|
Security guru Bruce Schneier coined the term “Security Theater” to describe phony security measures, procedures, or technologies that give the superficial appearance of providing security without actually countering malicious adversaries to any significant degree. As an example, much of the activities undertaken by airport screeners have been characterized by some as little more than Security Theater.
As vulnerability assessors, we frequently find Security Theater across a wide range of different physical security and nuclear safeguards devices, systems and programs. It’s important to realize, however, that Security Theater is not automatically a bad thing. It can present the appearance (false though it may be) of a hardened target to potential adversaries, thus potentially discouraging an attack (at least for a while). Security Theater can reassure the public while more effective measures are under development, and help encourage employees and the public to stay focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get inspectors inside nuclear facilities where their informal observations and interactions with host facility personnel can be of great value to disarmament, nonproliferation and international cooperation.
The real problem occurs when Security Theater is not ultimately recognized as such by security officials or the public, or creates cynicism about security, or stands in the way of Real Security, or wastes resources and energy, or is actually preferred over Real Security (because it is usually easier and less painful).
Security Theater and the Real Thing
The best way to determine if a given security technology, measure or program (STMP) is primarily Security Theater is to conduct comprehensive vulnerability assessments and threat assessments to determine how easily the STMP can be defeated, and what threats and attacks it might have to stand up to. But this can be time consuming and expensive.
In our experience, STMPs that eventually prove to be very easy to defeat and/or not particularly effective – to the point of being Security Theater – almost always exhibit certain common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even before beginning the vulnerability assessment.
As a public service, we offer the following survey that you can take to determine how likely it is that your security technology, measure, or program (STMP) is Security Theater. This survey is about as scientific as a “how’s your love life?” survey in a teen magazine, but we think it may nevertheless have some value. The survey questions being asked, along with our comments associated with some of the questions, can at least help suggest warning signs and countermeasures for Security Theater.
Add up your total points for all 33 survey questions and then see the interpretation for your score below. (If you’re between two choices on any question, split the difference on the points.)
1. Is the security application quite complex and/or challenging?
o A lot 2 points
o A little 1 point
o Not at All 0 points
2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace?
o Yes 2 points
o No 0 points
3. Has substantial time, funding and political capital already been spent developing, promoting, or analyzing the security technology, measure, or program (STMP)?
o Yes 2 points
o No 0 points
4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from bureaucrats, a committee, or senior non-security managers?
o Yes 2 points
o No 0 points
5. Is there considerable excitement, exuberance, pride, ego and/or strong emotions associated with the proposed (or fielded) STMP?
o A lot 5 points
o A little 3 points
o Not at All 0 points
6. Is the STMP viewed with great confidence, arrogance and/or characterized as “impossible to defeat,” “tamper proof,” etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters and end users of a given security approach or product have carefully considered the real-world security issues, they will not be in such a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.)
o A lot 5 points
o A little 3 points
o Not at All 0 points
7. Does the STMP in question have a feel good “aura” or make people quite comfortable with their security risk? (In general, Real Security doesn’t make people feel better, it makes them feel worse. This is because it is almost always more expensive, time-consuming and painful than Security Theater. Moreover, when security is carefully thought-through – as Real Security must be – the difficulty of the task, the unknowns and the knowledge of the unmitigated vulnerabilities will cause alarm. If you’re not running scared, you probably have bad security or a bad security product.)
o A lot 6 points
o A little 3 points
o Not at All 0 points
8. Do the promoters and developers of the technology or the STMP earnestly – even desperately – want it to solve the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can sometimes lead to wishful thinking.)
o A lot 3 points
o A little 1 point
o Not at All 0 points
9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates via careful analysis?
o A lot 3 points
o A little 1 point
o Not at All 0 points
10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial, psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly enthusiastic/optimistic?
o Yes 3 points
o No 0 points
11. Do the people developing or promoting the STMP have significant real-world security experience (not just experience as bureaucrats or experience developing security technology)?
o Yes 0 points
o No 3 points
12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn’t like, or have they ever found fault with their own security or (publicly) with their employer?
o Yes 0 points
o No 2 points
13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat, or less than astute, and/or did they get most of their information about STMP from promoters and vendors?
o Yes 2 points
o No 0 points
14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security strategy?
oYes 0 points
o No 2 points
15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding of real-world security?
o Yes 2 points
o No 0 points
16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture and practices that make one good at engineering aren’t optimal for thinking like the bad guys.)
o Yes 3 points
o No 0 points
17. Does the STMP rely primarily on complexity, advanced technology, the latest technological “fad” and/or multiple layers? (High technology does not equal high security, and layered security isn’t always better.)
o A lot 3 points
o A little 1 point
o Not at All 0 points
18. Do the people using the STMP on the front lines substantially understand the technology or security strategy?
o Yes 0 points
o No 2 points
19. Are the use protocols, training materials and manuals for the STMP non-existent, vague, poorly written, or ill-conceived, and/or is the terminology sloppy or misleading?
o Yes 3 points
o No 0 points
20. Is the STMP complicated or difficult to use?
o Yes 2 points
o No 0 points
21. Was the STMP forced on the end users from superiors?
o Yes 2 points
o No 0 points
22. Have the end users of the STMP ever been consulted about it? (These are people who understand the real-world implementation issues, and are the ones who will have to make the STMP actually work.)
o A lot 0 points
o A little 1 point
o Not at All 2 points
23. Have vulnerability assessors, hacker types, devil’s advocates, question askers, or creative independent outsiders closely analyzed the STMP?
o No, Weren’t Allowed to 6 points
o No 4 points
o Yes 0 points
24. If anybody questioned/questions the efficacy of the STMP, or raises concerns were/are they (choose one)…
o Attacked Emotionally 7 points
o Attacked Unemotionally 4 points
o Ignored 2 points
o Vaguely Tolerated 1 point
o Listened to but Ignored 1 point
o Enthusiastically Listened to 0 points
25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the STMP has been completed or nearly completed? (At this point, it is usually too difficult to make necessary changes to improve the security for economic, political, timeliness, inertia, or psychological reasons).
o Yes, or Vulnerabilities Aren’t Considered at All 3 points
o No 0 points
26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without actually addressing the Achilles heel of the old STMP?
o A lot 3 points
o A little 1 point
o Not at All 0 points
27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical security?
o Yes 3 points
o No 0 points
28. Is the main tamper detection mechanism – if there even is one – a mechanical tamper switch, a light sensor, or an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.)
o Yes 2 points
o No 0 points
o There are no tamper detection mechanisms 3 points
29. Is the STMP directed against a specific, well-defined adversary with well-defined resources?
o Yes 0 points
o No 3 points
30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based security is a particularly pernicious type of Security Theater.)
o Yes 3 points
o No 0 points
31. Is deployment of the STMP really motivated more by a desire for control than for real security?
o Yes 2 points
o No 0 points
32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example, don’t bring thumb drives into the facility.)
o Yes 2 points
o No 0 points
33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes that can’t be duplicated? (“Security by Obscurity” doesn’t really work long-term because people and organizations can’t keep secrets. See Manning and Snowden.)
o A lot 4 points
o A little 2 points
o Not at All 0 points
Interpretation
Add up the total points for questions 1-33. If the sum is…
81-100 then:You have so much Theater going on that you ought to charge admission!
61-80 then:You’re pretty heavy into Security Theater, but there’s at least some Real Security.
41-60 then:This appears to be a mix of Security Theater and Real Security.
21-40 then:You apparently have more Real Security than Security Theater, but there’s still plenty of nonsense going on!
0-20 then:Good job! There’s likely still room for improvement but you’ve got serious security!
Countermeasures to Security Theater
Being alert for the presence of Security Theater, knowing its characteristic attributes and applying common sense countermeasures can go a long way towards avoiding it. This survey might be a useful tool to at least get you thinking about some of these issues.
The countermeasures for avoiding Security Theater are relatively straightforward, and some are not much different from countermeasures for groupthink and cognitive dissonance. Perform legitimate (not “rubber stamp”) vulnerability assessments and threat assessments early, often, and iteratively – not only after it is too late to make any changes. Focus on what the purpose is for the security technology/measure/program and on the adversary’s mindset and goals.
Early on, invite independent, skeptical and creative people to analyze your security. Appoint a devil’s advocate if necessary. Don’t let the enthusiasm for solving the security problems steamroll over the realities of the task. The people developing or promoting a given security technology/measure/program should not be the ones to decide whether to implement it.
Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and less painful than Real Security, and it takes a whole lot less thought.
Disclaimer
The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy.
About the Authors:
Roger G. Johnston, Ph.D., CPP, is Leader of the Vulnerability Assessment Team at Argonne National Laboratory. He was founder and head of the Vulnerability Assessment Team at Los Alamos National Laboratory from 1992 to 2007. Johnston has assisted more than 50 government and international agencies, private companies and NGOs. Jon S. Warner, Ph.D., is a Systems Engineer with the Vulnerability Assessment Team at Argonne National Laboratory. From 2002-2007 he served as a Technical Staff Member with the Vulnerability Assessment Team at Los Alamos National Laboratory. His research interests include vulnerability assessments, nuclear safeguards, physical tamper/intrusion detection and microprocessor and wireless applications.
