“Security Engineering”, Amateurs and Dangerous Laymen…

…or, “An answer to Bruce Schneier’s newest essay, which is likely to irk him as much as the last one.”

So. We kind of like it when people are irked by something we say, or when they get pissed off at us for saying what we think about their “expert opinions”. There are a couple of reasons for that; first of all, if they’re pissed about something we wrote, that meant they take us at least a little bit seriously. So there’s that. Also, it means that whatever opinions these “experts” provide will be questioned and debated instead of accepted at face value.

Unfortunately, Bruce Schneier is one of those “experts” whose opinions people simply accept at face value. We know the man is a published author, that he regularly attends conferences and such, but here’s the stark truth; the man is an IT security guy who works for BT. That’s all. He doesn’t have any security certifications, he’s never worked in physical security or airport security or law enforcement. Outside the research he must have done for his books (which are highly derivative…), he doesn’t have the qualifications necessary to speak with any authority on physical security. Cryptography? Sure. IT security? Absolutely – we wouldn’t dare take him on there. But that’s beside the point. We’ll take a look at his latest essay.

“The Importance of Security Engineering”

Bruce writes:

In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don’t recommend reading the entire discussion; we spent 14,000 words talking past each other. But what’s interesting is how our debate illustrates the differences between a security engineer and an intelligent layman. Harris was uninterested in the detailed analysis required to understand a security system and unwilling to accept that security engineering is a specialized discipline with a body of knowledge and relevant expertise. He trusted his intuition.

Our reply:

So. A neuroscientist and a cryptographer walks into a bar… Really – Schneier’s own first sentence reads just as much as the intro to a joke in its original state. We’ll try to overlook that, however, and move on. The neuroscientist and the cryptographer then write 14,000 words on a subject so far outside their fields that they might as well have been discussing the possibility of using Yetis as slave labor.

It’s also hard to discern who is who in that paragraph (and the essay as a whole) – is Schneier the “security engineer” or the “intelligent layman”? We’ve no doubt that these to people are both intelligent men, but that’s hardly the point. If Schneier sees himself as a “security engineer”, that is also somewhat correct… if he’d attached “IT” at the start there. Schneier certainly isn’t qualified to design (engineer) a physical security system for an airport, a federal facility or a hotel, for that matter. Nor should he attempt making (engineering) educational material for physical security officers, federal agents or law enforcement. Neither of these guys are psychiatrists of psychologists either, so why are they attempting to come off as authorities on profiling? The simple fact that they’re even discussing “profiling Muslims”  proves that they’ve both profoundly misunderstood how airport profiling should work if implemented.

Bruce writes:

Maybe this is more up Bruce's alley...

I’m not here to debate the merits of any of these policies, but instead to point out that people will debate them. Elected officials will be expected to understand security implications, both good and bad, and will make laws based on that understanding. And if they aren’t able to understand security engineering, or even accept that there is such a thing, the result will be ineffective and harmful policies.

Our reply:

The policies he’s talking about are information security policies, and where restrictions will stop once they get going, dragging in a strange mix of Hollywood industry and DEA and FBI, movies, guns and drugs. The strange thing here is that Schneier says he’s not here to debate the policies (as a self-proclaimed “security engineer” probably should, if he/she is qualified…), but rather to point at the people debating, saying… there’s a debate…? That makes no sense. Schneier expects elected officials (whoever that is) to understand what’s going on, and the complexities in that field, but he doesn’t want to help with that? Hm.

Bruce writes:

So what do we do? We need to establish security engineering as a valid profession in the minds of the public and policy makers. This is less about certifications and (heaven forbid) licensing, and more about perception — and cultivating a security mindset. Amateurs produce amateur security, which costs more in dollars, time, liberty, and dignity while giving us less — or even no — security. We need everyone to know that.

Our reply:

Security engineering is nothing new. It seems that Bruce thinks he’s coined another term (see our rants on the “security theater” term…) and that this is something completely new and immensely important. And well… it is immensely important. However, engineering security is something trained, educated and experienced professionals have been doing for years, proving their skill, education and experience through established and strict certifications, which Bruce seems to think are unimportant. That’s nothing less than extremely insulting to those professionals who hold CPP or PSP certifications, or the other ASIS certifications, for that matter.

Amateurs do produce amateur security. It’s true. In fact, those two last sentences in the paragraph are just about as accurate as anything can get. It’s strange that Bruce doesn’t realize that his own words also apply to him – isn’t he simply an amateur in the field of physical security? Profiling? Anything but IT and crypto? Yes, that’s exactly what he is. And what kind of security do amateurs produce?

Finally, some readers will no doubt counter with the possibility that Schneier is simply talking about computer security in his essay. It might seem that way if you haven’t read any of his other stuff – which is educational as long as you don’t take use it as a single source. It’s important to understand that Schneier is an accomplished debater, an excellent researcher and at times even eloquent.

At the end of the day, Bruce Schneier proves again that he is an amateur when it comes to physical security, and also profiling. And in the words of Bruce Schneier; “Amateurs produce amateur security.”

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy