Friday, June 15, 2007

Don't look a leopard in the eye

Bruce Schneier discusses the value of targets, variable tactics and objectives in security in his latest Crypto-Gram. Recommended as usual.

"If you encounter an aggressive lion, stare him down. But not a leopard;
avoid his gaze at all costs. In both cases, back away slowly; don't run.
If you stumble on a pack of hyenas, run and climb a tree; hyenas can't
climb trees. But don't do that if you're being chased by an elephant;
he'll just knock the tree down. Stand still until he forgets about you...

The advice I was given was
based on thousands of years of collective wisdom from people
encountering African animals again and again.

Compare this with the Transportation Security Administration's approach.
With every unique threat, TSA implements a countermeasure with no basis
to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion
won't learn that he should ignore people who stare him down, and eat
them anyway. But people will learn. Burglars now know the common
"secret" places people hide their valuables -- the toilet, cereal boxes,
the refrigerator and freezer, the medicine cabinet, under the bed -- and
look there...

This is the arms race of security. Common attack tactics result in
common countermeasures. Eventually, those countermeasures will be evaded
and new attack tactics developed. These, in turn, require new
countermeasures...

The result of these tactic-specific security countermeasures is to make
the attacker go elsewhere. For the most part, the attacker doesn't
particularly care about the target...

This approach requires a different kind of countermeasure, but it's
still well-understood in the security world. For people, it's what alarm
companies, insurance companies and bodyguards specialize in. President
Bush needs a different level of protection against targeted attacks than
Bill Gates does, and I need a different level of protection than either
of them...

Al-Qaeda terrorism is different yet again. The goal is to terrorize. It
doesn't care about the target, but it doesn't have any pattern of
tactic, either. Given that, the best way to spend our counterterrorism
dollar is on intelligence, investigation and emergency response. And to
refuse to be terrorized."

If you only have the time to read one or two of the stories in crypto-gram at the moment, may I suggest Portrait of the Modern Terrorist as an Idiot and the winner of the movie plot threat contest, a scenario which would lead to the banning of water on planes.

No comments: