“Security Theater”, Obscurity, Secrecy and other Confusions
We sometime get questions about a term that has been much used to describe airport security over the last eight years or so. “Security theater” (or theatre) is a term which has been in use within security circles for many years, and has in general been seen as a positive strategy when combined with other measures.
That changed in 2003, when Bruce Schneier used the term in one of his books, claiming at the same time to have coined the term himself. He used the term to describe security measures that were put in place “for show” only, and which have no real impact on the actual securty of a person, a location or operation. Now, while that definition may not be entirely off, it fails to include the nuances that were bundled in when the term was used in internal security circles only. We’ll try to explain.
First Encounter
We first came across this term in 2000, before the TSA and before the major terror attacks of September 11, 2001. It was then used in a military setting, to describe and elaborate on military secrecy and security in military installations and on navy vessels, and the link between the two. “Security by obscurity” is another term that have been frequently used to describe certain security measures, and is really just an unnecessary difficult way of saying “keeping it secret”. Security by obscurity and security theatre are two different methods that are frequently confused, possibly by the general ignorance that surrounds the security industry, and definitely by misunderstandings that are prevalent and hard to get rid of.
Let’s clarify some more.
Think of security – the “real” security measures that you put in place – as your armor. It’s going to protect you from a lot of things, especially those things that it was design specifically to protect you from, and it’s probably going to shield you from quite a few other methods of attack too. That’s the nature of armor – it’s going to hold up very well against some things, while being less effective against others. Anyone who’ve ever been required to wear body armor of some kind knows, however, that no armor is “proof” against anything. You don’t have “bullet proof” vests, you have “bullet resistant” vests. If someone comes along with a big enough (or fast enough) bullet, you’re in trouble no matter what. This is where the secrecy part comes in, and it is also where security theatre comes in, even though they’re not the same things.
Armor & Camouflage
Security measures are your armor – secrecy and theatre are your camouflage. The idea is to make your enemy (or enemies) think that your security measures are more extensive, more efficient, thicker if you will, than they really are. To make them think that you can stop bigger and faster bullets than you really can, and it is also to make it harder for them to target you in the first place. Assailants are like predators – they will target the weakest link, weakest unit – the easiest prey they can find. If you seem bigger and stronger than you are, chances are they will target someone else, or give up entirely if you were their only target.
One of the most dangerous misconceptions, however, is that obscurity is security. That couldn’t be farther from the truth. Indeed, you might get away with it for a while, but once your location has been compromised, your camouflage identified and you can’t hide anymore, then you’re done for. A good soldier will wear both armor and camouflage, so if the camouflage is compromised and someone takes a shot at him (or her), then the armor will be there to protect them.
“Security theatre” is a form of camouflage. It serves a definite purpose, while it can never be the one and only part of security. The consistent “bashing” that “experts” like Bruce Schneier deals out to this security method shows that the misunderstandings surrounding its purpose are very resiliant indeed, and their lack of understanding is the same. This narrow view is nothing that is kept to security theatre only, however. We’ll talk briefly about that.
General Confusion
Schneier, and other security “experts” have long been talking about increasing the amount of, and focusing on, intelligence in order to protect society. At the same time, intelligence measures such as data collection and confirmation have been bad-mouthed by the same people. They talk warmly about scaling down security measures while still encouraging the use of “clandestine” methods in order to make security more efficient. The confusion here is evident, but the main issue is a failure to understand that it’s not a question of either/or – it’s a question of prioritizing and combinations.
Secrecy (yes, we mean “obscurity”) must be the lesser of the security methods. Why? Well, it doesn’t lead to progress and it doesn’t lead to improvement. Those two aren’t the same, by the way. Also, it’s very hard to keep some things secret and other things open – i.e. it’s not very scalable. This applies especially to security systems that are in the public, of course – a small, local system can be kept a secret and is a lot easier to scale. That doesn’t make it “bullet proof”, however.
Combinations are the key to efficient security, and that is why it is risky to discount or remove any single method from the equation. Those familiar with basic math know that removing a part of an equation usually makes the whole thing useless.