Perimeter
1/4/2010
05:28 PM
Rob Enderle
Rob Enderle
Commentary
Connect Directly
RSS
E-Mail
50%
50%

How Obama Could Fix Airline Security

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to do.If you read the history of airline security, then you can see how we got into the mess in which some air carriers have been keeping folks out of bathrooms, preventing them from reading magazines, and are planning to install new x-ray "peep show" scanners. (I can't wait to see how long it will take the new naked image of my favorite celebrity who doesn't have a private plane to show up on the Web.)

We don't have this level of pain for buses, trains, or ships, yet each has the potential, with the right explosive device, to cause a catastrophe of even greater proportions. What if a tanker took out the Golden Gate Bridge? We've seen what a truck full of fertilizer can do to a government building, and a bomb in a train effectively changed the government in Spain, so it's not as if they are lower risk.

What happened with the airlines goes back to a policy created in 1972 that treated every passenger as a potential hijacker and evolved into treating every passenger as a potential terrorist. This is stupid because it destroys the related business and is reactive in nature. It clearly doesn't work.

In a free country -- at least this one -- we have something called due process where folks are supposed to be presumed innocent, but that is not how airport security is designed: IT presumes everyone is guilty; as we saw last month, that clearly doesn't work.

It's too costly to do it right. To make it work, you'd have to do in-depth interviews with each passenger, a full body scan, and an orifice probe much like what is done in prison (in-body explosives are already being used). And as recently demonstrated, the current process is severely limited by air travel's security workforce, which often makes this existing security structure ineffective.

The current system is reaching insane levels: Each new security requirement is being layered on top of each previous failure prone process, and the resulting mess has become unmanageable and ineffective. The TSA can't even keep practices secret, currently going after bloggers who, within hours of publishing, had the latest practices up on the Web.

The practices potentially violate our civil rights, yet we continue to act like it both works and is acceptable. Stuff like banning magazine-reading and carry-on luggage just seems insane to me -- and pathetic to others.

I think we need to step back, put emphasis back on identifying and focusing on the actually terrorists and criminals, and go back to the concept of due process. We should think about spending money on making planes safer to travel by making sure they can better withstand disasters, both man-made and natural, and focus back on saving lives on take focus off of treating all of us like criminals.

The lesson here that goes beyond air travel is that absolute security is neither practical nor possible, and you constantly need to reassess how you spend your security dollars to get the most security you can afford.

President Obama's opportunity is to step back and correct the mistakes of the past several decades and help make air travel more popular, more profitable, and more secure. This isn't without risk because any major change runs the risk that a successful terrorist will get though, and his success will be blamed on the change.

But they are currently likely to get through anyway, and the courageous path is to focus on saving lives long-term -- not avoiding hard decisions because they represent personal risk. The fact that the TSA seems to be more focused on nailing reporters who report leaks than in fixing their systems is just plain embarrassing.

I say this with the hope we can all enjoy a better, safer, and smarter decade in what is coming, and that we share a safe, secure, and happy traveling future.

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.