I have long been a critic of many things about our current government, as faithful readers are aware. I came across a very insightful interview with Michael Chertoff which I found both surprising and depressing.
The good news is that in some ways, Chertoff has some good ideas. For example,
"The larger challenge -- and frankly one that is further out -- is to find a way to partner with the private sector to enable and encourage them with some of the capabilities that we have to increase their defensive capacities, but on a voluntary basis, meaning not making them do it or regulating them into doing it. But instead offering them the opportunity -- much the same in the non-cyber-world, we go to people who run power plants and dams and we share information and best practices that they can use to defend their own assets."
That's a great use of government resources. It's not in private industry's interest to make security a priority, since security is a cost with no immediate return. The government can fund research, encourage secure practices and require security. That makes us all better off and combines the advantages of legislation and free markets.
Next he addresses the recent hubbub about laptop seizures,
"The only thing that happened recently is that I ordered the policy to be put online in the interests of openness and transparency. We get about 80 million people a year coming to our airports, and a very small number are put into secondary inspection and that's based on some suspicion that the inspector has about the person.
"It is that pool of people in secondary that have their things gone through, they can have their luggage and documents gone through. And nowadays because you can bring contraband through on a laptop, they can have their laptop looked at."
If things are really as he describes, it really doesn't sound that outrageous. What I think is that the policy they posted is written poorly and doesn't indicate what's actually going on. So if this policy only applies to those who are suspected of something and therefore brought in for secondary screening, put that in the policy already! This whole flap would have been avoided.
Now, on to the more interesting bits. Wired asked him about the huge mess known as the no-fly list. He says,
"In the airport environments, supposing there is a terrorist Jim Smith and that person should be on the watch list, the question is how do you distinguish them from the other Jim Smiths and the answer is you need an additional bit of data, such as a birthday.
"That would override or eliminate most false positives."
So the solution to a bloated list is to make the list even bigger? Mr. Chertoff, when you realize you're at the bottom of a 10-foot hole, the first thing to do is stop digging. There is no way that 1,000,000+ terrorists are walking around in this country just chomping at the bit for their chance to hop on an airplane and blow it up. It's not realistic. Given that 99% or more of that list is cruft, of course you're going to have false positives. That's all you're going to have, and even on the off chance you find a bad guy, everybody will assume it's just another incorrect assessment. The whole no-fly list needs to be junked.
And then the shoe drops. He reveals the true motive for most of the "security" measures deployed of late.
"If you stopped using the watch list and basically anybody could get on a plane without knowing their identity, sooner or later something would happen -- and people would lose their lives, and then there would be another 9/11 Commission and we'd hear about how you had this system and you would have kept them off and these people lost their loved ones on a plane."
Let me rephrase that for you. "If something happens, even if I had no way of actually preventing it, my butt is going to be dragged before Congress. I would rather inconvenience hundreds of millions of innocent people than risk that happening. At least then I would be able to say I had 'done something'."
What we really lack here is a way to effectively measure how well security mechanisms are working, because terrorist events are very rare. Between the time the World Trade Center was bombed the first time and when it was attacked on 9/11, we very well could have said "whatever it is we're doing, it must be working". Well, clearly it wasn't, but how would we know that? Chertoff even gives us a great example of this,
"I don't know if they do it anymore, but when I was a kid we all had polio shots, and after a while, you just don't know anyone with polio. And the question was raised was, why are we taking these shots? There's not that much polio around. And one of the reasons there's not that much polio around is that everyone is getting inoculated."
It's very easy to measure whether a polio vaccine is working because it was so widespread and results were quickly available. It's simple to see that spending money on the polio vaccine is worth the money. The same is definitely not true of terrorism. We can spend billions (as we have) and still not know whether we've actually made a difference or not. That's money wasted for no appreciable amount of security, and that, folks, is the current motto for the Department of Homeland Security.