Sunday, December 27, 2009

A man on a plane

Following the latest news of the attempt to blow up a Delta flight, and the reintroduction of debates about terror and security worldwide, I want to share some random thoughts this incident brought about.




The weakest link

A reliable source is one that provides you data and information you can use with little to no validation; a source you can trust as part of the group of sources you use to evaluate the riskiness of a specific situation. Be it a credit report from Experian, a Whitepages entry from Whitepages.com or a customer calling in to report, you need to know how likely it is that your source has been compromised and that the information you receive is mistaken or, much worse, maliciously injected by fraudsters. This is the basic malfunction that drives SQL injection attacks: if you don't sanitize DB entries, you're most probably in for a big bad surprise.

The weakest link – in this case, it seems to be Nigerian aviation security controls – has failed the whole chain. It may be improper screening, low-budget security tools or just procedures not permeating through the system, but it let someone with malicious intent onboard and only luck failed him. The fact that Netherlands security just passed the baton on and let all passengers continue shows that the hand-over between security personnel in different airports might need some additional reinforcement, because terror is constantly looking for ways to inject itself in. There should be additional focus on determining how reliable each airport is as a source of validated passengers, and on acting accordingly.

Lists don’t work

So his name was on a list. So what? Here’s what lists do: they make legitimate people’s lives harder (ever tried boarding a domestic US flight with an Arab name or with a Middle Eastern passport? Enjoy the ride…) but much worse than that, they transform risk measures into binary checks (on the list? Stop. Not on the list? Carry on), a classic case of “searching under the streetlight”. So he WAS on the list but not under “really bad” but only under “naughty”? Come on. I have preached against blacklists in the past (Hebrew only) and this is another case where, clearly, some old-fashioned flight track analysis crossed with previous alerts could have done the trick. The data was there – it’s all a matter of interpretation.

Hindsight’s 20:20

I take off my shoes in remembrance of the shoe bomber; I don’t carry liquids in remembrance of the 2006 bomb-as-a-soft-drink plot; and I get sniffed by an automated sniffer every once in a while in a random US terminal. As far as I’m concerned, I should probably stop flying soon and leave air travel to terrorists and security, in an everlasting cat and mouse game. The most important thing about attacks that materialize (even if they fail) is learning from them. If all we get is another restriction, we are missing the point here. Every false positive and false negative (in any automated or manual decision making process) needs to serve as feedback for the system to improve on – in its ability to make better decisions, not in the restrictions it applies to the general population. Hopefully, the conclusions will not end up only bringing another top-dollar cutting-edge new machine to sniff people at airports, but will aid in making flying safer and easier for legitimate travelers while shutting it down for terror.

4 comments:

cantonpi said...

Your comments may be 'random' but quite relevant. Here too are my random thoughts on this subject.

When I was a Special Agent with the U. S. Secret Service I was very active in airport and flight security matters. This was in the 1970's era of "skyjackings" and the PLO blowing up aircraft on the ground etc. President Nixon appointed retired General Benjamin Davis to head up a "sky marshal" program wherein agents were assigned to (mostly) overseas flights of American carriers. We had some training but mostly depended on our investigative and protection skills learned from our regular assignments as federal agents. The reason I mention this is what I learned about thinking out of the box before that was even an iconic term. All of us were encouraged to add our personal experience on a daily basis to improve the quality of the operational assignments. It was a team effort and everyone had a voice in making our performance better on each flight. I don't recall the word 'profiling' as part of the lexicon. Our job was to thwart "skyjackers" and we paid most attention to those who fit the model of known "skyjackers".

I don't recall searching old women in wheel chairs. We had a targeted mission and, as far as I know, we successfully carried it out.

Today I feel too many super grades in government do not even know what is important, how to establish priorities, realize that our enemies are serious and dangerous and treat the general public like a bunch of buffoons.

When the head of Homeland Security announced that the "system worked" on Christmas Day, I was truly dismayed. Does she think we are ignorant or does she truly believe it worked? Neither answer bodes well.

From what I have read, it appears the Christmas Day terrorist (1) paid cash for his ticket and (2) had no luggage. I do not know if the ticket was round trip or one way. These have been warning signs for over 30 years. With all of the government's IT capabilities, I am surprised these factors cannot be integrated into the security system for further scrutiny.

Our government continues to be in a crisis management, reactionary, defensive mode and not able to think ahead of new potential threat scenarios. I don't feel secure with our government officials' skill level or their conceptual grasp of the enemy.

The ability to be flexible and innovative in our air security policies will soon be further hampered by the administration's interest in unionizing all of the TSA. The rigid, bureaucratic encumbrances placed on employees by a union will certainly stifle any innovation and thinking "outside the box" that may have surfaced from the rank and file.

Until we get dedicated, well trained and experienced people at the top of our government who are not beholden to internal political pressures, personal career over doing the right thing and American's security first, the security situation will not improve.

Respectfully submitted by Mike Robertson.
http://www.robertsoninvestigations.com

Ohad Samet said...

Thank you for your comment. I didn't know the details about the payment and luggage - both interesting and very relevant to the post's theme.

Anonymous said...

Ohad, Mike, great reading your comments. It seems this guy tried to board the plane without the passport: http://www.mlive.com/news/detroit/index.ssf/2009/12/flight_253_passenger_says_at_l.html

Questions for you: Are you saying profiling is not the way to go here? Seems like there is a "very good profile" of people fitting the scene.

I believe the prior administration handled it quite well and was not reactionary, put some good policies in place (unfortunately people in the US elected a government not up to the task). This administration is very PC not very likely to embrace tough measures. Rather they seem to be going after those who protected the country for the past 8 years...

Ohad - How do you define system failure in this instance? The father went to the US embassy with some fairly reliable information. I mean they took Ivana Trump off the plane for screaming, three days ago (much lesser terrorist activity indicator). Bottom line, there was abundant information available. Not sure if the first most important thing is to call out the Nigerian aviation security control. By the time the case gets to them it's too late - this should have been handled upstream. Also, I think there is a gravity difference here between transaction risk and terrorism risk. Since this is more than transaction risk I am inclined to vote for a much wider net. I think building the wall in the West Bank will not prevent all attacks but probably the majority of them, right? In our case, how about not letting those 550,000 on the list fly?

Ohad Samet said...

I'll answer your points as I understand them one by one:
- I'm not the right person to discuss US internal affairs as I'm too new to the country. I do, however, think that PC might get in the way of proper risk management/terror fighting (for example, being unable to explicitly "profile" people) but on the other hand, there's a big difference between dumping PC as a constraint and adopting an aggressive policy against human rights (also see my 3rd bullet)
- Yes, the failure was probably upstream, good point. I should have related to the supporting intelligence operation (where profiling is relevant) more explicitly. Agree, it's not the job of the security guy at the airport to make this decision.
- To the wall point, I'm far from a supporter of the wall. Yes, terror risk calls for more false positives to achieve fewer false negatives resulting in harm, but the wall is a punitive measure taken against a whole population without any profiling or differentiation. I don't buy this idea exactly as I don't buy blocking regions from ecommerce because there are more fraudsters there. The analytic reasoning just doesn't make sense.