Wednesday, December 30, 2009

Air Travel Security: Practical Industry Suggestions From Us

I am just a security guy, as are many others who will read this. Perhaps it is time us "simple" security guys got together and write some recommendations for air travel security? Get our voice out there as an organized professional group, which can in turn lobby for our professional recommendations.

Then we can edit them, vote on them, and submit them to the government for consideration in the upcoming brouhaha of committee discussions.

Here are mine, just to get the ball rolling:

Strategic:
0. Review useless technologies which are there for beyond the security theater purposes (which do matter) and start eliminating bad projects. Your purpose in security theater was to maintain air travel and keep people calm, right?
1. An investment in better intelligence (no brainer)
2. Create a "always strip-search" list rather than just "no fly" list., so that lesser threats can be dealt with responsibly without compromising the usefulness of the no fly one. I am sure they already have one, but they should layer this rather than deal with extremes.
3. Hire better agents (education/ability... better pay). Should be a small increase per person, but it will cost a lot in total. Then again, how much do all the current b/s additions cost?
4. Yours?

Tactical:
1. Copy Israel's air security training manual for agents. Israel's tactics may not be able to scale to the US level, but the training can.
2. Stop panicking and alienating people, so they are calmer and you can more easily identify suspicious people, so that this new training is more effective. Heck, do it anyway. Send TSA agents to some workshop on being nice. Or make shifts shorter.
3. Put "human sniffer" walk-through machines in every airport, for international flights.
4. Buy the better brand of baggage screening && X-ray machines for international flights (remember the liquid issue with checking for explosives in the last scare?)
5. Some people suggested to start profiling and leave PC behind, but I'm not touching that.
6. Yours?

Some of these are very high cost. Some of these are (on scale) very low cost.
Some of these should replace other high-cost idiocies, such as creating two new mega-airports, which is sound security-wise, but will only add an hop to the threat to jump over, with the same silly tests in yet another airport, rather than add a filter. Or full-body scans which will be of limited help, and insult us all.

What are yours? Join the discussion!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, December 18, 2009

Spymaster sees Israel as world cyberwar leader

Reuters reports from the Institute for National Security Studies (INSS), a Tel Aviv University think tank, where Major General Amos Yadlin, IDF chief of military intelligence, spoke:

In a policy address, Major-General Amos Yadlin, chief of military intelligence, listed vulnerability to hacking among national threats that also included the Iranian nuclear project, Syria and Islamist guerrillas along the Jewish state's borders.

Yadlin said Israeli armed forces had the means to provide network security and launch cyber attacks of their own.

He further said, as mentioned in this Israeli publication, that other countries, such as the United States and Great Britain, are establishing units for cyber defense, and that Israel has soldiers and officers on the job.

In fact, just today I heard a lecture by the director of the CIA who, as is general United States policy, places cyber security on the map when discussing issues such as proliferation of nuclear weapons and international terrorism.

HaAretz, an Israeli newspaper, quotes Major-General Yaldin as saying:

"Fighting in the cyber dimension is as significant as the introduction of fighting in the aerial dimension in the early 20th century." (my translation)

If this statement is to be believed, Israel is active in cyberspace. And yet, why would Israel admit that, regardless of if it really happens?

One option is that Israel decided it needs to show that its military is on par with other militaries around the world.

"Preserving the lead in this field is especially important given the dizzying pace of change," Yadlin said.

On the surface, disclosing cyber space activity, which your enemies can develop as well, or push to develop more of, seems silly.

After all, Major-General Yadlin said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states,"

As Israel, much like the Western world, is very advanced technologically, it is more reliant on computers than many of its enemies and neighbors, and is therefore more at risk from potential cyber attacks. With attacks against Israel's internet presence these last few years, it may not be a silly idea after all.

With the world becoming more aware of threats to computer systems, investment in cyber security rising and more and more security incidents being disclosed; countries around the globe invest in cyber capabilities. Indeed, Israel too, which has been under internet attacks for years, needs to buckle up and do more to combat the threats.

Major-General Yadlin also mentioned cyber attacks fit well with Israel's doctrine for military offensives (mistranslated below as defense). This bit is tricky, and I will try and read between the lines.

"I would like to point out in this esteemed forum that the cyberwarfare field fits well with the state of Israel's defense doctrine,"

While Major-General Yadlin in all probability meant something along the lines of being bold and staying ahead of the curve, as in the same sentence he also spoke of Israeli youth and innovation, mentioning how Israel is often referred to as the "start-up country":

"This is an enterprise that is entirely blue and white (Israeli) and does not rely on foreign assistance or technology. It is a field that is very well known to young Israelis, in a country that was recently crowned a 'start-up nation'."

It is possible, although unlikely, that he meant to indeed discuss Israel's defense doctrine, thus possibly speaking about deterrence in cyberspace.

Deterrence is an integral part of Israel's defense doctrine, with the goal, in broad lines, of widening the window between inevitable Arab attacks by a strong response, some would say a disproportionate one, which will score a quick and decisive victory. Hopefully deterring them from attacking again. This strategy has roots in Israel's history all the way back to Ben Gurion's time and the formation of Israel.

Deterrence on the Internet, however, is mostly nonsense. This due to inability to identify who it is actually attacking you, and then if somehow successful, if it is really them or if their computer has been taken over by yet another attacker. Is someone trying to frame another as your attacker? Is your attacker even a nation-state to begin with, rather than an organization that doesn't care about retaliation?

On the internet, you may know who your enemies are rivals are, but you may never find out who is attacking you. The Internet is perfect for plausible deniability.

If this was the thinking behind the announcement, which I'd like to think is not the case, then the strategy was copied from the United States where this silliness has been going on now for a few years. The US strategic experts have been using Mutual Deterrence (or MAD, Mutually Assured Destruction) for over 70 years now, and feel comfortable with it. Therefore, when they needed to tackle the cyber realm, they immediately started pushing for a deterrence strategy even though cyber experts have been warning about it continually.

Deterrence for the most part, doesn't work online. It is my hope Israel does not repeat the American mistake on this matter and that I am right, and Major-General Yaldin was only speaking of Israel's spirit, where commanding officers lead the charge rather than wait behind.

From a completely different perspective, cyber warfare has been recognized as a strategic weapon on par with weapons of mass destruction for at least two decades. Israel does not admit strategic capabilities such as Nuclear Weapons, if it has them. Should it admit cyber capabilities?

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."

While cyberspace is certainly strategic, the analogy to nuclear weapons is relatively weak.

There are obvious differences between the nuclear world and the cyber world, such as with tactical cyber uses of a very targeted nature -- without collateral damage, and in international law governing the proliferation of nuclear arms, while the cyber realm is in its infancy. In fact, the United States, Russia and the United Nations arms control committee are as I write these lines engaged in early discussions on securing cyberspace, and limiting military use of this realm.

When I first heard of the speech by Major-General Yaldin, I was highly disappointed with Israel for taking this route of public disclosure. Now, I am not so sure.

Disclosing that Israel is ready to defend itself and potentially engage its enemies in cyberspace right along-side the physical world, certainly has merit considering recent world events such as the attacks against Estonia and Georgia. I am just left wondering if this indeed discloses a real capability, or is just public relations.

I can personally attest from my years of defending Israel's internet, that Israel is under constant attack in cyberspace, and this intensifies whenever political tensions mount.

"At times it would seem," said Major-General Yaldin, "that our enemies would like to give a special award to Western companies whose products can be bought off-the-shelf at a reasonable price." (my translation)

Regardless, putting cyber security on the agenda along-side with Iranian nuclear weapons, Syria and Islamist guerrillas, is a step in the right direction to defending against the threats of cyberspace.

Gadi Evron,
ge@linuxbox.org.


Follow me on twitter! http://twitter.com/gadievron