Primer: The next act for security theater

The day after DefCon concluded this year, a prominent cybersecurity researcher and hacker, known as the brain behind the hacks featured on the hit TV show Mr. Robot, offered his resignation as the head of the conference’s security operations.

Marc Rogers, vice president of cybersecurity strategy for identity management company Okta and a recognized voluntary leader of the world’s largest hacking conference, expressed surprise at Caesars Entertainment’s statement that it had “briefed” the “organizers of DefCon” about its new room-search policy, a source of hacker community anger and outrage. He said he would have informed attendees that hotel security personnel planned to regularly inspect their rooms, had he known.

The details of the hotel policies, which Caesars and MGM Resorts International formed in response to the deadliest mass shooting in U.S. history, in October, are not entirely clear. The two companies own most of Las Vegas’ hotel-casinos; MGM owns the Mandalay Bay Resort and Casino, from which Stephen Paddock massacred attendees of a country music festival on the Strip.

Caesars claimed in a statement that its policy, which it instituted in January, involves only “visual checks” of guest rooms; it does not include opening closets or drawers, or peering under beds or mattresses.


The Parallax, however, has seen video recordings made by DefCon attendees of hotel security personnel using flash photography and video-recording equipment to document hotel guests’ in-room belongings. Numerous unverified reports by DefCon attendees on Twitter allege that hotel personnel confiscated or moved personal possessions attendees had left in their rooms, including bags. Other reports allege that hotel personnel entered rooms while guests were changing clothes, showering, or lying in bed ill, all under the pretense of conducting security checks.

Such beyond-visual hotel room checks pose more than a privacy concern for hackers, many of whom are professionally responsible for securing sensitive government and business organization information, including secrets such as usernames and passwords.

“I do not support or endorse these room searches, or how they are executed. I sympathize with the challenge these hotels are facing but believe they need to take a harder look at the efficiency, impact, and long-term cost of this strategy,” Rogers wrote in an open letter to the hacker community. “We MUST NOT let our hotels become like our airports. If we do, then the terrorists win.”

Rogers wrote that he understands “why hotels need to adapt to a new threat vector. I had friends caught up in the horror of October. However, as a security practitioner and hacker, I hate security theater.”

Security theater. Cryptographer and security technologist Bruce Schneier coined the term in 2004 to describe the practice of implementing social changes—often at a high cost—that are designed to make people feel safer but that do not necessarily increase security.


Such implementations rose into public consciousness, Schneier said, in the wake of the September 11, 2001, terrorist attacks in the United States. At airports around the country, travelers soon started to see National Guard soldiers armed with machine guns. The guns, he reported, were not always loaded; in those cases, the federal government simply used the soldiers to put on a “show” that responded to security fears.

In addition to commonly cited subsequent examples of security theater at airports, such as forcing travelers at security check points to remove their shoes, dispose of liquid containers larger than 3.4 ounces, and undergo full-body scans, the term has cropped up elsewhere.

Many government and office buildings now require photo identification at their entrances, Schneier said during a recent conversation with The Parallax, despite a lack of evidence demonstrating how ID checks make people safer. People have also ascribed the term security theater to pre-employment urine tests for drug use, as well as pat-downs and bag searches at concerts and movie theaters.

Exposure to liability plays a big role on the security theater stage. Because of a perceived expectation of greater security within certain facilities, poorly maintained or dummy security equipment, such as nonoperational or fake surveillance cameras, can expose organizations to more legal liability, David Corbin, director of police, security, and parking at Brigham and Women’s Hospital in Boston, wrote in June. The average negligent-security award is more than $3 million, he estimates; it’s no surprise that organizations use security theater tactics to demonstrate that they’re taking steps to reduce risk to consumers.

It remains difficult, however, to differentiate a security “play” from a measure that actually makes you safer, Schneier says, because the average consumer lacks the expertise to tell the difference. Likewise, without extensive medical training, consumers are hard-pressed to tell when drugs or procedures are necessary or even effective.

In either case, consumers are often willing to try something new (a prescription or operation) or trade something in (personal privacy) in order to feel healthier or safer.

“That’s perfectly reasonable because they’re not experts,” Schneier says, adding that people are often most afraid of things about which they know very little. “You’re scared of shark attacks, and they [almost] never happen, but they make the news.”

Similarly, he warns that statistically, consumers are at greater risk of injury from “the taxi ride to the airport” than anything that might happen to them between take-off and landing. There were an average of 102 motor vehicle deaths per day in the United States in 2016, part of an upward trend; over that entire year, there were only 631 deaths in U.S. plane crashes as part of a downward trend.

On the other hand, a 2017 test of TSA effectiveness found that its airport screeners failed to stop contraband weapons 95 percent of the time. And by the hotel’s own reckoning, Mandalay Bay housekeeping and room service personnel interacted with Paddock at least 10 times over the three days prior to his shooting rampage, says Brian Martin, vice president of vulnerability intelligence at Risk Based Security.

“It still seems like there’s too many ways to get contraband into a hotel,” he says. The hotels’ new room-check policies might seem like a good way to ensure that guests aren’t stockpiling semiautomatic weapons and bullets, as Paddock had, “but ultimately, it’s theater to shift liability off of themselves.”

Scanning guests’ luggage, a practice already in limited use around the world, would be one way to actually check whether guests are carrying weapons, Martin says. Entering and visually scanning a room for contraband won’t accomplish much, he adds, if security personnel are not looking in obvious hiding places: under beds and mattresses, or in closets and drawers.

Security theater is no stranger to the digital world, either. Many cybersecurity compliance regulations present the appearance of securing corporate and government systems without adding much (if any) protection, James Scott and Drew Spaniel wrote in a January 2017 report on security theater in cybersecurity for the Institute for Critical Infrastructure Technology.

“Comprehensive cybersecurity and cyberhygiene can only be achieved when organizations transition from cybersecurity compliance to cybersecurity competency,” they wrote.

To be clear, the man behind the phrase believes that there are times when security theater is helpful. Schneier cites the psychological benefit hospital RFID bracelets give new parents. An RFID tag can’t necessarily prevent an infant abduction; a kidnapper could simply remove it before leaving a maternity ward. And infant abduction itself is extremely rare; there have been only 325 abductions of U.S. infants since 1965, according to a 2018 report by the National Center for Missing and Exploited Children. Newborn bracelets, Schneier says, simply provide “a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.”

The use of RFID bracelets is beneficial security theater, Schneier argues, because it helps bring parents’ “feeling” about security in line with the reality. He also says Las Vegas hotels have legitimate reasons to check rooms for the antics of “drunken frat boys” and “the kind of crap” that Hunter S. Thompson would do in the 1960s.

Ultimately, Schneier says politics are to blame for the proliferation of security theater—in airports, hotels, office buildings, cineplexes, concerts, or public-transportation hubs.

If you don’t like it, he says, “elect better representatives.”