There is much in Bruce Schneier's article that can be disagreed with, but still it's an interesting viewpoint.
Beyond Security Theater
By Bruce Schneier
Chief Security Technology Officer, BT
For full article see http://www.schneier.com/crypto-gram-0911.html
Terrorism is rare, far rarer than many people think. It's rare because very few people want to commit acts of terrorism, and executing a terrorist plot is much harder than television makes it appear. The best defenses against terrorism are largely invisible: investigation, intelligence, and emergency response. But even these are less effective at keeping us safe than our social and political policies, both at home and abroad. However, our elected leaders don't think this way: they are far more likely to implement security theater against movie-plot threats.
A movie-plot threat is an overly specific attack scenario. Whether it's terrorists with crop dusters, terrorists contaminating the milk supply, or terrorists attacking the Olympics, specific stories affect our emotions more intensely than mere data does. Stories are what we fear. It's not just hypothetical stories: terrorists flying planes into buildings, terrorists with bombs in their shoes or in their water bottles, and terrorists with guns and bombs waging a co-ordinated attack against a city are even scarier movie-plot threats because they actually happened.
Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security. An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security, but it looks like security to have a uniformed guard-for-hire looking at ID cards. Airport-security examples include the National Guard troops stationed at US airports in the months after 9/11 -- their guns had no bullets. It's impossible to defend every place against everything, and it's impossible to predict which tactic and target terrorists will try next.
Security is both a feeling and a reality. The propensity for security theater comes from the interplay between the public and its leaders. When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn't make any sense.
Often, this "something" is directly related to the details of a recent event: we confiscate liquids, screen shoes, and ban box cutters on airplanes. But it's not the target and tactics of the last attack that are important, but the next attack. These measures are only effective if we happen to guess what the next terrorists are planning. If we spend billions defending our rail systems, and the terrorists bomb a shopping mall instead, we've wasted our money. If we concentrate airport security on screening shoes and confiscating liquids, and the terrorists hide explosives in their brassieres and use solids, we've wasted our money. Terrorists don't care what they blow up and it shouldn't be our goal merely to force the terrorists to make a minor change in their tactics or targets.
Any terrorist attack is a series of events: something like planning, recruiting, funding, practicing, executing, aftermath. Our most effective defenses are at the beginning and end of that process -- intelligence, investigation, and emergency response -- and least effective when they require us to guess the plot correctly. By intelligence and investigation, I don't mean the broad data-mining or eavesdropping systems that have been proposed and in some cases implemented -- those are also movie-plot stories without much basis in actual effectiveness -- but instead the traditional "follow the evidence" type of investigation that has worked for decades.
Unfortunately for politicians, the security measures that work are largely invisible. Such measures include enhancing the intelligence-gathering abilities of the secret services, hiring cultural experts and Arabic translators, building bridges with Islamic communities both nationally and internationally, funding police capabilities -- both investigative arms to prevent terrorist attacks, and emergency communications systems for after attacks occur -- and arresting terrorist plotters without media fanfare. They do not include expansive new police or spying laws. Our police don't need any new laws to deal with terrorism; rather, they need apolitical funding. These security measures don't make good television, and they don't help, come re-election time. But they work, addressing the reality of security instead of the feeling.
We should treat terrorists like common criminals and give them all the benefits of true and open justice -- not merely because it demonstrates our indomitability, but because it makes us all safer. Once a society starts circumventing its own laws, the risks to its future stability are much greater than terrorism. Supporting real security even though it's invisible, and demonstrating indomitability even though fear is more politically expedient, requires real courage. Demagoguery is easy. What we need is leaders willing both to do what's right and to speak the truth.
Today, we can project indomitability by rolling back all the fear-based post-9/11 security measures. Our leaders have lost credibility; getting it back requires a decrease in hyperbole. Ditch the invasive mass surveillance systems and new police state-like powers. Return airport security to pre-9/11 levels. Remove swagger from our foreign policies. Show the world that our legal system is up to the challenge of terrorism. Stop telling people to report all suspicious activity; it does little but make us suspicious of each other, increasing both fear and helplessness.
So many people are surprised that there have been so few attacks in Western cities since 9/11. Certainly intelligence and investigation successes have made it harder, but mostly it's because terrorist attacks are actually hard. It's hard to find willing recruits, to co-ordinate plans, and to execute those plans -- and it's easy to make mistakes.
Counterterrorism is also hard, especially when we're psychologically prone to muck it up. Since 9/11, we've embarked on strategies of defending specific targets against specific tactics, overreacting to every terrorist video, stoking fear, demonizing ethnic groups, and treating the terrorists as if they were legitimate military opponents who could actually destroy a country or a way of life -- all of this plays into the hands of terrorists. We'd do much better by leveraging the inherent strengths of our modern democracies and the natural advantages we have over the terrorists: our adaptability and survivability, our international network of laws and law enforcement, and the freedoms and liberties that make our society so enviable. The way we live is open enough to make terrorists rare; we are observant enough to prevent most of the terrorist plots that exist, and indomitable enough to survive the even fewer terrorist plots that actually succeed. We don't need to pretend otherwise.