Security Theater Comes Home

Stop me if you’ve heard this one before: Much of the security we encounter at airports is, optimistically, reactive to past threats. The Transportation Security Agency (TSA) exists and runs checkpoints because of the failure of privatized security to stop the 9/11 hijackers; we take our shoes off at security because Richard Reid tried to bomb a flight with explosive-soled sneakers; we can’t bring bottles of water past the screening checkpoint because of a liquid explosives plot from 2006; we can’t put electronics in our luggage because of a printer cartridge bombing plot in 2010. Those measures may have some grounding, but anyone who has waited in line for an indeterminate amount of time while TSA agents dismantle a toddler’s backpack might well wonder what the exchange rate between inconvenience and actual security is.

Computer security expert Bruce Schneier described the visible but not especially effective security measures employed in the wake of 9/11 as “security theater.” More recently, as the coronavirus pandemic took hold, Derek Thompson in The Atlantic identified another variant: hygiene theater. Reading this in 2021, you will be familiar with the concept. Hotels, rental car companies, restaurants, and other commercial shared spaces advertise “enhanced cleaning” to deal with the threat posed by the novel coronavirus. Surfaces are sprayed and re-sprayed with alcohol-based cleansers; temperatures are taken at entryways; and hand sanitizer is deployed by the gallon. This all continues despite the fact that we now know that SARS-CoV2, the virus that causes COVID-19, is primarily transmitted by airborne particles and raised temperatures are only present in a fraction of infectious individuals.

While not a perfect analogy, both phenomena reflect a real dynamic. Institutions – both public and private – need not only to secure themselves against threats, but to demonstrate that they have secured themselves against threats. It also reflects a way of grappling with a fundamental management difficulty: It is far easier to give large, distributed groups of people (say, employees) a checklist of measures that, taken universally, will bring down risk somewhat than to ask them to exercise perfect judgment in the face of constantly shifting levels and types of threats.

With that in mind, it is worth considering what that dynamic might look like in the future.

It is, of course, a losing game to predict the next big crisis. But let us assume, for the sake of argument, that we are indeed entering a world of enhanced strategic competition, with a significant element of electronic surveillance, espionage, and technological intrusion into all aspects of commerce and life. That has many impacts, but among other things, it fundamentally changes the nature of espionage and counterespionage. In previous eras, intelligence agencies generally needed to find witting agents to help them collect protected information: Someone who was either ideologically simpatico, bore a grudge against the target, or could be tricked, blackmailed, or coerced into cooperating.

Today, in the age of networks, that is not the case. Almost all of us carry around a highly capable intelligence-gathering device on our persons, and we all produce and share exponentially vaster quantities of data than even our recent predecessors. Compromising our electronic devices and our accounts gives in some ways more access than even the most enthusiastic spy. Consider, as an example, the fact that the release of data – an intentional data release, not even a hack – from the fitness app Strava a few years ago allowed open-source researchers to identify the locations and dimensions of undisclosed U.S. military facilities thanks to the app’s use by special operators out for runs. Or look to the various successes of open-source researchers and activists able to identify and track Russian spies and soldiers through their personal social media profiles.

The obvious solution is to severely limit the use of social media by people entrusted with sensitive professions, but that, too, has its limits. The proliferation of personal data has become so ubiquitous that someone who does not share might be even more conspicuous than someone who shares only carefully selected, informationally barren updates.

Maintaining such good discipline is exhausting, even for professionals, and it only takes a single lapse in vigilance for an attacker to gain access to a network – as has been demonstrated with increasing frequency and increasingly dire impacts over the last few years. To make matters worse, the questions of attribution, proportionate response, and deterrence in that field remain highly unsettled.

So as cyber operations take a more central role in geopolitics, we can reasonably expect theatrical displays of cybersecurity to follow. To some extent, we are already there – perhaps you have worked for an organization that compels you to change your password every 90 days, despite the extremely limited evidence that doing so offers a measurable security benefit. These efforts will become more intense over time.

Ironically, they are likely to become more intrusive as well, as remote and hybrid working, contract employment, and other related trends blur the distinction between the personal and the professional. A security requirement that seems inconvenient on a work device might well be an invasion of privacy on a device that is used for both professional and personal tasks. Unlike hygiene and security theater, cybersecurity theater will reach far deeper into our lives, and may well prompt a rethink of how to best provide true security at scale.