Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues:
While this may be terrifying on a number of levels, the situation becomes far more questionable with the release of a recent memo from the TSA in which such damaging and destructive actions are apparently ENCOURAGED. The memo clearly states that, “Aircraft operators are required to secure each unattended aircraft to make sure that people with bad intent cannot gain access to the planes. But during the inspection, TSA’s inspector was able to pull himself inside of an unattended aircraft by using a tube that was protruding from the side of the plane. TSA encourages its inspectors to look for and exploit vulnerabilities of this type.”
There are a couple of things I want to say about this. The first is that TSA seems to be orienting their “inspectors” towards the idea that no indignity or stupidity is too large. This is a natural result of there being no accountability.
While it’s fun to rage at the TSA like this, I don’t want to be throwing stones from a glass house. In information security, we sometimes tend this way. Security risks are seen as accruing to the career of the CSO. Smart CSOs shift jobs often to avoid having the risk. (I forget who pointed this out, or I’d give credit.)
Implementing controls for a set of rare, high-impact risks is hard. TSA, DHS and the President ought to be telling Americans not to be scared, and to realize that these things may happen again, despite our best efforts. This was the lesson of societies including the UK, France, Germany and Japan, not to mention Israel.
Fortunately, in information security, we have lots of common risks to go after, if only we’d pay attention.