Peter Cochrane's Blog: Blind security

Focus and automate to lift detection rates...

Written in an Edinburgh hotel and dispatched via a free wi-fi service

Recently I've been flying in and out of the UK on a variety of international carriers including some of the so-called low-cost airlines. Airport procedures have been more or less the same - except at London Stansted which excels in exacerbating all forms of traveller misery.

Standing in the security snake I marvel at the calmness and patience of passengers. In particular, I watch the reaction of those passing through the UK who suddenly discover that, unlike elsewhere on the planet, passengers are limited to one bag of hand luggage each. Their fortitude amazes me.

Weary and disoriented, having already passed through all the US security checks eight hours earlier, they have to deal with the irrationality of flying into the UK with two bags only to be told that even on a flight transfer across the airport, they can only carry one.

Worse, the dimensions of the one permitted bag are smaller than anything a self-respecting American would carry. At this point the fun starts - and very often it isn't a pretty sight.

There is only one question to ask: does the UK, one-bag limit improve security? I think not. Since 9/11 many independent tests have shown the size or number of bags makes no difference. The determined can still get through if they are sufficiently cunning.

I have been testing security systems for decades and in my view airport systems are no better or worse than any other that employ humans as the primary agents. And the basic reason is that being vigilant is very hard work.

Since 9/11, only two airports have discovered one of the dozen or so illegitimate test items I deliberately carry. In Austin Texas they confiscated an item with plenty of ballyhoo, while in Paris the French decided I didn't look like a terrorist and gave me back the same item.

At London Stansted security staff became completely diverted by a bottle of shampoo and a few other items because they weren't in the regulation plastic bag and totally missed all my test items.

The really farcical nature of all this is after passing through security at most airports I find it so easy to buy as many bags as I like, many of which bust the UK regulation size, and bottles of whisky and other potential weapons.

Browsing the shelves of the pharmacies on the concourse of airports I often find an assortment of really useful items that would be handy for anyone suddenly deciding to cross over to the dark side.

The fortunate truth is the vast majority of people on this planet are good and well intentioned and airport security systems are not 100 per cent overt.

Of course, the security snake is just one aspect and the reality is security starts much earlier in the day and observation and testing is continual. But it would be good to think we were heading towards a system that was far more reliable, less fallible and less people-based.

My most recent security revelation has been garnered from travelling on the same low-cost airline several times with a clear view of the cockpit door. Each time a hostess or member of the flight crew entered the flight deck I could see the key code used and could therefore have gained entry with ease.

Who designed the system with a keypad in passenger gaze and who briefed the crew to stand back so fingers and keys are visible? Don't these people ever use an ATM?

Some decades ago I formulated the following security laws, which still seem to hold true today:

  1. Resources are deployed in inverse proportion to actual risk.

  2. Perceived risk never equals actual risk.

  3. Security people are never their own customer.

  4. Cracking systems is 100 times more fun than defending them.

  5. Security standards are an oxymoron.

  6. There is always a threat.

  7. The biggest threat is always in a direction you're not looking.

  8. You need two security departments - one to defend and one to attack.

  9. People expect 100 per cent electronic security.

  10. Nothing is 100 per cent secure.

  11. Security and operational requirements are mutually exclusive.

  12. Hackers are smarter than you - they are younger.

  13. Legislation is always more than X years behind.

  14. As life becomes faster and more chaotic, it automatically becomes less secure but the good news is that half-lives are getting shorter too.

  15. People are always the number one risk factor. Machines are perverse but they are not devious or vindictive - yet. /l>