Tuesday, December 29, 2009

Puffer Machines, El Al, and Defense in Depth

Airline security is a great case study in large systems security, and specifically in the challenges of implementing defense in depth. While the U.S. will rapidly get back to business as usual, forgetting the near disaster of a Christmas Day airline bombing, other countries have the threat of attack put in their face daily. This isn't something a person wishes the U.S. to experience, but you cannot ignore the ongoing annealing effect this has on the security posture of these foreign communities. It translates into large expenditures of money being applied to security because the threat is real.

Contrast the TSA here in the States with El Al in Israel. El Al catches terrorists using multiple layers of security. The first defense is a knowledge of the world they live in, the status of their enemies and who is likely to target them at any given time. This means putting intelligence to work and informing different organizations so they can work together. The second layer is a skilled person interrogating passengers. El Al realizes it is not a right to fly; it is a privilege. The screener focuses on the person. El Al respects the power of human threat detection by incorporating the interview into the screening process. The traveler may be asked to produce receipts for the places he reports having stayed. If the person makes the screener nervous, that person gets set aside for more in-depth screening. Simple. This increases the time it takes to check in, but this process has been proven effective. Humans are the best threat detectors in our known universe (seconded by our trusted animal companions). But here in the States, we are so afraid of being accused of racial profiling and discrimination that TSA is forced to ignore human solutions, and instead relies on mechanical procedures and a compulsive focus on carry-on luggage.

The next layer of security is technology-based - if a traveler fails to pass the human screener, he or she may be asked to submit to a full body scan, a technology that raises hackles here in the States because of 'privacy' - never mind that it will actually detect plastic explosives taped to the body. The extra cost of sending would-be passengers through a puffer machine is easily shouldered by El Al, because they know it works at detecting explosives. The defense in depth goes even further: El Al has special reinforcements in the aircraft fuselage to protect the weakest point against an explosive blast. This is the kind of security that would make me feel safe to fly.

All of this is expensive, time-consuming and necessary, because it saves lives. The cost of security can't always be measured by money. Some things are more valuable, like reputation, goodwill, and peace of mind. The U.S. should take some lessons from this, and start spending smart money on a few key defense-in-depth strategies that work, not only in our airline screening process but in our networks and infrastructure as well. Risk Intelligence is a lot cheaper to implement than we think if we consider the consequences.