The Joy of Security
Rough draft, STR, 20061112
Security is a state of balance, harmony, and sufficiency. Think of sitting at home, in a protected space, enjoying life with loved ones, without fear. Security gives a warm feeling, and provides support for all the joys of life. The risks in the environment are sufficiently mitigated or removed. You are free to play and work, to live life to its fullest.
In many persons' minds, security is associated with fear and force, the police, and large-scale systems like the military. The message of this essay is that security isn't really about guns, guards, and garrisons, or exhibitions of fear. It is a state of being, like happiness. that emerges. It emerges from attention to the outside world and positive protective action in life.
Security is a dynamic state in which the risks from threats in the environment are sufficiently mitigated. In this way, it is more like a warm jacket on a cold day than full body armor.
Sufficiency is everything in security. There is no sense living in a castle, fearfully withdrawn, or in an open filed, completely exposed. Security exists in the middle ground.
Security should never be driven by fear, though fear-mongers often try to set the security agenda. Attentiveness is security -- being aware of the environment, making balancing judgments between threats and countermeasures. In this way, security should align to reality. Beware of security theatrics based on appeals to fear, uncertainty, and doubt. When in doubt, evaluate risk dispassionately.
Security is a fundamental biological need, like eating, drinking, breathing, or sleep. If you don't eat, you starve; if you don't sleep, you become lethargic; if you're not secure, you could become a victim and suffer a loss. Security is part of Maslow's Heirarchy of Needs: all of life's joys and actualizations depend on it.
Seen as an integral part of life, security simplifies and releases. Unfortunately, security as currently practiced is often lifeless, associated with endless surveillance, the accumulation of weaponry, and the breach of liberty. Mind-numbing activities like watching intrusion detection systems, reviewing computer logs, configuring counter-measures. The ideas of "national" security predominate, along with a demonization of "the others", impulse to build physical walls and border barriers.
In fact, the large-scale mechanisms of "Big Security" are bound to fail. They are fixed, obvious, and easy for the small-scale attacker to bypass. The United States builds fences and walls along sections of the Mexican border with California, those crossing the border illegally go through neighboring Arizona instead. The Great Wall of China was a significant symbol of security, but it did not stop the Mongolian hordes. The Germans bypassed the Maginot Line through Belgium.
Tellingly, the instruments and agencies of Big Security in the US failed to stop the 9/11 attacks. US attempts to eliminate small-scale insurrections and insurgents in Iraq and Afghanistan fail. Local police can't stop local drug dealers. In computer security, Microsoft and other large corporations are thwarted in their attempts to eliminate computer viruses, spyware, and other forms of malware.
Big Security fails because it searches for a needle-in-the-haystack, the one-in-a-million terrorist.
Security is most effective at small-scale, when it belongs to individual persons and small teams, using simple techniques. The 9/11 attackers were able to defeat the large-scale Big Security systems -- only the passengers of Flight 93, by acting together, were able to thwart the attack vector. The ability of terrorists to take over a plane has been degraded since 2001, not so much by ostentatious and annoying airport security measures like banning drinks, but by the deterrence provided by airline passengers who can see and act against the takeover.
Every security attack requires a threat agent -- could be a terrorist, a virus writer, a criminal -- who plans an attack vector, the series of steps required to acquire the target. In the planning stages, the agent will consider and work around known, fixed, and large security systems that are operated by fixed rules. Individual persons introduce all kinds of unpredictability into any security scenario: during a bank robbery, will the customers lay down when told? Will computer users click on the spam link? Will the home owners return during a burglary?
Attacks are often thwarted by the simplest devices -- door locks, alarms, network firewalls, data encryption -- that are widely deployed
Rather than thinking of security in terms of fear, restrictions, prohibitions, fixed rules, and predictable large-scale systems, think of it in terms of attentiveness, actualization, unpredictability, small systems and individual actors. Multiplicity provides defense in depth.
Take responsibility for security yourself. Minimize your dependence on externalities. The police are vastly outnumbered by criminals: they deter crime but cannot prevent it. Be attentive at home, at work, and while traveling. Beware of security theater, and the risks of a false sense of security.
Take positive protective action in your own life. Defend your own privacy. Refuse to give out personal information unless its required by law or there's a payback for you. Be mindful of surveillance systems that collect information against you that could be used by an attacker. Avoid commercial tracking systems, affinity cards, automated toll collection, junk mail, and junk phone calls. Pay to have your phone number unlisted. Use cash for routine transaction like buying food or fuel.
Develop emergency plans with your loved ones -- how do you get in touch in an emergency?
What if the phones are down? What if you need evacuate -- what is your planned evacuation route?
Imagine an event significant enough to force evacuation. You are separated from loved ones, but you have a plan in place: escape along a preestablished route with set rendez-vous points. Stock emergency supplies in your home and in your vehicle.
Learn the basics of how to manage your information assets. Given the Windows operating system is highly vulnerable, consider switching to a more secure system like the Macintosh. If you must run Windows, consider running the Firefox browser rather than the problematic Internet Explorer program by Microsoft. Restrict access to your home network, especially if it's wireless.
Don't always obey authority. Often when authority says "Don't Panic", that's when you should start to panic. Remain attentive and make your own judgments. If your on an airplance and notice someone lighting his shoe, alert other passengers and jump on him as determined passengers did with Richard Reid, a terrorist who had explosives in his shoe.
Beware of anyone who appeals to fear and recitations of authority. President Bush told the world that the US had to invade Iraq because of intelligence about Weapons of Mass Destruction. The war in Iraq has been expensive in terms of dollars and lives lost -- arguably a bad use of security resources.
If you manage security for others, cultivate whimsy. Change the patterns of patrols. Let security personnel dress like others. From a military perspective, think of special forces like those US soldiers in Afghanistan dressed like locals on horseback, blending in rather than explicitly occupying.
When securing an organization, use a large collection of small measures: set perimeter systems like simple on/off firewalls and building access controls.