Perimeter
1/4/2010
05:28 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

How Obama Could Fix Airline Security

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to do.If you read the history of airline security, then you can see how we got into the mess in which some air carriers have been keeping folks out of bathrooms, preventing them from reading magazines, and are planning to install new x-ray "peep show" scanners. (I can't wait to see how long it will take the new naked image of my favorite celebrity who doesn't have a private plane to show up on the Web.)

We don't have this level of pain for buses, trains, or ships, yet each has the potential, with the right explosive device, to cause a catastrophe of even greater proportions. What if a tanker took out the Golden Gate Bridge? We've seen what a truck full of fertilizer can do to a government building, and a bomb in a train effectively changed the government in Spain, so it's not as if they are lower risk.

What happened with the airlines goes back to a policy created in 1972 that treated every passenger as a potential hijacker and evolved into treating every passenger as a potential terrorist. This is stupid because it destroys the related business and is reactive in nature. It clearly doesn't work.

In a free country -- at least this one -- we have something called due process where folks are supposed to be presumed innocent, but that is not how airport security is designed: IT presumes everyone is guilty; as we saw last month, that clearly doesn't work.

It's too costly to do it right. To make it work, you'd have to do in-depth interviews with each passenger, a full body scan, and an orifice probe much like what is done in prison (in-body explosives are already being used). And as recently demonstrated, the current process is severely limited by air travel's security workforce, which often makes this existing security structure ineffective.

The current system is reaching insane levels: Each new security requirement is being layered on top of each previous failure prone process, and the resulting mess has become unmanageable and ineffective. The TSA can't even keep practices secret, currently going after bloggers who, within hours of publishing, had the latest practices up on the Web.

The practices potentially violate our civil rights, yet we continue to act like it both works and is acceptable. Stuff like banning magazine-reading and carry-on luggage just seems insane to me -- and pathetic to others.

I think we need to step back, put emphasis back on identifying and focusing on the actually terrorists and criminals, and go back to the concept of due process. We should think about spending money on making planes safer to travel by making sure they can better withstand disasters, both man-made and natural, and focus back on saving lives on take focus off of treating all of us like criminals.

The lesson here that goes beyond air travel is that absolute security is neither practical nor possible, and you constantly need to reassess how you spend your security dollars to get the most security you can afford.

President Obama's opportunity is to step back and correct the mistakes of the past several decades and help make air travel more popular, more profitable, and more secure. This isn't without risk because any major change runs the risk that a successful terrorist will get though, and his success will be blamed on the change.

But they are currently likely to get through anyway, and the courageous path is to focus on saving lives long-term -- not avoiding hard decisions because they represent personal risk. The fact that the TSA seems to be more focused on nailing reporters who report leaks than in fixing their systems is just plain embarrassing.

I say this with the hope we can all enjoy a better, safer, and smarter decade in what is coming, and that we share a safe, secure, and happy traveling future.

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.