuclear weapons and waste; it denied completely the funds requested by the Army Corps of Engineers for guarding 200 reservoirs, dams, and canals, leaving fourteen large public-works projects with no budget for protection. A recommendation by the American Association of Port Authorities that the nation spend a total of $700 million to inspect and control ship cargo (today less than two percent of container traffic is inspected) has so far resulted in grants of just $92 million. In all three proposals most of the money would have been spent on guards and fences.
The most important element of any security measure, Schneier argues, is people, not technology—and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery. Giving guards increased authority provides more opportunities for abuse, Schneier says, so the guards must be supervised carefully. But a system with more people who have more responsibility "is more robust," he observed in the June Crypto-Gram, "and the best way to make things work. (The U.S. Marine Corps understands this principle; it's the heart of their chain of command rules.)"
"The trick is to remember that technology can't save you," Schneier says. "We know this in our own lives. We realize that there's no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don't offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people."
After meeting Schneier at the Cato Institute, I drove with him to the Washington command post of Counterpane Internet Security. It was the first time in many months that he had visited either of his company's two operating centers (the other is in Silicon Valley). His absence had been due not to inattentiveness but to his determination to avoid the classic high-tech mistake of involving the alpha geek in day-to-day management. Besides, he lives in Minneapolis, and the company headquarters are in Cupertino, California. (Why Minneapolis? I asked. "My wife lives there," he said. "It seemed polite.") With his partner, Tom Rowley, supervising day-to-day operations, Schneier constantly travels in Counterpane's behalf, explaining how the company manages computer security for hundreds of large and medium-sized companies. It does this mainly by installing human beings.
The command post was nondescript even by the bland architectural standards of exurban office complexes. Gaining access was like a pop quiz in security: How would the operations center recognize and admit its boss, who was there only once or twice a year? In this country requests for identification are commonly answered with a driver's license. A few years ago Schneier devoted considerable effort to persuading the State of Illinois to issue him a driver's license that showed no picture, signature, or Social Security number. But Schneier's license serves as identification just as well as a license showing a picture and a signature—which is to say, not all that well. With or without a picture, with or without a biometric chip, licenses cannot be more than state-issued cards with people's names on them: good enough for social purposes, but never enough to assure identification when it is important. Authentication, Schneier says, involves something a person knows (a password or a PIN, say), has (a physical token, such as a driver's license or an ID bracelet), or is (biometric data). Security systems should use at least two of these; the Counterpane center employs all three. At the front door Schneier typed in a PIN and waved an iButton on his key chain at a sensor (iButtons, made by Dallas Semiconductor, are programmable chips embedded in stainless-steel discs about the size and shape of a camera battery). We entered a waiting room, where Schneier completed the identification trinity by placing his palm on a hand-geometry reader.
For clear primers on modern cryptography and on network security, it is hard to do better than Bruce Schneier's Applied Cryptography (1993) and Secrets and Lies (2000), respectively; these books (especially the latter) render technological arcana comprehensible to even the willfully Luddite. The consensus classic in the field of cryptology remains The Codebreakers: The Story of Secret Writing (1967), by David Kahn. Kahn spent four years working on a book that sought, in his words, "to cover the entire history of cryptology." (That is in fact a modest description of a 1,200-page book that begins with a chapter called "The First 3,000 Years" and closes, twenty-five chapters later, with "Messages From Outer Space.") All subsequent chroniclers of cryptography unavoidably stand on Kahn's shoulders. But The Codebreakers nearly died aborning: reportedly, the Pentagon tried to suppress its publication; only after Kahn agreed to delete three passages was the book finally published. Kahn issued a new edition of the book in 1996, bringing his history nearly up to the century's end. Two of the most relevant books on the subject of homeland security, both published in 1998, were also the most prescient. Terrorism and America: A Commonsense Strategy for a Democratic Society, by Philip B. Heymann, and America's Achilles' Heel: Nuclear, Biological, and Chemical Terrorism and Covert Attack, by Richard A. Falkenrath, Robert D. Newman, and Bradley A. Thayer, warned of the imminent danger of a major terrorist attack on American soil. Although the proposed Department of Homeland Security was hastily thrown together, the idea for such an entity had circulated within the government for years. Some of the proposals can be found in the excellent compilation of disparate reports that the U.S. Senate Committee on Foreign Relations put together last fall, when it was preparing for hearings on the subject of national security. 
The compilation is called Strategies for Homeland Defense and is available on the Internet at purl.access.gpo.gov/GPO/LPS15541.
Beyond the waiting room, after a purposely long corridor studded with cameras, was a conference room with many electrical outlets, some of which Schneier commandeered for his cell phone, laptop, BlackBerry, and battery packs. One side of the room was a dark glass wall. Schneier flicked a switch, shifting the light and theatrically revealing the scene behind the glass. It was a Luddite nightmare: an auditorium-like space full of desks, each with two computer monitors; all the desks faced a wall of high-resolution screens. One displayed streams of data from the "sentry" machines that Counterpane installs in its clients' networks. Another displayed images from the video cameras scattered around both this command post and the one in Silicon Valley.
On a visual level the gadgetry overwhelmed the people sitting at the desks and watching over the data. Nonetheless, the people were the most important part of the operation. Networks record so much data about their usage that overwhelmed managers frequently turn off most of the logging programs and ignore the others. Among Counterpane's primary functions is to help companies make sense of the data they already have. "We turn the logs back on and monitor them," Schneier says. Counterpane researchers developed software to measure activity on client networks, but no software by itself can determine whether an unusual signal is a meaningless blip or an indication of trouble. That was the job of the people at the desks.
Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgment, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.
When I asked Schneier why Counterpane had such Darth Vaderish command centers, he laughed and said it helped to reassure potential clients that the company had mastered the technology. I asked if clients ever inquired how Counterpane trains the guards and analysts in the command centers. "Not often," he said, although that training is in fact the center of the whole system. Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.