Security vs. Security Theatre
After working in the field of biometric identity for almost a decade, I've learned some things about security in general. The first is that human beings are terrible at assessing risk.
We intuitively associate the familiar with safety and the unfamiliar with danger. This is why people will drive across the United States rather than fly, because driving feels safer, despite numerous studies showing that driving is more dangerous than flying. According to National Highway Traffic Safety Administration statistics, there are 5.75 fatalities per billion miles driven in cars and trucks versus 0.06 deaths per billion miles flown in commercial aircraft. But flying feels more dangerous because it's unfamiliar. Aviation crashes also tend to be catastrophic, which grabs media attention. Lastly, driving gives people a sense of control, which adds to the feeling of safety.
The second is that when faced with something dangerous, whether terrorists, hackers or industrial espionage, human beings vastly prefer doing something to doing nothing, even when doing nothing is the logical answer. When people are scared, they need to see something being done that makes them feel safe, even if it doesn't actually make anything better. Politicians know this better than anyone.
And so you get security theatre. The TSA is the most obvious example, but it's all around you if you care to look. A terrorist put a bomb in his shoe, and now all Americans have to remove their shoes before boarding an airplane. A large company gets hacked, and now you have to reset your password every three months under an overly complicated composition scheme that all but guarantees you will write it down. (NIST SP 800-63B has recommended against both mandatory periodic rotation and composition rules since 2017, precisely because they push people toward weaker, more predictable passwords.) These things don't make you safer, but they make you feel safer, and maybe that's the point.
Fighting terrorists or hackers or practically anything that's dangerous or difficult requires time and the investigations are tedious and mostly invisible. But that's how the real work gets done. Data is collected, sifted, analyzed, discussed and slowly the bad guy is caught. But that all happens long after the media has moved on to the next big thing and everyone has forgotten.
And that brings me to a letter from Senator Ron Wyden (D-Ore) to the Senate's Committee on Rules and Administration, which pointed out that Senate employees are using ID cards with a photo of a chip printed on them instead of actual PIV cards with an embedded chip. Problems with federal information security are not new. The Government Accountability Office has diligently reported problems, including the lack of two-factor authentication for critical federal systems. I assume they are working on it, but deploying new technology across an organization as large and slow as the federal government will never happen quickly. In the letter, Senator Wyden states:
By mid-2016, eighty percent of all agencies were using PIV cards to log into federal IT systems. Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and e-mail accounts. The Senate Sergeant at Arms does not require two-factor authentication for staff who wish to log into Senate IT systems from home, using a Virtual Private Network... Moreover, in contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip.
So this sounds really bad, right? These are people who have access to classified information and we know they are targets of cyber espionage.
But is it? A sticker next to your front door announcing that your house is protected by a video surveillance system is almost as good a deterrent as an actual video surveillance system: the potential thief just has to decide to move along to an easier target. The analogy only holds against an adversary who inspects the card in person, though. The logins the letter describes, e-mail and the VPN, are protected by a password alone and are attacked remotely, usually by phishing, and an attacker who never sees the card is neither helped by the missing chip nor stopped by the printed one. So, yes, they need to get their IT house sorted out, and a real second factor on those remote logins is the part that matters, but in the meantime a photo of a chip is better than nothing.