The Myth of Homeland Security

Posted on by Ben Rothke

The Myth of Homeland Security helps you find out if true homeland security is achievable. 

Every decade or so, a book comes out that fundamentally changes the way we look at an issue. Examples include Upton Sinclair's The Jungle, Rachel Carson's Silent Spring, and Ralph Nader's Unsafe at Any Speed; these books are timeless in their influence. The Myth of Homeland Security by noted information security consultant Marcus Ranum (also known as the father of the firewall) has an equally ominous message and deserves equal attention. Like Unsafe at Any Speed, Ranum's book should serve as a fulcrum for change. 

Essentially, Ranum makes the point that buying duct tape by the mile and having elderly women remove their shoes at airports does absolutely nothing to increase homeland security. Ranum details other flaws in the government's approach to counter terrorism, including the huge bureaucracies that exist primarily for the purpose of prolonging their existence. He notes that the very structure of bureaucracies rewards inefficiencies and encourages territorialism and turf warfare. Want proof? More than two years after 9-11, the CIA and FBI still do not have a streamlined method for interdepartmental communications. 

Throwing money (to the tune of tens of billions of dollars) at the problem without first identifying the solutions certainly are not the way to go. So what should we do? 

First, as Ranum notes, we must get practical. From a physical security perspective, it is hard enough to secure a mega-mall with a few hundred stores and tens of thousands of customers. The task is exponentially more difficult, if not impossible, when extended to an entire country spanning millions of square miles of land, including long, unsecured borders, and inhabited by hundreds of millions of permanent and transient, legal and illegal persons, with more entering daily. 

Compounding the challenge of this complex and multifaceted task is the government's penchant for creating and sustaining bureaucracies without regard for whether they make getting the job done easier. For example, the Bureau of Citizenship and Immigration Services (BCIS), formerly the Immigration and Naturalization Service (INS), admits that it can't account for nearly a half-million visitors to this country. 

Given the agency's poor performance historically, it should have been completely dismantled and rebuilt from the ground up. Instead, it was given a new name. If BCIS were a public company, its top management would have been fired long ago. Thus, the second step toward better homeland security would be more accountability for officials spearheading government programs. 

Another issue that complicates the challenge of homeland security is that the average citizen simply does not understand risk, notes Ranum. As a result, most people will overreact to isolated incidents, such as occurred with the Washington, D.C., area sniper, while ignoring threats with a much higher probability of affecting them, such as cancer from smoking or a serious car accident from drunk driving. 

Media coverage that reduces complex issues to sound bites certainly does not help. But even the authorities, who surely do not get their information from media sound bites, seem not to take a big-picture, long-term view. For example, when a shoe-bomber attempted to take down an airliner with a shoe-based bomb attack, security services started making all passengers take off their shoes before embarking. Is this an effective way to deal with the overall risk? No. As Ranum notes, just imagine if this terrorist had stored his bomb in his underwear. 

To address this problem, the third step toward better homeland security would be for officials to take a more professional approach to risk assessment and for security professionals in government and in private industry to work together to educate the public about proper risk assessment and risk management. 

A fourth issue that must be addressed is the government's inability to solve problems expeditiously once they have been identified. One has to wonder, says Ranum, why can grow from a garage to an e-commerce powerhouse in a matter of months, yet CIA and FBI databases still can't effectively share information with each other more than two years after 9-11. A laundry list of other security problems at government agencies has been repeatedly cited by General Accounting Office reports without the problems being addressed. 

Moreover, for homeland security to work, agencies such as INS/BCIS, FBI, CIA, and even the NSA all have to work together. News reports suggest that the FBI and CIA are still not cooperating to the degree they should. 

Then, of course, there is the issue of the insider threat. Even if we permanently sealed our borders, there would be serious risks to homeland security, notes Ranum. Nefarious individuals such as Timothy McVeigh, Aldrich Ames, and Robert Hanssen were all Americans, in some cases with security clearances. In a democracy, there is no easy solution to this problem. 

Homeland security is so big that it may be inherently unsolvable. Yet it is a risk that must be managed. That means government needs to find a reasonable level of countermeasures to establish a reasonable level of security. Instead, it continues to suggest to the American people that a few billion dollars and a reshuffling of the bureaucracy can solve the problem. 

Overall, Ranum does an excellent job of showing what is right and wrong about homeland security issues. The only time the author blunders, is when he takes a somewhat overly simplistic view of the Middle East crisis, and makes some unreasonable comparisons. 

The 9-11 attacks started a giant wheel moving, and that wheel's name is the Department of Homeland Security. The Jungle ushered in a new era within the meatpacking industry, while Unsafe at Any Speed fundamentally changed Detroit, and saved tens of thousands of lives in the process. If The Myth of Homeland Security has but a hundredth of the impact, and if it does nothing more than get the FBI and CIA to work better together, then maybe homeland security won't be a myth after all. 

Ben Rothke

Senior Information Security Manager, Tapad

data security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community