Friday, January 8, 2010

Why can’t we have T-Hackers stay ahead of potential breaches?

Metal detectors at an airport

Clark Kent Ervin, the former inspector general of the State Department (2001-2003) and of the Department of Homeland Security (2003 to 2004), who is currently the director of the Aspen Institute’s homeland security program, recently wrote an op-ed for NYT, excerpted below:

"Perhaps the biggest lesson for airline security from the recent incident is that we must overcome our tendency to be reactive. We always seem to be at least one step behind the terrorists. They find one security gap — carrying explosives onto a plane in their shoes, for instance — and we close that one, and then wait for them to exploit another. Why not identify all the vulnerabilities and then address each one before terrorists strike again?

Since the authorities have to succeed 100 percent of the time, and terrorists only once, the odds are overwhelmingly against the authorities. But they’ll be more likely to defy fate if they go beyond reflexive defense and play offense for a change."

It’s hard to argue with his point, for we clearly are reactive.  It’s as if our enemies have found our magic buttons, and they know exactly which button would get the desired reaction.

In December 2001, shoe-bomber Richard Reid made an unsuccessful attempt to blow up American Airlines Flight 63 from Paris to Miami, using PETN as the explosive. According to Wikipedia, pentaerythritol tetranitrate (PETN) is one of the most powerful high explosives known, with a relative effectiveness factor (R.E. factor) of 1.66. It is also used as a medical drug to treat heart conditions.

Soon after that, we all had to take off our shoes, get wand screenings and pat downs at security points in our airports and at airports overseas. Shoes have become weaponized; they might as well join those box cutters and a whole lot of items now enshrined in the list of prohibited items when we fly. Some funnies and some not-so-funny stories here.

In 2006, the transatlantic aircraft terrorist plot to detonate liquid explosives carried on board at least 10 airliners travelling from the United Kingdom was discovered, which resulted in chaos over how much liquid one can carry onto commercial aircraft.

Imagine if you were breastfeeding or pumping milk the day those restrictions took effect. TSA says air travelers may now carry liquids, gels and aerosols in their carry-on bag when going through security checkpoints but “all liquids, gels and aerosols must be in 3.4 ounce (100ml) or smaller containers. Larger containers that are half-full or toothpaste tubes rolled up are not allowed. Each container must be 3.4 ounces (100ml) or smaller.” Somewhere, some not-so-nice folks are laughing.

What are they going to think of next?

According to this report from Stratfor, when suicide-bomber Abdullah Hassan al Asiri attempted to assassinate the Saudi Arabian Deputy Minister of Interior Prince Muhammad bin Nayef this past August, al Asiri, who was described as a human Trojan horse, activated a small improvised explosive device (IED) he was carrying inside his anal cavity. (Eww!) PETN was reportedly the explosive used. The minister survived, the bomber did not.

Then on 25 December 2009, PETN was also found in the possession of the Underpants Bomber, Umar Farouk Abdulmutallab, who attempted to blow up Northwest Airlines Flight 253 while approaching Detroit from Amsterdam. Abdulmutallab allegedly tried to detonate PETN sewn into his underwear by adding liquid from a syringe.

In the aftermath of these recent failed attempts, especially the latter, it looks like we are now faced with the distinct possibility of 1) a full body security scan which uses high-frequency radio waves to produce an image of the human body to determine if passengers are smuggling items (such as drugs, cash or diamonds) in or underneath their clothing, or 2) a full body scan which uses X-rays that pass through the body to trace swallowed items. Here is a good article on what Spiegel Online calls “strip search scanners.”

What are they going to think of next?  What if they succeed in putting explosives in ..... um, never mind. 

Banks hire the best hackers money can buy to steal from them—and then show them the holes in their defenses; by compromising their systems, they are able to protect their systems. Have we done that? According to this September 2009 GAO report on aviation security, TSA has implemented activities to assess risks to airport perimeters and access controls but has not conducted vulnerability assessments for 87 percent of the nation's approximately 450 commercial airports or any consequence assessments. We're talking just aviation here; what about the rest?

Why can’t we do the equivalent of hackers when it comes to terrorism and stay one step ahead of potential breaches? The thing is, we can't pretend to seal the holes in the boat when we don't know where we are leaking. Until we know which parts of “us” are vulnerable, we will always play catch-up. And while we are stuck with protecting ourselves against the next shoe-bombing or underpants assault, the enemy may have already imagined other more creative ways to do us harm. The attack may not even have to blow anything up -- just throw us into chaos, at significant cost to our peace of mind and sense of security, and to the taxpayers’ pockets.

You’re going to start thinking Domani Spero has gone bat crazy …

Well, okay, maybe – but hiring T-hackers, for lack of a better word, would be no more expensive than what was already spent on security screenings since 2002, or the inevitable body scanners. For all that expense and inconvenience, we only get the perception of security. The shoe bomber was the reason we now take off our shoes at security checkpoints in airports, but PETN is a plastic explosive that is not picked up by metal detectors. So... why are we taking off our shoes, again?

According to another GAO report, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS) have invested over $795 million in technologies to screen passengers at airport checkpoints since fiscal year 2002. News reports indicate that the cost of body scan machines ranges from 175,000-250,000 each.

How many airports are there?  According to the Airports Council International, the United States has over 19,847 airports based on the Department of Transportation’s 2007-2011 National Plan of Integrated Airport Systems (NPIAS). More than 3,364 of those airports are recognized by the Federal Aviation Administration (FAA) as being open to the public.  382 are Primary Airports, defined as having more than 10,000 annual passengers.

I don’t even want to do the math. My head already hurts.

See what I like about those T-hackers? A squad of dark rangers, brainiacs who can imagine the most dastardly attacks, the most unimaginable chaos and destruction, the dark days we do not want to see in the future – they could poke holes in our security portals and blankets now, before a lone wolf or some real bad guys get lucky with poking around.

