FRAMINGHAM (10/08/2003) - Assorted tales from the September news files got me thinking about the reflex to fling gobs of money at a problem.
First, there was the man who shipped himself home to his parents' house in a box (and not a very big, comfy box at that). The fact that he was able to do this undetected--at least until he busted out on the threshold of his parents' Dallas home and startled the delivery guy--raised alarms that, as one commentator put it, "He could have been al-Qaida!"
Somewhat less whimsical and more sobering was the recent ABC News test of U.S. port security. Investigative reporter Brian Ross packed up some depleted uranium in a suitcase and shipped it by boat from Jakarta to Los Angeles. The fact that it journeyed unimpeded to its final destination was offered as alarming proof of the porousness of our ports.
And, finally, there are assorted news reports of disappointing results from various tests of face-recognition systems as a way to identify terrorists and criminals in crowded public places. The Tampa police have abandoned their use of the technology based on its cost (high) versus its effectiveness (low). While some airports and other critical infrastructure facilities continue to invest in pilot deployments of these systems, their use has so far been fraught with high percentages of false positives (that then have to be checked out) and low reliability in identifying members of known populations, such as airport employees.
Events such as these are driving us toward the unhappy conclusion that there may in fact be no economically viable technology solutions for many of the dangers we face. The experience of drug interdiction is instructive. To make a system that would be 100 percent effective at intercepting transborder drug shipments would likely bankrupt the nation. Obviously, we haven't been committed enough to achieving a perfect capability to spend ourselves into that hole (even the rosiest estimates are that interdiction catches only a minuscule percentage of drugs). The same bankruptcy prediction has been made about the more sinister cargoes of explosive or nuclear or biochemical weaponry--a menace for which even a few points short of 100 percent effective interdiction would amount to failure. Is there really money enough to go there? Or do we admit that, in the face of important competing social priorities, some lower-level capability is acceptable?
It is a worrying fact that we have all but relegated drugs to secondary status as a national threat, confirming the thesis of author Barry Glassner (The Culture of Fear) that people are often afraid of the wrong things.
Which brings me back to the jobs of CSOs. This month we publish the results of an ambitious global survey on the state of information security (see Senior Editor Scott Berinato's story online). The survey was done by PricewaterhouseCoopers and our sister publication, CIO magazine. It drew responses from more than 7,500 executives in 54 countries and in companies of varying sizes. Among Berinato's most sobering conclusions, after looking at the reams of data, is that investments in stemming the tide of vulnerability seem hardly to have made a dent so far.
Is it possible, therefore, that too much money is being spent on too many of the wrong things? Berinato quotes security eminence Bruce Schneier to that effect: "Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably."
In every area of security, the question to ask at every turn is whether a given quantity of protection is worth what it costs to achieve it. Personally, I don't care if someone wants to be stuffed into a crate and air-freighted around as though he were a bicycle. But it will be harder to decide if I'm up for spending enough to find Brian Ross's little uranium shipment without knowing what the magic number is. Could the ROI of lowering the global animosity quotient turn out to be vastly higher than the ROI of investing in hundreds of back-scan X-ray units?