Following the latest news of the attempt to blow up a Delta flight, and the reintroduction of debates about terror and security worldwide, I want to share some random thoughts this incident brought about.
The weakest link
A reliable source is one that provides you data and information you can use with little to no validation; a source you can trust as part of the group of sources you use to evaluate the riskiness of a specific situation. Be it a credit report from Experian, a Whitepages entry from Whitepages.com or a customer calling in to report, you need to know the possibility of your resource being compromised and the information you receive being mistaken or, much worse, maliciously injected by fraudsters. This is the basic malfunction that drives SQL injection attacks: if you don't sanitize DB entries, you're most probably in for a big bad surprise. The weakest link – in this case, it seems to be Nigerian aviation security controls – has failed the whole chain. It may be improper screening, low-budget security tools or just procedures not permeating through the system, but it let someone with malicious intent onboard and only luck failed him. The fact that Netherlands security just passed the stick on and let all passengers continue shows that the hand-over between security personnel in different airports might need some additional reinforcement, because terror is constantly looking for ways to inject itself in. There should be additional focus around determining the reliability of various airports as a source of validated passengers and acting accordingly.
Lists don’t work
So his name was on a list. So what? Here’s what lists do: they make legitimate people’s lives harder (ever tried boarding a plane in domestic US with an Arab name or with a Middle Eastern passport? Enjoy the ride…) but much worse than that, they transform risk measures into binary checks (on the list? Stop. Not on the list? Carry on), a classic case of “searching under the streetlight”. So he WAS on the list but not under “really bad” but only under “naughty”? Come on. I have preached against blacklists in the past (Hebrew only) and this is another case where, clearly, some old-fashioned flight track analysis crossed with previous alerts could have done the trick. The data was there – it’s all a matter of interpretation.
I take off my shoes in remembrance of the shoe bomber; I don’t carry liquids in remembrance of the 2006 bomb-as-a-soft-drink plot; and I get sniffed by an automated sniffer every once in a while in a random US terminal. As far as I’m concerned, I should probably stop flying soon and leave air travel to terrorists and security, in an everlasting cat and mouse game. The most important thing about attacks that materialize (even if they fail) is learning from them. If all we get is another restriction, we are missing the point here. Every false positive and false negative (in any automated or manual decision-making process) needs to serve as feedback for the system to improve on – in its ability to make better decisions, not in the restrictions it applies to the general population. Hopefully, the conclusions will not end up only bringing another top-dollar cutting-edge new machine to sniff people at airports, but will aid in making flying safer and easier for legitimate travelers while shutting it down for terror.