BKMYHLSC.RVW 20031124

"The Myth of Homeland Security", Marcus J. Ranum, 2004, 0-471-45879-1, U$24.99/C$37.50
%A Marcus J. Ranum mjr@ranum.com
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2004
%G 0-471-45879-1
%I John Wiley & Sons, Inc.
%O U$24.99/C$37.50 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471458791/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471458791/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471458791/robsladesin03-20
%P 244 p.
%T "The Myth of Homeland Security"

Regular readers of the RISKS-FORUM Digest come to know a number of phrases that are repeated over and over again, in assessing risks and problems in technical systems. One is "single point of failure" and another is "cascading failure." Yet another, and the one that Ranum seems to be concentrating on, is "protecting against the wrong threat."

The book starts out, in "It's Another Code Orange Day," noting that the vast new machinery of airline security has not caught any terrorists, and also notes that the defenders are completely disorganized.

Chapter one asserts that Homeland Security is (along with a number of other similar terms) a convenient invention. Information warfare is derided as such a device, and although I could agree in terms of books such as Erbschloe's (cf. BKINFWFR.RVW), I don't think Ranum gives enough thought to the work by Dorothy Denning (cf. BKINWRSC.RVW). The one myth that the author attacks in chapter two is of superior attackers and defenders. The anti-FBI stance is somewhat overblown, even though there are numerous examples to support it, both in the book and elsewhere.
Politics, in chapter three, is mostly about the PATRIOT Act (and finding out that it stands for "Provide Appropriate Tools Required to Intercept and Obstruct Terrorism" is almost worth the price of the book all by itself), although Ranum's seemingly deliberate attempts to avoid being politically pigeon-holed make it difficult to determine exactly what his point is. Merging inefficient agencies is unlikely to help things, as is pointed out in chapter four. Immigration, in chapter five, looks at weak borders (and, rather ironically, Ranum seems to be promoting the myth of terrorist entry through Canada), but the text also admits that the 9/11 attackers all had valid visas, and ultimately suggests no solutions. Chapter six notes that TSA (Transportation Safety Administration) salaries are higher, and hiring requirements more stringent, than before (and the book has previously indicated that TSA personnel are more professional), but Ranum points out a few instances of hiring irregularities, and then flatly states that airport security is a sieve. He is also seemingly inconsistent in his positions, arguing generally against biometrics and profiling, but then apparently endorsing them. The arguments are not reasoned: he is for a national identity system, but admits elsewhere that the 9/11 terrorists had valid identification. Chapter seven says that the army is good, the border patrol is looking for the wrong things (although this is confusingly amended to a position that they have the technology but aren't using it), and the FBI and CIA have an ongoing turf fight. Having stated that he is not interested in media bashing, Ranum spends most of chapter eight anecdotally doing just that. There is a token mention of access to information, and a final assertion that probably nothing can be done about the problem of the media because the public is so gullible. Cyberattacks are an unreal myth, says chapter nine, but our information infrastructure is mostly undefended. 
The lack of standardization in government systems is seen as making government systems harder to defend (even though homogeneity means that a single attack can penetrate everything). While this material starts off very well, possibly due to Ranum's greater familiarity with strictly technical issues, he makes numerous errors in regard to viruses and malware. His lack of experience in this specific area reappears in chapter ten, where he says that even outdated antivirus scanners should have caught Code Red because the exploit was a known one. However, scanners would not have caught Code Red since it did not write itself out to a file, and also because scanners search for strings or patterns, not exploits. (If anything should have caught Code Red it was more likely to have been the firewalls that Ranum has made his name in designing.) Computer insecurity is put down to being on the cutting edge (advanced technologies being less completely understood), but is also due to foolish government purchasing procedures.

Those of us who work in the security field can certainly sympathize with the tone of Ranum's work. Yes, governments (and businesses) are foolish. Yes, the general public sees a complex problem in simplistic terms. Yes, you can find instances of stupidity in any large enterprise. But does any of this have a real bearing on how security can be improved, or how we should look at it? (Particularly to a non-American audience, this book must read like a long string of sometimes whiny complaints.) Yes, Ranum starts off by saying that he is not actually offering solutions, but that bald statement hardly absolves him of not offering anything, including insights. While this work is at least well-informed about the problems, I am at a loss to explain the adulation that has been heaped upon it by many of my colleagues, aside from the fact that we all feel very much the same way.
Presumably, however, we are not the target audience, and the book is aimed at demonstrating to the general public that Homeland Security is, as the cover graphically puts it, a house of cards. Pointing out that the Emperor has no clothes does have some merit, although the rewards of the activity are questionable at best. When addressing a non-technical audience, the anecdotal evidence provided is probably more realistic than a closely reasoned argument. However, the lack of clear suggestions for improvement, and inconsistency in positions, detract from the book's value.

We can agree that security is a mess, and that governments can create enormous boondoggles. This book is among many that make the point, but does not do much to improve the situation.

copyright Robert M. Slade, 2003 BKMYHLSC.RVW 20031124