Marcus Ranum wrote
response to bitter failure, in any area of endeavour,
is to try the same thing that didn't work -- only harder."
It seems that this often applies to the entire security field, not just IT.
Here's a timely example.
There have been calls, in the wake of April's bombing at the Boston
Marathon, for increased surveillance of Americans -- already, arguably,
the most-surveilled and most spied-on citizens on the planet, to such an
extent that ex-Stasi staff are likely envious. In particular, there
have been calls for mass (camera) surveillance from
police department officials in Boston and New York City.
These recommendations clearly raise serious issues about
privacy and the Constitution
and the values we hold as a society. Others have written about those
issues more eloquently than I can. But let me break from their approach and
point out something on a much more pragmatic level:
It didn't work.
Let me ask you to consider for a moment the Boston Marathon and all
the video/still cameras that were focused on it, the ones whose images
were in front of the nation nonstop for days. Anyone who's run in or
been to a major distance running event knows that there are cameras everywhere.
There are race operation cameras at the start and finish.
There are TV news cameras, all over the course -- some fixed, some mobile.
There are family/friends of runners and other spectators,
concentrated at the start and finish,
but scattered everywhere along the course, and nearly
all of them have cameras.
There are official and unofficial
race photographers in multiple locations who try to grab still
shots of every runner and then offer them for sale afterwards.
There are even some runners wearing cameras from time to time.
And then of course
there are all the now-ubiquitous cameras on
stores, banks, parking garages, traffic
signs, and on all kinds of other structures along the way.
We don't know why those responsible for the attack
in Boston did it; but what we do know is that the attack required a modicum
of planning and intelligence: they weren't entirely stupid.
I submit that there is no possible
way that they did not know that the finish area of a major marathon is
one of the most heavily-photographed areas of the planet on the day of
the event. Yet they not only selected it as their target, they made no
attempt at all to evade the massive number of lenses focused on it.
Thousands of cameras equated to zero deterrent value.
Yes, those cameras certainly helped identify and locate the suspects:
but that is cold consolation to those who lost life and limb, because
they didn't actually prevent the attack.
The prosecution of Dzhokhar Tsarnaev, while it might yield some
answers to troubling questions, is not going to help local runner
Carol Downing's daughters
(Nicole Gross suffered two broken legs; Erika Brannock lost
part of one of hers)
recover and rehab and go on with their lives.
A thousand more, ten thousand more, a hundred thousand more
cameras would not help: cameras have no
deterrent value to people who are prepared to die and/or
don't care if they're identified.
There also remains the distinct, disturbing possibility
that the attackers chose the location because they
knew it was so thoroughly covered with cameras. An attack like this
is clearly directed at those present, but if its real purpose is, as
Bruce Schneier observes,
to attack the minds of hundreds
of millions elsewhere, then it can only reach its targets if the
event is heavily documented and widely disseminated.
To put that point another way: it's entirely possible that adding cameras
to a particular location will decrease public safety -- because
it may make that location more attractive to those who want to make
certain their attacks are captured on video and, of course, dutifully
replayed in slow-motion thousands of times
by 24x7 news networks with many hours
of airtime to fill.
This brings up another disturbing point: how is it possible
that senior law enforcement officials don't
recognize such an obvious, major security failure when it's right in front
of them? How can they possibly not grasp the simple concept
that if a thousand cameras failed to stop the Boston Marathon attack,
ten thousand cameras will fail to stop the next one, and might
even influence the attackers' choice of location?
The answer is thus not to add still more cameras: the answer is to
refuse to give in.
Terrorism doesn't work if its targets -- you, me, and
everyone else -- decline to be terrorized.
Runners have already responded: all over
the country, many of those who have never even thought of trying to qualify for
Boston started training for the Boston Marathon 2014 the next morning.
(If there wasn't a qualifying standard for the race, they would probably
receive a quarter million entries next year.)
The One Fund
are being organized at races all over the country;
and there is a common banner that will be at all of them:
"Run if you can; walk if you must; but finish for Boston".
That's how you fight terrorism: you simply refuse to yield to it.
You don't need more cameras, more wiretaps, more spying, more databases,
more secrets, more intrusion. You don't need to declare the Constitution
NYC Mayor Bloomberg would like to do.
You don't need to cower in fear or to give in to paranoia.
And you certainly don't need to redouble your efforts toward an
approach that's already been demonstrated not to work.
You only need courage. What kind of courage? This kind:
Erika Brannock is the official starter for this Saturday's Baltimore Marathon.