Saturday, November 17, 2007

On Schneier's notion of CYA Security

Here's a rather rambling bit of sketching out some thoughts:

Bruce Schneier says:

Since 9/11, we've spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective.
His explanation, in short:
much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.
which he refers to as CYA (cover your ass) security.

He gives numerous examples of this. Basically, it's safer for agencies to overreact to things that are out of the ordinary, because if something happens, they can at least appear to have been trying. Or to focus disproportionately on threats that are in the public consciousness (like what terrorists have tried in the past), even if these measures are ineffective, while ignoring threat possibilities that don't make the news as much, such as attacks against chemical plants. Or to focus on overly specific threats rather than on longer-term investment, e.g. more training in Arabic language skills.

There are two comments I want to make on his article.

First, this is another example of systems that have goals or purposes, where various constraints/inefficiencies impede the system's ability to meet those goals/purposes, as I spoke about recently. In fact, in that post I gave an example of a CYA-like force at work in the purchasing of enterprise software.

In this case, the system is held accountable by government/media/public who aren't necessarily that good at evaluating how well it has done its job, which sets up ineffective incentives/disincentives. We have to remember that when these agencies are considering which measures to take, they are making a cost/benefit analysis.

Moving on to the second comment.

Despite calling it Cover Your Ass security, he ends up giving the following explanation of its cause:
It happens not because the authorities involved -- the Boston police, the TSA, and so on -- are not competent, or not doing their job. It happens because there isn't sufficient national oversight, planning, and coordination.

People and organizations respond to incentives. We can't expect the Boston police, the TSA, the guy who runs security for the Oscars, or local public officials to balance their own security needs against the security of the nation. They're all going to respond to the particular incentives imposed from above. What we need is a coherent antiterrorism policy at the national level: one based on real threat assessments, instead of fear-mongering, re-election strategies, or pork-barrel politics.

Sadly, though, there might not be a solution. All the money is in fear-mongering, re-election strategies, and pork-barrel politics. And, like so many things, security follows the money.
That is, he ends up putting it down to insufficient national oversight, planning, and coordination.

I'm not sure I agree. I think he's closer to the mark with his Cover Your Ass moniker. That is, the problem is one of people needing to cover their asses, rather than an issue of coordination.

Except I don't like the term "Cover Your Ass" so much, because it makes it sound like the problem is with the agencies. I don't think they really have a choice. Edward de Bono coined the term 'ludency' to refer to situations where you're basically forced to play by the rules of the game, and even if you drop out, someone else will come in to take your place. So all you can really do is try to find some way of changing the rules.

I think the real culprit here is the way "the general population" attributes responsibility. Typically they want to find a single person to assign the responsibility to. If something good happened, that person gets all the praise; if something bad happened, they get all the blame, even if this is utterly unrepresentative of what actually went on.

There are various reasons why they do this: lack of information about the actual situation, but also it just seems like we're wired to do this, a quirk of our psychology.

Here are two of his examples that illustrate this:
CYA also explains the TSA's inability to take anyone off the no-fly list, no matter how innocent. No one is willing to risk his career on removing someone from the no-fly list who might -- no matter how remote the possibility -- turn out to be the next terrorist mastermind.

Another form of CYA security is the overly specific countermeasures we see during big events like the Olympics and the Oscars, or in protecting small towns. In all those cases, those in charge of the specific security don't dare return the money with a message "use this for more effective general countermeasures." If they were wrong and something happened, they'd lose their jobs.
Am I just saying this to assign my own blame to "the general population" for having this attitude? No. I think that to address this problem, we need to create greater awareness of the attitude. It seems so common for people to attribute responsibility poorly like this, and no one seems to blink an eye, so we need some consciousness-raising about it.

