NPR’s article, “Spate Of Bomb Threats Annoys Pittsburgh Students” got me thinking about the unintended consequences of implementing good security. Even ignoring the other issues involved like civil rights violations and creating easily attacked lines.
Reacting to every threat has at least two detrimental effects: denial of service and complacency.
The first, and most immediate, is the ability for an adversary to shut down a system without doing anything but writing a letter, making a phone call, or posting something on the Internet.
In computer security we call this type of attack a denial of service (DOS) attack. With a computer it is usually achieved by making legitimate requests at such a frequency as to bog down the machine and prevent it from responding to normal users.
In this case, however, it’s making threats and forcing law enforcement to respond. This has two effects. The first is that it takes law enforcement away from legitimate calls (denying those people of the service of law enforcement). The second is when law enforcement responds by shutting down or drastically reducing the functionality of the threatened target (denying service to customers of that target).
In the article the students are queued up waiting to go through a security checkpoint in order to get on campus. In airports they might clear the gates and require everyone to go through security again. In either case massive amounts of time and money are wasted. The attacker has done nothing, but still managed to mess with their target.
In this manner terrorists could cause billions of dollars in losses to our economy simply by calling in threats to airports, shopping malls, schools, stadiums, etc. And given our level of unwarranted fear, what law enforcement agency is going to do nothing when they receive a threat like that? If they’re wrong no one will listen to arguments about likelihood, corroborating evidence, etc.
The second detrimental effect is complacency or “the boy who cried wolf” effect. One technique used to bypass an alarm system is to repeatedly trip the alarm, but do nothing else. Eventually the people responding to the alarm may begin to delay responding presuming it’s another false alarm. Or in the best case (from the attacker’s view) they may turn off the alarm altogether.
If they do continue responding to the alarm then they’re faced with a dilemma: How many times do you respond to an alarm at cost $X per response before you can no longer afford to respond? How many airports do you shutdown and flights do you cancel before the airlines begin going bankrupt or flying becomes so unreliable people just stop trying?
In the case of the school in the article, University of Pittsburgh, how many more of these threats are they going to evacuate buildings and run security checkpoints for before the students start leaving looking for schools that actually have time for education?
These are two of the problems that exist from treating every threat seriously and not using risk management techniques to handle threat response. But given that everyone involved would be fired, if not prosecuted, if they were wrong, what alternative do they have?
If we shut down our society because we’re afraid then haven’t the terrorists won without ever doing a thing?