TSA bans security expert from telling Congress about its faults

Widely respected security guru Bruce Schneier un-invited to oversight committee hearing

There are a lot of consultants, experts, pundits, commentators, researchers, analysts, technologists and yahoos providing information, analysis and recommendations about digital security. It's a growth industry that offers plenty of opportunities for exposure and profit for those who can sound as if they know what they're talking about.

If you're looking for reliable information or advice, you have to look carefully at what each of these potential guides is saying or writing, not just what they seem to be saying or writing. More even than in most areas of IT, answers that seem to be useful or accurate tend to warp into something different when they're pressed closer to the facts. Or the hackers.

Not so the advice of Bruce Schneier, consultant, author and subject of a Chuck-Norris-parody meme ("When Bruce Schneier was a kid he would talk to his friends across the yard using tin cans connected by a string. The messages on that string were 4096-bit RSA encrypted." "The universe exists because Bruce needed a reference platform." "Bruce Schneier expects the Spanish Inquisition.")

Schneier regularly commits the business-consultant-heresy of talking about topics that can be incredibly arcane in language understandable even to those who don't spend Saturday nights on IRC arguing which Ubuntu distro rocks hardest.

He often commits the security-consultant heresy of downplaying security threats simply because he considers them far less a threat than cyberattack hysterics would suggest (the danger from identity theft is "vastly overrated).

He also sometimes points out the kind of political and social issues most security honchos in government or military organizations prefer not to talk much about. Like "the long-range security threat of unchecked presidential power," why universal surveillance and data mining won't protect us from terrorists and "why computer security is fundamentally an economic problem."

Just to point out the obvious: there are points in there guaranteed to piss off every major source of revenue for security consultants, from elected officials to the military to computer vendors to users.

He's still in business and still counts members of all those constituencies as active parts of his audience.

Not impressed that Schneier not only knows what he's talking about and can boil a big complex topic down to the things important enough to worry about and explain them in ways his audience can actually use? You try to write a book called "Applied Cryptography" and make it a bestseller.

Schneier talks as well as writes. He talks to reporters, speaks at conferences and is one of the few IT consultants whose recorded interviews and speeches draw traffic after the event is finished and the A/V is posted.

This week Schneier was scheduled to testify at a House oversight committee meeting about the TSA, it's full-body scanner/x-ray systems, identity cards for airline workers and some other efforts by TSA to look useful at times other than when it's frisking grandmothers for contraband.

Schneier doesn’t like the TSA's full-body scanner. He's said it is ineffective, misleading and that it is used in ways that are undignified and sometimes dangerous to passengers being scanned.

He is involved, along with the Electronic Privacy Information Center (EPIC) in a lawsuit to get the TSA to stop using body scanners.

If I sat on the House Committee on Oversight and Government Reform, which is responsible for reality checking the TSA's policies and minimizing its abuses, I would want someone who understood the reality and the effect of those policies and would be willing to say what they are.

I would especially want that if all the other people testifying were more or less on the side of the TSA or in its employ.

Instead, the committee just nodded when the TSA demanded Schneier be removed from the witness list because of his involvement with the EPIC lawsuit.

Conflict of interest is a legitimate reason for concern. Being in the middle of a lawsuit against the agency about which you're testifying is a pretty clear indication of bias.

The committee hearing is not an open session of Congress, though. It's not a trial or an election or expert testimony in a hearing designed to gather information for further debate.

It's an oversight committee whose job it is to listen to criticisms of the agency, examine evidence that it's doing its job well or badly and punish or praise it accordingly.

In that case, if the lawsuit and Schneier's previous criticisms were noted ahead of time, he would be in the position of offering criticism to the only body in a position to do anything about it, or even question TSA about any of the questions Schneier raised.

Instead they caved, allowing the TSA to remove an unfriendly witness for a reason that looks valid on first glance but which a second look makes clear is empty and deceptive.

"It's pretty clear that the TSA is afraid of public testimony on the topic, and especially of being challenged in front of Congress," Schneier wrote on his blog about the incident. "They want to control the story, and it's easier for them to do that if I'm not sitting next to them pointing out all the holes in their position. Unfortunately, the committee went along with them. (They tried to pull the same thing last year and it failed -- video at the 10:50 mark.)"

In a long, erudite discussion on Ycombinator, security specialists, security wannabes and TSA grope victims mostly backed Schneier.

Odds are that so would the half of Americans who oppose the X-ray scanners the TSA insists on using despite potential health risks and residents of Orlando, whose airport just fired TSA to replace it with private security at higher cost.

Having Schneier testify would almost certainly please Senators angry that TSA replied to their request for better studies on the effect of TSA X-Ray machine health risks by reposting older radiation studies that didn't answer the question in the first place.

Some of the questions Schneier (and the Senate) wants TSA to answer come from a video from anti-TSA blogger John Corbett, who scored a popular hit with a video of himself sneaking metal parts through a TSA X-Ray screener, on which they showed up as the same color as his clothes, making them effectively invisible.

Who would be on TSA's side? Maybe travelling brides, happy that TSA would now allow wedding dresses to be brought on board as carryon luggage, or manufacturers, resellers and installers of the 1,800 full-body scanners TSA is deploying at a cost of $170,000 apiece, despite their evident weaknesses.

Who else?

It's hard to say. Security generally improves when it's tested, questioned or otherwise vetted so inevitable holes can be found and plugged.

That's why software vendors offer bounties to researchers who find security holes in their products before hackers do.

It's why organizations that take security seriously often test with "red teams" who attack their own facility to try to find weaknesses real enemies might otherwise exploit.

It's why the Constitution puts term limits on elected officials and put them in charge of the bureaucracies that actually implement the laws Congress enacts.

Every security plan needs to be tested; every authority needs oversight to make sure its decisions are well supported, its policies are fair and legal and that every time its staff lays hands on citizens it does so in ways that are not at all like sexual assault.

It's unlikely Schneier could raise enough questions to get the TSA to provide solid answers it has so far refused to offer even to the Senate.

Given the number of both security experts and ordinary travelers complaining that TSA is rude, abusive, wasteful and ineffective, as well as its apparent determination to toss critical questions in the same junk bins in which it throws nail clippers, containers with more than 3 ounces of liquid and, until recently, wedding dresses, and I wonder: With the huge chorus of opponents already singing at the top of their voice, how much more damage would there be from just one more?

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon