December 23rd, 2010

unixronin
Thursday, December 23rd, 2010 08:03 am

Via Bruce Schneier, Adam Shostack on the TSA and threat modeling, and why the TSA's model is completely wrong.

Half of getting the right answer is asking the right questions.  If the question the President is hearing is “what can we do to protect against the threat that we saw in the Christmas day bombing (attempt)” then there are three possible interpretations.  First is that the right question is being asked at a technical level, and the wrong question is being asked at the top.  Second, the wrong questions are being asked up and down the line.  Third is that the wrong question is being asked at the top, but it’s the right question for a TSA Administrator who wants to be able to testify before Congress that “everything possible was done.”

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs.  I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes.  If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions.  I’ll suggest “how do you model future threats?” as an excellent place to start.

It's not just a problem of asking the wrong questions, though.  The real root of the problem is that Congress and the TSA are not only asking the wrong questions, they're then compounding the error by going for the easy, low-hanging-fruit answers.

But, of course, we are talking about Congress.  So is anyone really surprised?

Current TSA chief John Pistole said, in an Atlantic article that also bears reading (particularly the second page),

I've had members of Congress say, "Look, I am a member of Congress.  I am not a terrorist; This is absurd.  Why do I have to go through a physical screening?  It's an insult."

So, here's my question to Congress:  Why is this an insult you don't think you should have to tolerate, but an insult you're perfectly happy for the rest of us to have to put up with?  Does the sun rise out of your Jockeys every morning or something?

This may come as a shock to you, but we're not terrorists either.  And most of us are apparently better at estimating threats than you are.