A ‘Belli Portae’ for the Transportation Security Administration (TSA)

Last Updated on Friday, 1 January 2009 03:42 Written by Jeffreycarr Friday, 1 January 2009 03:39

During ancient times, there was a temple inside the Roman Forum called Ianus Geminus or Belli Portae which had two gates on opposing walls. These gates were kept open during wartime, and closed during peacetime (a rare occurence). Inside the temple, priests would perform rituals mean’t to forecast the outcome of Rome’s military adventures.You can probably tell by the name that it was dedicated to the god Janus. The two gates facing in opposite directions symbolized Janus’ ability to look into the future as well as the past; a lesson that TSA would do well to learn.

The Transportation Security Administration seems to be an early adopter of a popular cyber security strategy known as “Offense informs Defense”. Here’s how Allan Paller defined it in June, 2009:

(O)rganizations should prioritize their security investments on actions that can be proven to block known or expected attacks, or that directly help identify and mitigate damage from attacks that get past the defense.

I didn’t care for this strategy when I first saw it applied in 20 Critical Security Controls because it focused exclusively on known threats. I sent an email to The Gillian Group during the public comment period expressing my concern that this strategy excluded modes of attack that we haven’t seen yet but that were sure to be developed. The reply I received said simply that future attacks were beyond the scope of the commission’s work and that they were concerned only with defending against known attack vectors.

I didn’t think about it again until the NWA 253 incident on December 25th. Then it struck me how ludicrous Offense Informs Defense becomes when it’s applied to anything other than cyber security where a reasonable case can and has been made for its adoption. While TSA doesn’t use this terminology, its own backward looking security measures are precisely that. TSA defends against known attacks and seems to be helpless against anything new. This cannot be defended nor sustained, and it certainly should not be tolerated by taxpayers. History is rife with examples of a powerful army using traditional tactics being defeated by a weaker force who is adaptable and innovative.

In fact, the entire U.S. model of airport security needs to be re-examined, perhaps with an eye towards adopting the Israeli method, or at the very least, we need to introduce “Security by Uncertainty” (as terrorists’ uncertainty about airport security measures increases, we become more secure).

Most importantly, TSA needs to emulate the two-headed god Janus in not only looking at what has happened in the past but also anticipating and planning defenses against the new threats that are sure to come.