Perimeter
1/4/2010
05:28 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

How Obama Could Fix Airline Security

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to

Northwest Airlines' Christmas Day scare showcases why the current airline security program, which potentially violates due process and treats every passenger as a criminal, isn't working. It's time to start over and focus more on substance and apply a fresh set of eyes to this problem. This is one more chance for President Obama to give us a change we can believe in, and it's also a chance for us to look at airline security practices and take them for what they are -- an example of what not to do.If you read the history of airline security, then you can see how we got into the mess in which some air carriers have been keeping folks out of bathrooms, preventing them from reading magazines, and are planning to install new x-ray "peep show" scanners. (I can't wait to see how long it will take the new naked image of my favorite celebrity who doesn't have a private plane to show up on the Web.)

We don't have this level of pain for buses, trains, or ships, yet each has the potential, with the right explosive device, to cause a catastrophe of even greater proportions. What if a tanker took out the Golden Gate Bridge? We've seen what a truck full of fertilizer can do to a government building, and a bomb in a train effectively changed the government in Spain, so it's not as if they are lower risk.

What happened with the airlines goes back to a policy created in 1972 that treated every passenger as a potential hijacker and evolved into treating every passenger as a potential terrorist. This is stupid because it destroys the related business and is reactive in nature. It clearly doesn't work.

In a free country -- at least this one -- we have something called due process where folks are supposed to be presumed innocent, but that is not how airport security is designed: IT presumes everyone is guilty; as we saw last month, that clearly doesn't work.

It's too costly to do it right. To make it work, you'd have to do in-depth interviews with each passenger, a full body scan, and an orifice probe much like what is done in prison (in-body explosives are already being used). And as recently demonstrated, the current process is severely limited by air travel's security workforce, which often makes this existing security structure ineffective.

The current system is reaching insane levels: Each new security requirement is being layered on top of each previous failure prone process, and the resulting mess has become unmanageable and ineffective. The TSA can't even keep practices secret, currently going after bloggers who, within hours of publishing, had the latest practices up on the Web.

The practices potentially violate our civil rights, yet we continue to act like it both works and is acceptable. Stuff like banning magazine-reading and carry-on luggage just seems insane to me -- and pathetic to others.

I think we need to step back, put emphasis back on identifying and focusing on the actually terrorists and criminals, and go back to the concept of due process. We should think about spending money on making planes safer to travel by making sure they can better withstand disasters, both man-made and natural, and focus back on saving lives on take focus off of treating all of us like criminals.

The lesson here that goes beyond air travel is that absolute security is neither practical nor possible, and you constantly need to reassess how you spend your security dollars to get the most security you can afford.

President Obama's opportunity is to step back and correct the mistakes of the past several decades and help make air travel more popular, more profitable, and more secure. This isn't without risk because any major change runs the risk that a successful terrorist will get though, and his success will be blamed on the change.

But they are currently likely to get through anyway, and the courageous path is to focus on saving lives long-term -- not avoiding hard decisions because they represent personal risk. The fact that the TSA seems to be more focused on nailing reporters who report leaks than in fixing their systems is just plain embarrassing.

I say this with the hope we can all enjoy a better, safer, and smarter decade in what is coming, and that we share a safe, secure, and happy traveling future.

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report