"The Myth of Homeland Security", Marcus J. Ranum, 2004, 0-471-45879-1
%A Marcus J. Ranum mjr@...
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$24.99/C$37.50 416-236-4433 fax: 416-236-4448
%P 244 p.
%T "The Myth of Homeland Security"
Regular readers of the RISKS-FORUM Digest come to know a number of
phrases that are repeated over and over again, in assessing risks and
problems in technical systems. One is "single point of failure" and
another is "cascading failure." Yet another, and the one that Ranum
seems to be concentrating on, is "protecting against the wrong
threat." The book starts out, in "It's Another Code Orange Day,"
noting that the vast new machinery of airline security has not caught
any terrorists, and also notes that the defenders are completely
Chapter one asserts that Homeland Security is (along with a number of
other similar terms) a convenient invention. Information warfare is
derided as such a device, and although I could agree in terms of books
such as Erbschloe's (cf. BKINFWFR.RVW), I don't think Ranum gives
enough thought to the work by Dorothy Denning (cf. BKINWRSC.RVW). The
one myth that the author attacks in chapter two is that of superior
attackers and defenders. The anti-FBI stance is somewhat overblown,
even though there are numerous examples to support it, both in the
book and elsewhere. Politics, in chapter three, is mostly about the
PATRIOT Act (and finding out that it stands for "Provide Appropriate
Tools Required to Intercept and Obstruct Terrorism" is almost worth
the price of the book all by itself), although Ranum's seemingly
deliberate attempts to avoid being politically pigeon-holed make it
difficult to determine exactly what his point is. Merging inefficient
agencies is unlikely to help things, as is pointed out in chapter
four. Immigration, in chapter five, looks at weak borders (and, rather
ironically, Ranum seems to be promoting the myth of terrorist entry
through Canada), but the text also admits that the 9/11 attackers all
had valid visas, and ultimately suggests no solutions. Chapter six
notes that TSA (Transportation Safety Administration) salaries are
higher, and hiring requirements more stringent, than before (and the
book has previously indicated that TSA personnel are more
professional), but Ranum points out a few instances of hiring
irregularities, and then flatly states that airport security is a
sieve. He is also seemingly inconsistent in his positions, arguing
generally against biometrics and profiling, but then apparently
endorsing them. The arguments are not reasoned: he is for a national
identity system, but admits elsewhere that the 9/11 terrorists had
valid identification. Chapter seven says that the army is good, the
border patrol is looking for the wrong things (although this is
confusingly amended to a position that they have the technology but
aren't using it), and the FBI and CIA have an ongoing turf fight.
Having stated that he is not interested in media bashing, Ranum spends
most of chapter eight anecdotally doing just that. There is a token
mention of access to information, and a final assertion that probably
nothing can be done about the problem of the media because the public
is so gullible.
Cyberattacks are an unreal myth, says chapter nine, but our
information infrastructure is mostly undefended. The lack of
standardization in government systems is seen as making government
systems harder to defend (even though homogeneity means that a single
attack can penetrate everything). While this material starts off very
well, possibly due to Ranum's greater familiarity with strictly
technical issues, he makes numerous errors in regard to viruses and
malware. His lack of experience in this specific area reappears in
chapter ten, where he says that even outdated antivirus scanners
should have caught Code Red because the exploit was a known one.
However, scanners would not have caught Code Red since it did not
write itself out to a file, and also because scanners search for
strings or patterns, not exploits. (If anything should have caught
Code Red it was more likely to have been the firewalls that Ranum has
made his name in designing.) Computer insecurity is put down to being
on the cutting edge (advanced technologies being less completely
understood), but is also due to foolish government purchasing
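The point made above about Code Red, that a file-signature scanner never had a chance against a worm that stayed in memory while a network-level filter did, can be shown with a small model. The following is an added illustration, not code from the review or from Ranum's book; the signature string, the request pattern and the sample traffic are all constructed for the example and are not real Code Red indicators.

```python
"""
Model of two detection vantage points: a signature scanner that reads
files on disk, and a network filter that inspects the HTTP request line.
A memory-only worm is visible to the second and invisible to the first.
All byte patterns here are constructed for illustration.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed byte signature a file scanner would search for in files.
WORM_BODY = b"WORM_BODY_MARKER" + b"\x90" * 16
FILE_SIGNATURES = {"example-worm-body": b"WORM_BODY_MARKER"}

# Constructed request-line pattern for a firewall or network IDS: an
# overlong query string of one repeated byte, the shape of an attempt to
# overflow a web-server buffer. Illustrative only.
REQUEST_PATTERN = re.compile(rb"^GET /[\w.]+\?(?:X){64,} HTTP/1\.[01]")


def scan_files(directory: Path) -> list[tuple[str, str]]:
    """Signature scanner: it can only match bytes that were written to disk."""
    hits = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for name, signature in FILE_SIGNATURES.items():
            if signature in data:
                hits.append((path.name, name))
    return hits


def inspect_request(raw_request: bytes) -> bool:
    """Network filter: it sees the request as it crosses the wire."""
    first_line = raw_request.split(b"\r\n", 1)[0]
    return REQUEST_PATTERN.match(first_line) is not None


def memory_only_worm_request() -> bytes:
    """A worm that runs entirely from memory arrives as an HTTP request and
    never writes its body to a file; only the request itself is observable
    from outside the process. (Constructed traffic.)"""
    return b"GET /index.ext?" + b"X" * 200 + b" HTTP/1.0\r\nHost: victim\r\n\r\n"


def demo() -> dict:
    """Run both checks against a memory-resident worm, then against a worm
    that drops a file, to show which vantage point catches which."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        (directory / "readme.txt").write_bytes(b"nothing to see here")
        request = memory_only_worm_request()
        results = {
            # Nothing was written to disk, so the file scanner finds nothing.
            "file_scanner_hits_memory_worm": scan_files(directory),
            # The request line is what the firewall matches on.
            "network_filter_sees_memory_worm": inspect_request(request),
        }
        # Contrast: a worm that drops a file is exactly what file scanners catch.
        (directory / "dropped.bin").write_bytes(WORM_BODY)
        results["file_scanner_hits_file_worm"] = scan_files(directory)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two detectors are deliberately simple; the lesson is in where each one looks, not in how clever its matching is. A file scanner answers "has a known bad thing been written here?", which is the wrong question for a worm that is only ever a request in flight and a process in memory.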
Those of us who work in the security field can certainly sympathize
with the tone of Ranum's work. Yes, governments (and businesses) are
foolish. Yes, the general public sees a complex problem in simplistic
terms. Yes, you can find instances of stupidity in any large
enterprise. But does any of this have a real bearing on how security
can be improved, or how we should look at it? (Particularly to a
non-American audience, this book must read like a long string of sometimes
whiny complaints.) Yes, Ranum starts off by saying that he is not
actually offering solutions, but that bald statement hardly absolves
him of not offering anything, including insights. While this work is
at least well-informed about the problems, I am at a loss to explain
the adulation that has been heaped upon it by many of my colleagues,
aside from the fact that we all feel very much the same way.
Presumably, however, we are not the target audience, and the book is
aimed at demonstrating to the general public that Homeland Security
is, as the cover graphically puts it, a house of cards. Pointing out
that the Emperor has no clothes does have some merit, although the
rewards of the activity are questionable at best. When addressing a
non-technical audience, the anecdotal evidence provided is probably
more realistic than a closely reasoned argument. However, the lack of
clear suggestions for improvement, and inconsistency in positions,
detract from the book's value.
We can agree that security is a mess, and that governments can create
enormous boondoggles. This book is among many that make the point,
but does not do much to improve the situation.
copyright Robert M. Slade, 2003 BKMYHLSC.RVW 20031124