Wednesday, June 18, 2008

Why "Security Theater" Is Always Standing Room Only

The venerable Bruce Schneier is widely credited with coining the term "Security Theater". Many of you have had the pleasure of experiencing this show of shows in your everyday lives. This is the person at the checkout counter who asks to see your driver's license when you use a credit card, glances at it, and lets you through. I have pointed out to more than one cashier that my name on my credit card does not match the name on my license, just to see what the reaction would be. Most of the time it is something like "We just have to ask to see it."

Other examples are not nearly as innocuous. Our company has been asked, on more than one occasion, to implement a security chip on a system at the lowest possible cost, and then generate a report for upper-level management which would lead them to believe that the system is far more secure than the truth would indicate. We, of course, are happy to implement any chip they want. What we will not do is generate a misleading report. In theater lingo it goes something like this: We will build the set, but we will not write the script.

As security consultants, our reputation hinges on the fact that we will not pander to this mentality. It has forced us to walk away from many business deals. What is perhaps the most alarming outcome of our actions is that someone else is inevitably given the job who is more than happy to direct and produce the theatrical production. Perhaps most importantly, technology companies who make claims that their products are secure are NOT HELD LIABLE for failing to deliver on the promise. Just try to sue a company who makes a security tool or appliance that fails, allowing a hacker to get through. Your time (and money) would be better spent trying to get the Middle East to live in peace.

The time and money an organization needs to invest in creating a fantastic "Security Theater" production is absolutely trivial compared to the massive amounts of money collected from unsuspecting theater attendees. What is perhaps the most alarming nuance of all is that once the public finds out that all is not as it appears in the grand production, the organization (or "Theater Company") merely has to create another episode of "Security Theater", perhaps this time bigger, brighter, and throw in some free popcorn (i.e. "Two years of free updates."). Crowds are guaranteed to come in droves.

The late PT Barnum would be so proud.