- Wetshadows - http://eisnerdigital.com -

Bruce Schneier…a guy who understands rational national security

Posted By admin On 28. October 2008 @ 03:16 In Uncategorized | 1 Comment

I referenced Mr. Schneier in my last blog entry and thought he warranted some more attention, especially on the subject of rational homeland security (vs. the less-than-rational approach we currently have manifested in the U.S.).

Schneier is the Chief Security Technology Officer for British Telecom. To quote from his site, Schneier.com, he is also an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

His first bestseller, [1] Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, [2] Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." His current book, [3] Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.

Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written [4] articles and op eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.

Schneier also publishes a free monthly newsletter, [5] Crypto-Gram, with over 150,000 readers. In its ten years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news.

Bruce Schneier was interviewed by R U Sirius on [6] 10 Zen Monkeys, and had some very sane and rational things to say about how the U.S. enacts security precautions that don’t do anything at airports, as well as how he would do things differently–I have to say, I agree with him.

Here’s an extract from the 04/2007 interview that I think is particularly relevant:

RU: Even with trained security people, it seems like they make an awful lot of errors. It seems like America, over the past few years, really has that “Can’t Do” spirit. Is there anything you can tell us about trained security people, and how they could improve their efforts.

BS: Well, they’re always going to make errors. Fundamentally, that’s a problem in the mathematics called the base rate fallacy. There are simply so few terrorists out there that even a highly accurate test, whether automatic or human-based, will almost always bring false alarms. That’s just the way the math works. The trick is to minimize the false alarms.

You’ve got to look at the false alarms versus the real alarms versus the real attacks missed — look at all the numbers together. But terrorist attacks are rare. They almost never happen. No matter how good you are, if you stop someone in airport security, it’s going to be a false alarm, overwhelmingly. Once every few years, it’ll be a real planned attack… maybe not even that frequently.

With training, you’re less likely to stop someone based on a dumb reason. When airport security stops a grandma with a pocketknife, that’s a false alarm. That’s not a success. That’s a failure. It’s, of course, ridiculous. So the trick is to alarm on things that are actually suspicious so you’d spend your time wisely. But the fact that almost everybody will still end up being a false alarm — that’s just the nature of the problem.

RU: Most of us experience the so-called “[7] War on Terror” in one place, and that’s at the airport. What are they doing right, and what are they doing wrong at the airports? Are they doing anything right?

BS: (Laughs) Since September 11, exactly two things have made us safer. The first one is reinforcing the cockpit door. That should have been done decades ago. The second one is that passengers are convinced they have to fight back, which happened automatically. You can argue that sky marshals are also effective. I’m not convinced. And actually, if you pretend you have sky marshals, you don’t even actually have to have them. The benefit of sky marshals is in the belief in them, not in the execution.

Everything else is window dressing — security theater. It’s all been a waste of money and time. Heightened airport security at the passenger point of screening has been a waste of time. It’s caught exactly nobody; it’s just inconvenienced lots of people. The No Fly List has been a complete waste of time. It’s caught exactly nobody. The color-coded threat alerts – I see no value there.

RU: A recent BoingBoing headline read “TSA missed 90% of bombs at Denver airport.” (Obviously they weren’t talking about real bombs, but a test.)

BS: And the real news there is it wasn’t even surprising. This is consistent in TSA tests both before and after 9/11. We haven’t gotten any better. We’re spending a lot more money, we’re pissing off a lot more fliers, and we’re not doing any better.

There’s a game we’re playing, right? Think about airport security. We take away guns and bombs, so the terrorists use box cutters. So we take away box cutters and small knives, and they put explosives in their shoes. So we screen shoes and they use liquids. Now we take away liquids; they’re going to do something else. This is a game we can’t win. I’m sick of playing it. I’d rather play a game we can win.



URL to article: http://eisnerdigital.com/2008/10/28/bruce-schneiera-guy-who-understands-rational-national-security/

URLs in this post:
[1] Applied Cryptography: http://www.schneier.com/book-applied.html
[2] Secrets and Lies: http://www.schneier.com/book-sandl.html
[3] Beyond Fear: http://www.schneier.com/book-beyondfear.html
[4] articles and op eds: http://www.schneier.com/essays.html
[5] Crypto-Gram: http://www.schneier.com/crypto-gram.html
[6] 10 Zen Monkeys: http://www.10zenmonkeys.com/2007/04/10/homeland-security-follies/
[7] War on Terror: http://www.amazon.com/gp/search?ie=UTF8&keywords=terrorism&tag=neofilesradio-20&index=books&linkCode=ur2&camp=1789&creative=9325
