Tuesday, July 8, 2014

Dear TSA, my phone is not a bomb. See? It powers on!

Security Theater: the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.
On Sunday the Transportation Security Administration announced new "enhanced security measures" at some overseas airports. (The TSA does not perform security screening overseas, but it does specify requirements for flights entering the US) The new rule? Travelers must power on electronic devices such as cell phones. If the device does not power on, it will not be allowed on board the aircraft - and the passenger will be subject to additional screening. The theory is that if a device does not power on, a traveler may have replaced the batteries with explosives.

This seems a logical progression from old rules requiring passengers to power on laptop computers for a similar reason, and it seems similarly silly. Many electronic devices have some empty space that a crafty terrorist could fill with explosives ... cell phones tend to be pretty tightly packed, but it could still be done, particularly when you take into account bulky cases with built-in storage compartments. More to the point though, the risk being guarded against is fantastically small compared to the time wasted and the dollars spent in the name of airline security.

In the 13 years since September 11, 2001, not a single aircraft has been hijacked over US soil. Some would say the TSA has been quite successful in their mission. But here's the thing: In the 14 years prior to 9-11, not a single aircraft was hijacked over US soil. The previous US hijacking took place December 7, 1987. Before that was a hijacking of a short-hop airplane in Texas in 1983, in which all passengers were released unharmed after the hijacker diverted the plane to Mexico. You would have to look back to the 1970's to find more than a couple of hijackings in a decade.

Statisticians have estimated the odds of dying from a terrorist attack (of any form) during one's lifetime to be about 1 in 9.3 million. That is about 3 times less likely than dying from a snake bite, five times less likely than dying from falling out of bed, a thousand times less likely than dying in an automobile accident, and nearly two million times less likely than dying from cancer. That's the likelihood of dying from any form of terrorist act worldwide. Avoid terrorist-prone locations and the odds are far lower. Lower still are the odds of being affected by an aircraft hijacking specifically.

During the first decade of the 2000's, there were over seven billion passenger enplanements involving flights within or to/from the US. If we assume the typical flight plan involves three legs, that's about 2.5 billion passengers passing through security. Assuming a half hour per passenger (waiting in line, removing shoes, ensuring carry-on items are properly placed on the conveyor belt, re-organizing carry-ons because such and such airport has slightly different rules...), that is over 140,000 person years spent passing through airport security. That doesn't account for the value of items forgotten at security, or discarded because they were not permitted, nor for the embarrassment of pornoscanners. I wonder how many cancer incidents in a few decades could in some part be induced by airport security scanners?

There is no way of measuring the number of hijackings prevented by the TSA since it was formed in 2001, but based on the frequency of attacks before the TSA, it must be very few if any. In fact, I am not aware of a single attempted hijacking that was stopped at the security gate by the TSA. Is the loss of 140,000 person years and untold billions of dollars in a decade really the most effective way to ensure traveler safety?

Airport security serves a purpose. 300 passengers confined in a flying tube with no way of escaping makes for an attractive terrorist target, and such an attack makes for a media sensation. I don't for an instant want to disparage those that lost loved ones in the heinous acts of September 11, 2001, or other murderous acts before and since then. But security is a matter of balancing risk and cost. Securing the cockpit does far more to prevent a hijacking than any other steps. Intelligence gathering to disrupt attacker plans before they reach the airport does far more to prevent terrorism than anything the TSA does at the gate.

Incidentally, if you are at all interested in aircraft crash statistics, planecrashinfo.com is a fantastic resource for crashes of all causes.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.