Saturday, January 29, 2011

The TSA Color Coded Alerts: Fade To Black

Is it any surprise that the TSA announced this week that the color-coded threat system it has had in place since post-September 11th is being replaced?


I will refrain from comment on the new system until the details have been fleshed out and give it a chance to better inform us of what real and imminent dangers we may be in store for.


However, last post I made a point about the threat system having 5 different levels, and never having ever been at the two lowest colors - blue and green. Security Expert Bruce Schneier makes this pithy insight:


"The DHS could have lowered the level to something more reasonable, but that would have been politically impossible. If there were a terrorist attack and the threat level had been blue or green, the DHS would have been blamed for not warning us. Keeping the level high might increase the general dread among some people and cause sniggering among others, but it helps protect the jobs of those charged with keeping us safe from terrorism."


Schneier also goes on to make the great point about our ability to be on alert, which is the intention of the colored system. But always having the alert color be at one of the three highest of the colors puts a tremendous burden of responsibility on average travelers. Schneier says "According to scientists, California could experience a huge earthquake sometime in the next 200 years. Even though the magnitude of the disaster will be enormous, people can't stay alert for two centuries."


He's right. We have to be on our guard for sure, and I always like to say that every and any decision we make day-to-day is a risk-based decision, but we cannot be infinitely diligent. Human beings just don't have the mental ability to be that alert at all times. We can't even text and drive at the same time.

Thursday, January 13, 2011

What hath too much security awareness wrought?

As a creator and purveyor of security awareness, it has always been my position that there is no such thing as too much awareness or the need to be alert and attentive to the possibilities of an untoward or adverse event. So I can appreciate the fact that the TSA or Department of Homeland Security wants to make us aware of new and impending threats to our safety. But in this day of Threat Advisories, patdowns, three ounce liquid limitations, X-Ray scanners and the like, I believe that we have finally crossed the line into the surreal.

Two events this month have made airline security like the annual Simpsons Halloween special. (For non-Simpsons fans, this is the one annual episode where the show takes on a bizarre plot line and completely abandons any pretense of being realistic.)

On January 5th, while over Canada en route to Germany, an airplane's radio went awry, and the pilot thought he put the “No Radio” code (7600) in the transponder but mistakenly entered the code ‘7500’, which means "hijacking or unlawful interference". The crew ultimately confirmed that the issue was a communication issue and not a hijacking. The plane was ultimately diverted to Toronto however.  What caused the ruckus? One of the pilots spilled some coffee on the console due to some turbulence, and while trying to clean up the mess the pilot entered the wrong code.
 
The second story, a day later, was a case where a Florida professor was arrested and removed from a plane after fellow passengers alerted crew members they thought he had a suspicious package in the overhead which was “making suspicious sounds.”  That "suspicious package" turned out to be a set of keys, a hat, and a bagel with cream cheese. He was removed from the plane because he took exception to the crew’s questioning, probably reminiscent of the KGB (Where are your papers?!) and was ultimately handcuffed.  Note to self: always order the ‘noiseless’ cream cheese.

(I am not even going to tell you about the passenger on a flight from Fort Lauderdale to Denver who was pulled off a plane last week after other passengers said he was “taking too many bathroom breaks”!)

Because of the deluge of awareness warnings and veiled threats to your safety, we have become so prone to over-reacting that now we all jump if we hear a loud sound in the airport. Even in the subways in NYC we are urged that if we "see something" we should "say something." Average citizens have become deputized Barney Fifes with no accountability but plenty of assumed authority, as the bagel and bathroom cases above suggest. Passengers have become the de facto authorities of suspicious or terrorist activities on planes all of a sudden. Now I know that many real threats have been thwarted or suspects captured with the help of average citizens who report tips, but imagine the inundation of false and ridiculous leads law enforcement have to follow up on when you request the aid of amateurs. As a Muslim man, you almost couldn't get on a plane in the US after 9/11 due to the hysterics that followed. And God forbid if you were flying with a few of your friends.

The Department of Homeland Security has five levels of alerts: Low = Green; Guarded = Blue; Elevated = Yellow; High = Orange; Severe = Red. Since the introduction of the system in 2002, we have never had a Green or Blue status, only Yellow, Orange and Red. Do you know how many times it has been changed since 2002? No? Why would you? Do you get to keep your shoes on instead at the airport when the threat is lowered? No. Do you see any real improvement in security after they raise the threat? Not really, but you do see some procedural changes in which the government and TSA react to the last threat - not necessarily a future, possible threat. How many other shoe bombers have we had since Richard Reid? (None) How many additional underwear bombers have we had since the Underpants of Mass Destruction attempt? (None) Boxcutters? You get my point... (By the way the Threat Level has been changed 16 times since 2002).

If I have learned anything about security awareness training and campaigns, it is that though people can deal with the constant reinforcement of subtle awareness messages, people quickly become desensitized to hysterical warnings, especially if they see no immediate crisis to warrant the warnings. The most effective training, in my opinion, is to mete out the awareness with intelligent, well-reasoned arguments about what is the best behavior and what the possible risks might be. Both 'Chicken Little' and 'The Boy Who Cried Wolf' approaches are proven dead-ends.

Sunday, January 2, 2011

The Right to be Forgotten Exists In Some Cases...Like This One.


In these blogs I have often presented the perils that we face if we unthinkingly post pictures, opinions or tweets about activities or events we have engaged in or have experienced. The takeaway has always been that the user must analyze every possible aspect of what his or her post will or may be construed as, not only now, but five years from now when, for example, the adolescent is applying for that position at a respected organization, scholarship at some Ivy League school, or even a prospect for a first date.

Most people rightly have no sympathy for smart individuals who should otherwise know better, and who cannot self-censor. At this stage in the evolution of social media, we all know how data persists forever, and what you post or say online should be something that you should be prepared to live with, or defend, forever. (You do understand this, right?)

But what about those that can't defend themselves? 

You may have missed this recent story but it is a frightening example of how, through no fault of their own, two children, 4 and 5 years old, will forever be affected by the ubiquity and persistence of information in the public domain.

Here's the story: an 87-year-old woman with a walker was knocked down by accident on a street in New York City by one or both of the two children, 4 and 5 years old, who were riding their bicycles. The woman had to be taken to the hospital. She subsequently died 3 months later of unrelated causes. The old woman's estate sued the parents of the children claiming negligence: they should have been supervised better, the suit asserts.

A judge in NY state ruled that the kids could be sued in a civil injury context and the names of the children were then made part of the public record, as is customary. Ultimately, the New York Times reported on the case due to its extraordinary nature, and the kids' names have now become more widely distributed. A common practice in the world of public law has now uniquely, and probably permanently, identified these children in a less than positive light for the rest of their lives.

Though the parallels between a post on Facebook, LinkedIn, Twitter or MySpace, and the publication of the two children's names may seem unrelated and dissimilar, they have one component in common: the perpetuity of the information. The issue is not that the legal process required the publication of the defendants' names in a public record; that procedure has been common practice for hundreds of years. The issue is more the fact that the memory of online databases and search engines is or will be assumed to be infinite.

Ten years from now when the classmates of these two children do Google searches on all their friends, what do you think the top search result will be? How do you think teenagers in high school will likely interpret and process that data? (Johnny killed some old lady when he was 5?!!). I doubt that Johnny will see that past experience as a possible résumé enhancer.

It is inevitable and to be expected that a future Human Resource manager will do a Facebook or Google troll on you to see why they might not want to hire you. What do you think the impact will be on the job prospects of these two kids when this case comes up on the search? These two children may always be haunted by the persistence of memory and will not have the privilege or the right to be forgotten.

Thursday, December 23, 2010

Playing dumb worked for Anna Nicole, but doesn't work for a business

I finally had my first experience with the new backscatter x-ray machines at an airport security line last week. I was unable to see what the TSA saw as they looked through my clothes, though I did walk away with a few observations of my own.


First, as I was about to go through the usual metal detector device, a TSA agent asked me to remove my belt. How this little piece of a belt buckle could take off a bottle cap, let alone take down an airliner is beyond me. Since I never proactively remove my belt, the time wasted and humiliation element of the experience notwithstanding, it is the inconsistency of the request that most disturbs me and shakes to the foundation my faith and trust in the staff at the TSA.

Since I admittedly gave the TSA agent a little bit of attitude for her asking me to remove my belt, (but allowed me to keep on my chunky, solid steel watch which in addition to weighing 5 times more than my belt buckle, could probably represent a weapon of mass destruction if thrown hard enough), she then asked me to step into the backscatter x-ray machine. The watch did not set off the metal detector by the way. Never does.


Second, though I (hopefully) do not represent an obvious threat to airline safety, as I possess none of the notable, empirical characteristics associated with would-be terrorists (except being a male): young, of Middle Eastern or African descent, possibly Muslim, on a watch or do-not-fly list, possessing a one-way ticket, paid for ticket in cash, no checked luggage, sweating or fidgeting in line…I could go on. I am, in contrast, a frequent flyer, family man and in no possession of any radical views or positions (other than privatizing or otherwise banning the TSA.) Had any other terrorist ever boarded a flight with a Kindle?

So I took the request to go through the x-ray scanner as a purely punitive measure on the part of the TSA agent – not a random check, mind you, but a minor punishment as only a petty tyrant with no other power outlet than that at her disposal might inflict.

Finally, I had to remove everything – literally everything – out of my pockets including my wallet and 3 small vitamins before the scanner would work. Isn’t the point of the device to be able to detect stuff in my pocket or in my person?!?

In theory, I am not opposed to security measures to prevent or thwart terrorism on airplanes. I am one of the primary beneficiaries of security since I travel so much and am statistically more likely to incur an incident than your average American. What I do always question however, and I’ve said this before in previous posts, is the seeming lack of consistency and reason behind much of the decision and apparatus in place. The response is that it is done intentionally so as not to allow terrorists to get comfortable with the TSA’s techniques. Playing dumb so as to allow the enemy to underestimate you? Fine. Classic move from the Art of War. I would love that idea if it could ever be true of the TSA.

Playing dumb, however, should not be an operational strategy for a business. It doesn’t work for me at my job, at home or anywhere else in the real world. The market severely punishes any company in the private sector if that is their approach – it does it all the time to drug companies that fail FDA tests or mischaracterize the benefits or uses of their drugs. And these kinds of events kill more people than terrorists have ever done!

Let’s privatize the TSA and hold them to the same standards as a private company. Once we make them play by the same rules and standards of transparency as the private sector, then we can begin to peel away the layers of charade and concentrate on the real measures of security that will ensure flyers’ safety without having to frustrate us into submission. And let us keep our clothes on and our dignity intact.

Sunday, November 28, 2010

Have a 'pat down' this holiday season? Don't be afraid to invoke the "P" word for better security.


As the holiday travel schedule ramps up, so does the fervor and objections over pat downs and invasive screenings at airports in the United States. People recently subjected to these "love pats," as a Senator from Missouri innocuously (and ridiculously) referred to them, are in for quite a shock if they fly anywhere else in the world except, say, Cincinnati or Des Moines.

 As any frequent international traveler can corroborate, very intense and 'hands on' searches occur in almost every other international airport in the civilized world. Try flying through Frankfurt and not be subjected to a body search that even your family care doctor would find comprehensive. And these are not new procedures; I can remember the same thoroughness in place at Frankfurt, Heathrow and every Indian airport I have flown through for the last 5 years.

Why are Americans so indignant about the new procedures? Since when is flying a constitutional right? This is not healthcare; if you don't like the scrutiny you are subject to, you are welcome to use a car, train, bus or boxcar. Inconvenient? Sure. But so is political correctness, it appears.

In this country we are so terrified to offend any person of any race, creed, religion or origin that we will go out of our way to inconvenience an almost total majority to show how fair and even-handed we are to any minority. This approach to security is 180 degrees different than the one the Israelis take. You won't see any nuns, 80-year-old grandmothers or 4-year-olds being body searched. What you will see is a laser focus of their resources on the most likely and foreseeable risks to the safety of their citizens and the airlines. As I love to say, every decision you make is a microcosm of risk management.

In American and European airports in particular, significant volumes of traffic moving through them have required their associated security procedures to rely mainly on technology for screening luggage and detecting passengers with ill intent. Israel’s security philosophy, however, is based on a blend of advanced detection devices and personal interaction with the passengers. Granted, the primary airport in Israel, Ben-Gurion International, handles only about 12% a year of what U.S. airports handle annually, yet there are still some lessons we can learn.

Passengers are questioned from the time they drive up to the airport, until they are ready to board the plane. Usually, each person is questioned two or three times by different security agents, to ensure the story is consistent. Arab or Muslim passengers get extra-thorough screening, as do non-Jewish tourists. The Israeli method does not limit itself to only the profile of the 'typical' terrorist (if they exist anymore), but instead spends time questioning or searching anyone who appears nervous, flustered, inconsistent or just not right.

No airplane has ever been hijacked from Ben Gurion since the Israelis are not shy about deploying the "P" word - profiling. In the U.S. that word is such a hot button since it is typically associated with another taboo word - 'racial.' So when you add 'racial' and 'profiling' together, you have the most volatile term in the American lexicon - racial profiling.

For very good reasons, racial profiling is wrong, and more importantly for security and safety reasons, it is inefficient. Terrorists are not stupid; they have started recruiting other willing accomplices who are not the once tried-and-true terrorist profile: young, Middle Eastern, Muslim males. If we continue to focus efforts solely on this cliché of a potential threat, we will always be chasing yesterday's news - with disastrous consequences.

Ironically, since early January of this year, the United States has in fact introduced new requirements based on a traveler’s country of origin or citizenship. Citizens from 14 countries — including Afghanistan, Nigeria, Pakistan, Saudi Arabia, Yemen and Syria — are now required to undergo an extra search before getting on planes bound for the U.S. Profiling? Probably. Racial profiling? Definitely! I would argue that even enunciating and singling out these 14 countries is short-sighted and will ultimately be unproductive. If I was Al Qaeda, I would make sure that all of my next 100 recruits did not have passports from any of these countries. How easy would that be?

So what are your options this travel season? You can subject yourself to the patdowns or get your revealing full body scans (with you assuming the "I surrender" hands position), and "Say nope to the grope." Or, you can start to demand that we drop the inefficient, ineffective and politically correct way of American security screening: treating every traveler as if they were a possible terrorist. And instead, start to incorporate better and more efficient techniques from others who have learned and incorporated the art and techniques of risk management.

Sunday, November 14, 2010

India Gets Into The Identity Race


I have spent the last 10 days in India concluding my 12th visit in 7 years. I have seen quite noticeable progress in the rickety infrastructure each and every time I go, as India walks away from the past and races to the future. However, this time I saw progress in a different, less obvious way.

Last month, the Indian government rolled out the first country-wide AADHAAR ('foundation' in Hindi) to an Indian resident. This will be a unique 12-digit identification number, like a social security number that ultimately all Indians will possess. The government hopes to complete and issue at least 600 million IDs to its 1.2 billion citizens by 2014.

Currently, there exists a limited quasi-social security number in India; however, the government is intending to reach out to the rural and less connected masses as part of the program. Formalizing and documenting the 'official' identity of millions of the rural poor will, among other things, help them bypass more expensive money-lenders and tap into the formal banking system. What is unique about this initiative though is the format and approach to the effort, and how it dramatically differs from the similar process in the United States.

In the US, as you know, all babies at birth are issued social security numbers, along with a snappy little bluish-white paper card (that some people still bizarrely carry around with them!?) printed with a unique nine-digit number. As easy as it is to counterfeit or replicate it, some places, believe it or not, still ask for the card as some legitimate proof of identification – think of the DMV as you try to renew your driver's license. No surprise there.

The AADHAAR, however, will be printed on a smartcard or other official document that will include 3 factors of identification unique to the person: an iris scan, a photograph and all ten fingerprints. To get a number, Indians will have to physically go to an enrollment agency and submit their credentials that will ultimately be collected in a central repository.

Orwellian fears and privacy concerns aside, what this will mean to the Indian economy is monumental. Soon, millions of Indians who are otherwise prevented from participating in the growth of the sizable economy will now be plugged into the system and able to leverage money and services that were never available to them before. In turn, millions, maybe billions of rupees in revenue that would have gone to the black market or otherwise unreported (and untaxed) can now be put to better use. Think of the number of new jobs that will be created to both implement and support this system once it is effected.

These new jobs won't all be the classic government-teat-sucking positions that you might think they'd be. Software has to be developed and supported; card readers will have to be created and deployed. All areas of the private sector will be prodded to build new ways to accommodate and authenticate their customers across a number of different mediums. The US should take note here as the rest of the world moves to smartcard technology, while we stick with traditional magnetic strip technology and easily forged driver's licenses.

India will face many challenges as it attempts to implement a process like this, as it does with almost everything else that happens in that country. What will be most interesting to watch is how and if it is ever able to play catch-up and issue every citizen an AADHAAR. With a target rate of 10 million cards issued every four months, and a population growth of 4 million new people every quarter, it will be a very tough race to win.