Welcome to Volume 3, Issue 17 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
Editor's Corner
The aftermath of the tragic events of September 11, 2001 leaves little doubt that air travel security must be changed to prevent future recurrences of the horrific loss of life and property all have witnessed this week, and many have experienced directly. Our hearts at TISC grieve deeply for the families and friends who have lost loved ones. At a loss for what to do and how to continue "business as usual" at a time when nothing seems less meaningful, I've chosen to devote this issue to pondering the future of air travel security, and to offer comment.
As air travel resumes throughout the United States, security at airports is promised to be considerably more stringent. Listening to NPR as I returned from Network + Interop Atlanta to my home on September 13, I gathered from news reports and interviews that new security guidelines were to include:
While I applaud these efforts, I find the list lacking in several disturbing respects. Questions that nag all network and computer professionals tasked with implementing security immediately come to mindÖ
I can't imagine that no security policy being applied here, but all of the changes that have been reported by the media seem to be the kinds of reactive measures we too often see in firewall administration-close this port, remove this user group, install a proxy to inspect this content. I am hopeful that ongoing investigations will add to the list of countermeasures, but for now, I'd like to suggest an immediate policy review and identification of remedies for at least these two overlooked assets.
In the wake of a succession of hijackings wherein the cockpits of commercial planes were compromised, and pilots and cockpit crew were apparently overwhelmed and possibly killed or coerced, I have to ask why pilots and cockpit crews are not included among the assets to be protected, and why no measures are mentioned to improve the screening of individuals who may receive authorization to learn to fly commercial jets?
I honestly think that protection of crews and equipment in the form "ground controls", even when they include the escalated elimination of weapons that might be smuggled aboard a commercial jet, is like relying on NAT alone to protect a network from attacks. If inmates can fashion weapons from "whatever" material they might find in a prison, how can we be confident that fanatics with paramilitary training aren't capable of the same? In a serious security review, this countermeasure should be considered necessary but not sufficient.
Once airborne, the cockpit crew becomes the most obvious asset to a commercial airline. Without them, passengers and equipment are in dire jeopardy. Protecting them thus becomes a priority.
While the heinous acts of September 11 were not the result of masqueraded credentials, I would like to see an appreciable increase in the screening and credentialing of airline crew members. I would like to see considerable efforts taken to protect airborne cockpit crews. Having Federal Air Marshalls protect the cockpit door on every flight is much more appealing to me than having them disguised and randomly seated among passengers on select flights. I would also be greatly comforted if cockpits were physically secured so that, once airborne, access from the passenger compartment would be measurably difficult. Forced entry should engage an alarm and response system on the jet as well as at ground monitoring stations.
Attackers with piloting skills likely acquired or improved from U.S. training altered the courses of the largest commercial jets, redirected the jets towards predetermined targets, and used these and their fuel to destroy thousands of lives, billions of dollars of property, and to inflict humiliation, grief, and outrage upon millions and millions of Americans. I cannot help but believe in the wake of such disasters that we need to impose more stringent screening and credentialing for individuals before they are allowed in jumbo jet simulators or advanced flight training schools in the United States.
To some, this may appear to fly in the face of rights guaranteed in our Constitution. I can't disagree more. Our forefathers couldn't have conceived of situations like this. I truly believe that September 11 will force us to be more careful to distinguish privileges from wonts and entitlements.
The security measures I've suggested will certainly be costly and inconvenient. Some might say they've been proposed in the heat of emotion and sorrow, and that separation from the event and more data will help to arrive at more cost effective countermeasures to terrorism. What could be more costly than repeat events wherein 5000 lives might be lost and an additional twenty to forty billion dollars of property are destroyed? Convenience? My close friend Fred Avolio reminds me of a statement originally made by Bill Stout on the firewalls mailing list back in 1999: Fast is what airline travelers want when passing through airport security, secure is what they want when they tumble through the air after their plane blows up.
Life is precious. I'll forsake convenience and pay more so that I might never see the horror and experience this sort of national grief again.
© 2001 - 2006 Core Competence & Mactivity, Inc.