On Christmas day 2009, Al-Qaeda in the Arabian Peninsula sent Umar Farouk Abdulmutallab on a flight from Amsterdam to Detroit with a non-metallic IED hidden in his underwear. The terrorists knew in advance that there was no detection of non-metallic bombs in most airport security protocols and regimens in use at the time. We know that they discovered this vulnerability through extensive online research. They also conducted multiple scouting missions to probe and test for vulnerabilities at specific facilities using specific screening methods. It was a sophisticated intelligence-gathering operation. It was fortunate that more people (besides Abdulmutallab himself) were not injured as a result.
This is an extreme example. Other, more common security risks arise every day because of publicly available information. A simple web search reveals how to disable home alarm systems from the outside, or which potentially dangerous objects can pass unnoticed through a metal detector. Wireless security systems are required to list the frequencies they broadcast on, making them vulnerable to jamming.
The need to provide transparency about the technology used to keep bad actors from getting into venues without helping potential attackers is a fundamental paradox of the security industry. On the one hand, we in the security industry want the public to feel confident that they are safe by demonstrating the efficacy of our technologies, protocols and processes. On the other, if we demonstrate too much — open the curtain too far — people looking to cause harm can use that information to look and test for vulnerabilities.
Government Standards on Transparency
In order to keep bad actors from finding loopholes in airport security, there is a very well-recognized and understood policy around transparency. Essentially, there is no transparency — at least regarding the public release of technical details. Specifications are legally classified by the Transportation Security Administration (TSA) in the U.S. and the European Civil Aviation Conference (ECAC) in the E.U. That specific information is called sensitive security information, and it’s held very closely — to keep bad actors out.
Outside of government, the standards aren’t as clearly defined, but the basic requirement stands. Security personnel must keep sensitive security information away from anybody who might use those details to exploit or attempt to penetrate a physical security system. After all, the goal is to keep everyone safe.
Like it or not, bad actors are always searching for security weaknesses to steal, cause chaos or willfully harm people. The risks in providing total transparency for security systems and protocols are very real.
Commercial Obligation for Transparency
As screening technologies become the norm in venues across the U.S., transparency in business is important to establish trust between corporations and consumers. Individuals are increasingly concerned about their privacy. They want to know how data gathered through video footage, facial recognition software or entry logs is stored and used. They may want to avoid an event if a physical search is required to enter.
The distrust of institutions has increased globally. The 2022 Edelman Trust Barometer showed that across the world, 63% of people believe that business leaders are actively lying to them. This is a huge problem for companies asking other organizations to invest significant amounts of money in security systems and personnel. Relationships and trust directly affect sales, public perception, and the ability to retain loyal customers.
Of course, customers must know what they are buying to ensure it will suit their needs. And individuals impacted by physical security installations are entitled to a certain amount of information about what they are walking into. Security providers must balance these needs with the obligation to keep details secure for the sake of existing customers and the general public.
Commercial Standards and Public Responsibility
For security screening businesses selling commercially, absolute transparency must be off the table. So how can we, as an industry, cultivate a measure of trust, both with the customers we serve and the public we are trying to help protect?
Moving into the future, we need a set of defined standards, similar to a government classification system, that corporations voluntarily follow to set up an honest, fair and safe marketplace. The responsibility to keep the public safe requires a delicate balance of maintaining transparency while keeping sensitive security information out of the hands of adversaries.
To begin with, access to the type of information that could potentially help bypass security measures should be restricted, even within the company that develops it, to those who need to know. This has to be a conversation between manufacturers, vendors, customers and their security teams. If one part of the chain is publishing information they should not be, it impacts everyone.
That said, transparency is an important value that should not be disregarded. Security professionals can maintain a level of trust between themselves, their customers and the public without releasing information that could potentially cause harm. General information about how the technology guards against bad actors can be part of a broader discussion with the public that gives people confidence that you have their best interests at heart.
Responsible transparency and public responsibility can co-exist — providers who are judicious with the details but generous in sharing both their reasoning and intent can pave the way for a set of standards that serve the goals of security professionals and the public they are working to keep safe.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine.