Eight Years After 9-11: Better Security or Just Luck?

On this anniversary of the 9-11 terrorist attacks, some security practitioners believe America's a safer place. Others say the absence of a major attack in eight years is just a matter of chance. Who's right?

There have been many terrorist attacks around the world these last eight years, but nothing matching the magnitude of what happened on Sept. 11, 2001. In an informal poll of security experts, some say it's a testament to better security at landmark buildings, ports, military installations and elsewhere. Others attribute the stateside peace as a matter of luck.

Recall that before 9-11, the Department of Homeland Security did not exist (although most of its components did). The Transportation Security Administration had not been created; nor had its rules and procedures that have engendered so much debate among security professionals as well as airline travelers. On the cybersecurity side, awareness of real or potential digital espionage and warfare is much higher today, though also subject to disagreement. Cybersecurity leadership in the government has been subject to quite a bit of turnover. Privately-owned critical infrastructure companies and groups have taken some steps, creating security programs and leadership positions.

Unquestionably, then, action has been taken and money spent. Still vulnerabilities remain, and so does the debate over the country's level of safety.

The 'lucky' view is held by Dennis Thibodeaux, director of digital forensics at the American College of Forensic Examiners Institute and chairman of the American Board of Information Security and Computer Forensics. As far as hes concerned, the government has wasted billions of dollars on security theater and largely ignored needed defenses for critical infrastructure.

"We are NOT SAFER since 9-11," he said. "We have been extremely lucky. They wont attack us by air next time, but will take advantage of our weaknesses in port security and commercial shipping. Ports, power plants, dams, bridges—they're all vulnerable. They will get here by simply walking across the border from Mexico or Canada."

Also see CSO's exclusive interview with noted expert Steve Flynn, Port and Cargo Security: How is the USA Doing Now?

John J. Tierney, executive vice president and local membership coordinator for the New York Metro InfraGard, agrees there is still much room for improvement, especially when it comes to securing critical infrastructure. But while luck may have been a factor in the absence of a 9-11-caliber attack these last few years, he believes there have been improvements along the way.

"I think we are definitely safer on various aspects of the information technology and physical security fronts and there have been some significant derailment of terrorist plans over the last several years by law enforcement," he said. "While luck has often been in our favor, it doesn't favor the complacent."

John Michael Schneider, a network security practitioner based in Evanston, Illinois, takes the view of most of those polled for this story -- that there's a combination of luck and better security.

"Many billions of dollars have been spent on improving or implementing 'solutions,' some which were obviously an improvement on previously poor or non-existent efforts; others, complete malarkey," he said. "Of course, those who would do harm to America and its citizenry are subject to the same propaganda as we all are. That being the case, some agents may have demurred from attempting to exploit vulnerabilities that in fact actually do still exist. But are we safer? Only to the extent that our enemies buy into the same rhetoric that everyone else does. The vigilant assailant will proceed undeterred, looking for the vulnerability that remains uncontrolled. In that respect, as always, our luck extends only to the extent that we find and fix them before they have a chance to exploit them (again)."

Giles emphasizes the we need to have security awareness programs that get people to focus on keeping track of what is around them.All employees have to be considered part of the security program, he said—a refrain familiar to any security leader.

In the final analysis, security is an ongoing process in any context. The goal of arriving at some state of 'complete security' is misguided. The urgent need is still the same: to identify the most pressing vulnerabilities and implement the most effective and efficient defenses.

That's what makes the debate useful.

Copyright © 2009 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations