The Bumbling Airline Bomber, Stupid Reactions, and 8 Real Security Takeaways

Ira Winkler on what we should really learn from the failed Northwest Airlines bombing attempt

I am cynical of the recent attempt to bring down the Northwest Airlines flight from Amsterdam to Detroit. The fact that there is a terrorist attempt is nothing new, and is frankly expected. However, the reactions and claimed outrage indicate more incompetence than concern for security.

Looking at the reactions to the failed attack, you would think that this was some brilliantly planned attack by a determined enemy. You would think that there was nothing that could have been done to prevent the attack. Now that we know details about the attempt, you would also think that there is a clear plan to prevent future attacks.

Nothing could be further from the truth.

Also see Winkler's column "I Was Wrong—There Probably Will Be a Digital Pearl Harbor"

Pulling together security bulletins, it appears that the suspect boarded the airplane with an explosive packet sewn into his underwear. Near the end of the flight, he went into the bathroom for an extended period of time, went back to his seat, put a blanket over himself claiming to have a stomachache, and attempted to detonate the explosive. However, the detonator malfunctioned and started a small fire instead.

Many people are second-guessing the sequence of events, and putting ridiculous security measures in place in response. Instead of actually securing air travel, these measures are more like a handbook of what NOT to do. Here are a few of the lessons we should really learn from this incident.

1. Security countermeasures seem intrusive—until something happens.[Editor's note: See the opposing viewpoint in this 2004 Q&A with Jeffrey Rosen.] They would rather people smuggle weapons on board, as opposed to someone seeing they are wearing Spanks to hold in their fat.

First and foremost, this attack could have been easily prevented if airports used full-body scanning. The TSA previously attempted to get full-body scanning implemented at major airports; however, privacy advocates and a grossly ignorant public were afraid of scanners seeing their genitals.

While a full-body scan would have easily detected the explosives, people saw their little self-centered picture instead of the big picture. Unfortunately, it is incidents like this that will make people rethink what is a very useful security tool.

2.There is a practical limit to the usefulness of some tools.

Whether or not the alleged terrorist was subjected to a pat-down search, there is a practical limit to the usefulness of a pat-down. For example, security screeners are trained to lightly tap people with the back of their hands, which have little sensitivity. Many of them are also very hesitant to touch the genital region. It is therefore no surprise that the suspect sewed the explosives in his underwear. When police pat down a suspect, they know that they have to grab the crotch as they are afraid of hidden weapons. To police officers, it is very possibly a life and death situation.

Airport screeners don't want to do a full pat-down, and frankly, in more than 99.99999% percent of all cases, it is unnecessary. Even when it is necessary, people expecting pat-downs are expecting the crotch area will be excluded.

Should airport security actually start properly inspecting the crotch, criminals will put the explosive packs in the butt crack. No matter how pat-downs are executed, they simply have limitations.

3. Low-tech security is usually best.the easiest, the most portable, and the least expensive countermeasure available. I have been through Amsterdam's Schipol airport many times, and have never seen a dog at the airport. This is not unique to Amsterdam.

One countermeasure that was apparently not used was an explosive-sniffing dog. It is

4. Some technology countermeasures go unused.

Apparently an explosives swab would have turned up the fact that the terrorist was exposed to explosives. Given the fact that the terrorist was also on a watch list, he should have received such screening.

5. People have a short memory.London subway bombings.

One of the stupidest questions I hear is, "Why are terrorists focused on attacking airplanes?" The news media and laypeople now believe that terrorists only want to attack airplanes. They seem to forget the recent attack at Fort Hood, as well as the planned and attempted car bomb attacks in Dallas and New York. There are of course the car bombs attacks that have been scattered around the world in recent months. Likewise, people forget the

Why is this a problem? Because the attention is diverted from where people should be looking and putting resources where they don't belong.

6. People are diverted by irrelevant facts.

An issue that came up in the discussion of the alleged terrorist is that the terrorist began his trip in Nigeria, and everyone questioned relying upon the security of a Nigerian airport.

That is a worthless discussion. Amsterdam's Schiphol airport has a complete security screening setup at most gates, and especially at gates for airplanes bound for the US. Likewise, all baggage is screened. Everyone entering the gate area goes through security screening. Security at Schiphol makes no assumption that anyone went through any previous screening. Whether or not the screening in Lagos was acceptable, it is clear that standard security screening procedures at Schipol, following TSA standards, failed.

7. Security programs are set up for the last attack.

In the wake of the attacks, the TSA is requiring or recommending a lot of overly burdensome countermeasures, such as stopping the use of all electronic devices on flights, requiring passengers to stay in seats for the last hour of the flight, and removing blankets and pillows.

Again, there are millions of international fliers every year. One of them used this attack. The ban on electronic devices is supposed to stop people from using GPS systems from tracking where the flight is located. Keeping people in the seat for the last hour is supposed to prevent people from blowing up the plane in the last hour of flight. Again these measures are absurd as at best they only have a minor affect on when a terrorist blows up a plane, not to stop them from blowing up a plane. After all, the pilot has to warn people before they have to stay in their seat. Of course, a would-be terrorist only has to look out the window to see where they are.

8. We must balance the unlikely loss with the real risk.

At some point, we really have to give up the "stop it at any cost" countermeasures, such as keeping people in their seats for the last hour of a flight, and look at where the real risks are. For example, while people are obsessed with the potential for blowing up an airplane—and in this case nobody died—compare that to the 103 deaths that happen every day due to automobile accidents. Corporations must likewise address the real sources of loss that they experience every day, as opposed to the hysteria that comes from an event like the airline incident.

There are clearly many more lessons to be learned from this attack—admittedly, mostly cynical lessons. The fact is that as security professionals, who are really risk management professionals, have to maintain a proper perspective one where loss comes from and the actual scope of the loss. I don't want to downplay the importance of a single life. However, just as we can do things to cut down on the number of highway deaths, and don't, we have to realize what we can and cannot do with regard to potential terrorist attacks against airplanes.

I believe that most of the measures the TSA put in place are not just unwise from a risk perspective—they are actually ridiculous in their effect. Should we implement full body scans? Yes; the arguments against them are as absurd as thinking a terrorist won't blow up an airplane unless it is within the final hour of flight. Should we invest in more explosive sniffing dogs? Definitely yes; it is much less expensive and easier to implement. However, the fact is that most dogs in use at airports are used by Customs police to detect drugs upon arrival, and by security forces to detect explosives upon departure. Priorities.

There were mistakes made on several levels. Let's not make the mistakes worse by implementing useless countermeasures that don't cost-effectively mitigate the risk. What people have to understand is that the goal of terrorism is not to actually blow up an airplane, but to create fear, uncertainty, and doubt to create a political change. By grossly overreacting and putting in place useless countermeasures that make world travel more difficult, you are creating the effects the terrorists want. Whether or not the terrorist brought the airplane down, we have made the attack successful. In the mean time, please stop and consider that at least one person died in an automobile accident while you read this article.

Copyright © 2010 IDG Communications, Inc.

The 10 most powerful cybersecurity companies