Archive for Editorial

Cloud, Pocket, and Desk

I just received some spam from the ACM touting some material about Cloud Computing. The email says, in part:

“Cloud computing promises to radically change the way computer
applications and services are constructed, delivered, and managed.
It is a fundamental new paradigm in which computing is migrating from
personal computers sitting on a desk to large, centrally managed
datacenters.”

This got me to thinking: there are actually two paradigm shifts happening in computing, and the other is the move to smaller, powerful, mobile personal devices. Each seems to be heading in the opposite direction, and the desk looks like the loser.

But of course these paradigm shifts are complementary; there is no reason why a smaller, more natural human interface in the form of a mobile device cannot take advantage of the compute and storage power of the cloud while retaining the ability to perform some computationally heavy tasks if called upon (e.g., if the cloud is unavailable, or if you don’t trust the cloud with the data/inputs to perform the calculation).

In fact, we can think of these two shifts as a factoring of the traditional desktop role; you still have a personal computing device, but it is now mobile, and its power is greatly enhanced by remote storage and compute capabilities. Of course, shortcomings exist: in interfaces (thumb typing? come on), in power (battery life, anyone?), in security (store my medical info in the cloud???), in display size (watching movies on 4 inches…eye strain), etc.

Comments off

Backscatter X-Ray Machines

Various agencies have heralded the use of backscatter X-ray machines [wikipedia] as a safe, non-invasive technique for scanning airline passengers to detect weapons or devices hidden under clothing or in sensitive areas of the body.

Independent of the security value of these machines, I was curious about how they operated, who developed them, and who sells them.

Steve Smith appears to be a scientist involved in creating similar technology (the “SECURE 1000”); the company Rapiscan seems to sell a variety of these kinds of devices. The SECURE 1000 looks different than backscatter machines I’ve seen at airports. It looks like Dr. Smith has been fairly successful; his research group’s Web site (http://www.spectrumsdi.com/) redirects to SAIC.

The ISU site claims that the risks from the radiation of these machines are negligible.

This concept is a pretty hot topic:

Airport admits ‘strip search’ body scanners WILL show people naked

X-ray Body Scanners Arriving at Airports

Slate, with the salacious title: “Digital Penetration”

The dailymail article above quotes an official saying: “The images are not saved, you literally walk through, the screener hits a button to say clear and the image goes.” The Slate article quotes the TSA: “‘Images will not be printed, stored or transmitted,’ TSA swears on its Web site.” [the link Slate provides is broken, but here is the TSA main page for "Advanced Imaging Technology" and the "Privacy" subtopic. -Ed.]

This claim is what troubles me most. It troubles me because it sounds like officials repeating a marketing line they’ve been handed by companies selling these sorts of systems, with little real proof or assurance for the public that these machines have been certified not to store the images.

Given the requirement to have the personnel looking at the scan be physically removed from the subject being scanned means that these images are captured and transmitted to some computer terminal. This in turn means that the image or file traverses a network and most likely winds up on a commodity PC screen. There is likely some file and temporary storage involved here — making sure that this data is completely wiped from the system and not inadvertently saved (even on hard disk temporary or memory swap space) is a non-trivial programming exercise. And there is a tangible energy cost to proactively deleting information.

The TSA privacy Web page for this technology says: “Advanced imaging technology cannot store, print, transmit or save the image, and the image is automatically deleted from the system after it is cleared by the remotely located security officer. Officers evaluating images are not permitted to take cameras, cell phones or photo-enabled devices into the resolution room.”

While this is an admirable sentiment, as a citizen, I’d like to see proof of these limitations rather than a statement of policy. In fact, given that running wires and cabling is an expensive process (and leads to messy trip hazards), I suspect the transmission of these images is wireless. It would be interesting to observe the wireless frequencies in use at airport checkpoints (something that can be done very surreptitiously, unless laptops are banned completely) and capture the data passing over them.

Also of interest, TSA’s Freedom of Information site: http://www.tsa.gov/research/reading/index.shtm. Among the documents here are PDF scans of citizen feedback on backscatter technology [PDF], ranging from a few well-argued positions to short, barely legible emotional reactions to various TSA practices. Also present are contracts that TSA has with various private companies. Good to see which beltway bandits are hooked up to the TSA teat. Finally, there are also videos of Salt Lake City’s checkpoints.


Using GPS to Violate the 4th Amendment

Threats to privacy exist in a number of forms. What is interesting about the following case is that the government is using the prosecution of someone who is probably guilty of breaking drug laws as a vehicle to expand its surveillance powers over law-abiding citizens. This is akin to the story of the motorcyclist in Maryland who was charged with wiretapping the police that pulled him over simply because he had a helmet cam. If the government can’t tolerate being observed, taped, recorded, and tracked, then why should citizens? Is not the citizen supreme? Doesn’t the government exist to serve the citizen, not the other way around?

http://www.time.com/time/nation/article/0,8599,2013150,00.html?hpt=T2 (Time.com)

It seems like we’ve reached a state in the US where the value proposition of living in a “free” republic has become less meaningful. Four hundred years ago, European settlers were quite willing to live on the frontier, braving the dangers that come with little or no infrastructure in return for the freedom of self-determination. In contrast, modern America seems to have become addicted to too many comforts; in the course of “outsourcing” the maintenance of law and order (so that we can continue ordering Starbucks, sending Tweets, and watching American Idol), we’ve given away extraordinary powers to those “security” institutions.

And here is the irony of it all — these institutions, faced with solving an impossible problem (the security and safety of every citizen) continually request (or seize) even more power, justifying said initiatives by claiming they need yet another power to keep us safe. This gradual process inexorably ends in a police state: there is no other social attractor at the end of this particular road. Only a determined and vigilant effort at reducing the size and scope of government power can combat this tendency. It likely takes civic leaders willing to assume a short, unspectacular political career: they come in, fix the problem, upset some portion of the electorate, and subsequently get voted out.


Shutting Down the Internet

I was recently cited, among others (including Sal Stolfo and Chris Kruegel), in a Politifact article by Lukas Pleva on whether it was possible for private industry to shut down the Internet as a protection measure during some large-scale cyber attack, with or without some form of government involvement:

The article is here:
Glenn Beck Host Says Obama May Soon Be Able to Shut Down the Internet

Although the folks cited in the article generally agree that the technical capability to do such a thing exists in the private sector, the experts question either the wisdom of such a move or the probability of such an action actually occurring without some form of high-level coordination between their corporate overlords and either the military or some civilian government agency.

The question of whether the government should have its hand on an Internet Kill Switch (this phrase itself smacks of hyperbole, and may be an overreaction or misrepresentation of the actual proposed legislation) has been raised largely due to provisions in recently proposed legislation, a previous version of which this blog has commented on before. This new round of media hysteria was prompted by Joe Lieberman’s resurrection of a similar, but more measured (by some accounts) idea. Schneier recently blogged about his take on this whole controversy.

Both obvious and subtle questions exist here, including:

  1. What does “shut down” mean?
  2. How complete would this shutdown be?
  3. Is it desirable to shut down the Internet during a cyber attack?
  4. Is it technically possible to do so?
  5. Is it administratively or politically possible to do so?
  6. Do private Tier 1 ISPs need either government permission or {technical, logistical, communications} assistance to unplug?
  7. How fast can this shutdown event take place?
  8. Where should ultimate authority for such a move rest?
  9. Under what conditions do we plug back in?
  10. Are there alternatives?

We’ll try to deal with these below one at a time. Briefly, the answer depends on what type of threat it is, what “shutting down” the Internet means, and whether we distinguish between an administrative decision to shut down versus a technical action to accomplish or realize this shutdown.

Disclaimer: There are only a few folks on the planet who fully understand the subtleties of controlling BGP and interdomain routing and working with it on a daily basis; I don’t pretend to be one of them. I’ve studied the basics of Internet routing along with academic research on routing security issues, but I’m willing to take correction or feedback if I’ve gotten something wrong.

1. What Do You Mean by “Shutdown”?

This term may entail a different series of actions and events to different people. I take it to mean the termination of layer 3 (e.g., IP) connectivity and the termination of the BGP routes between major U.S. & North American ISPs and the rest of the world. Such a termination in connectivity could be accomplished in any number of ways (some of which are more realistic than others), such as (1) physically unplugging or severing border router links, cables, and fiber, (2) setting up traffic filters on border routers using their installed software (e.g., using IOS); such a step is quite similar to setting up “firewall” rules for network packet filters like BSD pf or Linux iptables/netfilter, (3) ceasing to announce BGP routes or issuing BGP route withdrawal messages, (4) setting a pack of rabid backhoes loose near network POPs and peering points.

“Shutdown” could also entail the activation of a large number of network filters looking for certain flows, content, or source addresses, networks, or routing prefixes (in the core, these are essentially the same data). These filters would have the effect of limiting traffic from flowing without completely disconnecting machinery or routing paths or implying some type of shut off or power outage.

2. How Complete Would the Shutdown Be?

There are private-sector companies (i.e., large Internet Service Providers or ISPs) that control much of the core Internet infrastructure (e.g., interdomain routing and DNS) that could shut down this infrastructure (i.e., the servers running these protocols) during some kind of global conflict. While it is true that there are a large number of ISPs, only a few really big players exist, and if they decide to terminate connectivity, this action would involve a large chunk of the network. Such an action by “US-friendly companies” would take large sections of the US and some other countries offline (the US serves as a transit network for a lot of worldwide traffic simply because many types of communications lines pass through us).

Such a shutdown would necessarily be incomplete. The Internet was designed by DARPA-funded scientists to be resilient even in the face of widespread nuclear attack. Taking the US routing infrastructure offline would still leave the rest of the world connected, and after a period of a few minutes for routers to reconfigure routes, the rest of the world would be exchanging traffic (probably more slowly, since the US contains a lot of high-speed links), but connected nonetheless (modulo some specific unreachable destinations simply due to how the physical and virtual infrastructure are connected). Many smaller regional ISPs have peering agreements and relationships that would still enable some traffic to flow, albeit more slowly (or possibly not very widely).

The bottom line is that no single company (or government) has the ability to shut off the Internet as a whole, but a small number of companies could disconnect large segments of it if they both chose and agreed to do so (which entails some administrative oversight giving permission to such a drastic change, since ISPs are paid to route traffic: no packets moving, no money).
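To make the “necessarily incomplete” argument concrete, here is an added simulation (not part of the original post) that withdraws a set of transit ASes from a constructed AS-level topology and reports which networks stay connected, which are stranded, and how path lengths grow. The topology and AS labels are hypothetical; routing policy is ignored, so this is a reachability model rather than a BGP model.

```python
"""Withdraw transit ASes from a constructed AS-level topology and measure
what connectivity survives.

The topology is constructed for illustration; the labels are hypothetical
and do not correspond to real AS numbers or operators. Links are undirected
and routing policy (customer/provider preference, valley-free paths) is
ignored: this models reachability, not BGP path selection.
"""
from collections import deque
from itertools import combinations

# Constructed sample links (as_a, as_b). US1..US3 stand in for the large
# US transit providers discussed in the post.
SAMPLE_LINKS = [
    ("US1", "US2"), ("US2", "US3"), ("US1", "US3"),   # US transit mesh
    ("US1", "EU1"), ("US2", "EU2"),                   # transatlantic links
    ("US3", "ASIA2"),                                 # transpacific link
    ("EU1", "EU2"), ("ASIA1", "ASIA2"),               # regional peering
    ("EU1", "ASIA1"),                                 # non-US intercontinental path
    ("US2", "LATAM1"), ("EU2", "LATAM1"),             # multi-homed network
    ("US1", "CARIB1"),                                # single-homed behind US transit
    ("US1", "USCUST1"), ("US2", "USCUST1"),           # US customer of US transit only
]
US_TRANSIT = {"US1", "US2", "US3"}


def build_graph(links):
    """Adjacency sets for an undirected AS graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def withdraw_ases(graph, withdrawn):
    """Copy of graph with the withdrawn ASes and every link to them removed."""
    return {n: {m for m in nbrs if m not in withdrawn}
            for n, nbrs in graph.items() if n not in withdrawn}


def hops(graph, src, dst):
    """Shortest AS-hop count from src to dst (BFS), or None if unreachable."""
    if src not in graph or dst not in graph:
        return None
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def components(graph):
    """Connected components as sets, largest first."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        comps.append(comp)
    return sorted(comps, key=len, reverse=True)


def connectivity_ratio(graph):
    """Fraction of AS pairs that can still reach each other."""
    nodes = list(graph)
    if len(nodes) < 2:
        return 0.0
    comp_of = {n: i for i, c in enumerate(components(graph)) for n in c}
    pairs = list(combinations(nodes, 2))
    connected = sum(1 for a, b in pairs if comp_of[a] == comp_of[b])
    return connected / len(pairs)


def simulate_withdrawal(links, withdrawn):
    """Withdraw the given ASes; return (surviving core, stranded ASes, ratio)."""
    after = withdraw_ases(build_graph(links), withdrawn)
    comps = components(after)
    core = comps[0]
    stranded = sorted(n for n in after if n not in core)
    return core, stranded, connectivity_ratio(after)


if __name__ == "__main__":
    before = build_graph(SAMPLE_LINKS)
    after = withdraw_ases(before, US_TRANSIT)
    core, stranded, ratio = simulate_withdrawal(SAMPLE_LINKS, US_TRANSIT)
    print("still-connected core:", sorted(core))
    print("stranded (depended solely on US transit):", stranded)
    print("pairwise connectivity after withdrawal: %.2f" % ratio)
    print("LATAM1 -> ASIA2 hops before/after:",
          hops(before, "LATAM1", "ASIA2"), hops(after, "LATAM1", "ASIA2"))
```

In the constructed topology the non-US core stays connected over the EU1–ASIA1 path (with longer routes), while the single-homed and US-only networks are stranded, which is the pattern the paragraph above describes.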

3. Do We Want to Shut Down?

I think legitimate concerns exist as to whether a shutdown provides the right response in any reasonable case. While we have been conditioned by certain software practices that a reboot or reinstall is the standard way of getting back to a known good state, terminating the global instance of BGP (or a large portion thereof) represents a risky (albeit fascinating) and uncontrolled experiment.

Also, in most cases, eliminating this infrastructure would be the absolute worst course of action system defenders could take, as it greatly reduces communications (email, VoIP, social networking) that defenders require to coordinate against a large-scale threat. Even in the most dire of circumstances (i.e., whatever movie-plot scenario one might imagine), such action really isn’t an option — there are many ways to filter or reduce certain types of traffic that would be much more effective than simply severing links.

4. Is it Technically Straightforward to Accomplish This Shutdown?

I claim that it is technically “trivial” to shut down the US part of the Internet. Private-sector companies run this infrastructure, and their network operators have the skill and knowledge to configure it. In fact, accidental misconfigurations that severely disrupt connectivity occur quite often due to simple human error; see, for example, the AS7007 incident. One need not ask the US government for technical aid in the shutdown process. This process should be as simple as pressing the right buttons — although I don’t know if these technicians actually practice such a maneuver or plan for it. Even if they do, I take it as given that they might make mistakes in the heat of the moment.

5. Is it Administratively or Politically Straightforward to Do So?

I’d say “no” and give as evidence the furor over this topic. I think that the political world tends to view the Internet as akin to any other piece of infrastructure (roads, water system, electrical grid), and I doubt that analogy provides a serviceable one. In the case of an Internet-scale attack on US information infrastructure, I don’t think that the conditions for the President to request a shutdown are clear or at all well-understood: the administration would almost certainly require private-sector analysis to inform its opinion. Furthermore, from a technical standpoint, this is the “nuclear” option, and we have no technology that tells us “how bad” a cyberattack actually is: are we being tickled with a feather, walloped by an anvil, or smacked on the backside with a plastic shovel? A misjudgment and overreaction here could be a cure much worse than the (misdiagnosed) disease.

6. Do Tier 1 ISPs Require Corporate, Political, or Military Involvement?

This answer depends on the definition of “involvement.” Much of the argument on this topic has been phrased in absolute terms: an administration would have sole command authority to issue an “Internet Kill” order. While government has not restrained itself from overreaching in the technical sphere before (see, for example, the downsides of CALEA and its invasion of the academic sphere), I doubt that political authority over the Internet would really assume this kind of authoritarian form (my personal politics make me extremely uncomfortable with this level of government control, so perhaps this is wildly optimistic thinking on my part). I don’t think that the government would either command or require ISPs to seek permission to enact large-scale filtering.

Nor do I think that ISPs would need a government whip to work together. Although ISPs compete with each other in a number of dimensions, and policy dictates the actual routing, ISPs also peer with each other and cooperate on a range of issues.

I don’t think that the ISPs need government assistance in terms of logistics; there is no need for the government to setup a hotline, website, or working groups, committees, panels, etc. to help ISPs talk with each other during such an emergency. Such communication could happen over the channels that ISPs already have established (some of these are informal contacts such as network operators sharing cell phone information) for Internet-scale emergencies (these happen regularly due to simple misconfiguration or failure of physical infrastructure).

In fact, the relationship is almost exactly the other way around: government requires industry assistance in terms of information, data, and analysis in case of such an event.

I do, however, concur that some part of the government would want to be in the decision loop for taking such a drastic step. They may not actually give the go-ahead or command that it be done, but I suspect that they’d want veto power or at least a warning that the business community was about to do this. This organ might be DHS, DOD, DNI, Interior, Commerce, NSA, or some other agency…I doubt the government has a coordinated plan or point of contact for such events (which I suspect was the intent behind the relevant clauses in the Rockefeller-Snowe bill to enable the executive branch to make such a call). I see this legislative attempt as a symptom of a government/administration that is on the verge of “getting it” in terms of the importance of critical information infrastructure, even if the expression of this awareness is to introduce clarity in the form of additional executive branch power over private commerce.

7. How Fast Could the Shutdown Take Place?

Network operators — the actual technicians in charge of routers and other network equipment — are a small, fairly tight-knit community. Even though these engineers work for many different companies, they (at least those working for the major players or Tier 1 ISPs) know each other quite well, and NANOG holds regular meetings. Informal cooperation happens all the time. I expect that in an Internet-scale emergency (as there have been in the past), this community would be in touch with each other quite quickly: so it is conceivable that they could coordinate a response to a major event and terminate basic connectivity within a matter of hours or minutes. Such a move would probably require some cooperation and coordination from both the political/military world as well as corporate approval. I assume that some minimal coordination happens before admins start typing at keyboards…but in a flat-out emergency, shutting off network interfaces can be accomplished very quickly.

Once either corporate leaders (alone or in consultation with civilian or military leaders) reach a decision, the technical difficulty of shutting down routers and other networking equipment can be accomplished within a few minutes. The bulk of any delay in reducing connectivity almost certainly rests in the human and policy decisions necessary to give the green light to such activity. I suspect that Tier 1 ISPs have some business process (independent of government regulation or cooperation) that requires VP or Director-level permission to execute such an action.

8. Where Should Ultimate Authority for Such a Move Rest?

This is the whole point, isn’t it? The answer depends on your politics. From a technical perspective, this is the difference between “policy” and “mechanism.” The mechanism is in place and sits almost entirely in private hands. The policy is distributed across the private and public sector, and I’m willing to believe that factions exist in both spheres that respectively (1) want and (2) abhor the responsibility for making such a call.

9. Under What Conditions Do We Plug Back In?

I see this question as more important than the others. Pulling the plug is a decision made under a certain set of circumstances and with a certain set of criteria in mind; have the politicians planned for when it will again be “safe” to plug back into the Internet? How will they know for sure? Do they realize that the Internet is already a very loud and risky battleground, and that we run this risk every day? Should all commerce, community, and information exchange grind to a halt simply because a few politicians and White House advisors got a bit nervous during a particularly loud cyberattack? Can the US financial markets and other information infrastructure be offline for extended periods of time?

This question highlights how (from a technical perspective) the issue of an Internet kill switch (either public or private) seems a bit nonsensical: it is overkill and almost certainly something likely to be used in a knee-jerk fashion with no thought for the recovery complexity. There is probably a good analogy to be made here that illustrates the self-defeating futility of disconnection, but I can’t think of one at the moment.

10. What Are the Alternatives?

The deployment of “reasonable” alternative defenses or reactions differs based on what type of attack we have to consider. Companies (including large ISPs, but also your “average” Fortune 500) have a variety of other internal defense mechanisms against cyberattack (coordinated or otherwise), but the efficacy of these mechanisms varies widely, and the effect is almost always local or limited to their own network infrastructure.

More Resources

For understanding interdomain routing, a good place to start is Tim Griffin’s page. You can move on to JI’s Fall 2002 Internet Routing course at Columbia and then Radia Perlman’s Interconnections book.

The company Renesys also provides deep, wide analysis of Internet-scale phenomena and conditions. At least in the public world, they have no serious competitor.

[Updated 15 July to point to Schneier's blog post. -Ed.]


Is Linux a Target?

This recent article about a 3rd-party Trojan’d piece of software for Linux is a bit sensationalist.

If a user purposely installs software of uncertain provenance (STONESOUP anyone?), it doesn’t matter what operating system lurks underneath. Does anyone know of an OS that refuses to execute an application the user commands it to install and execute?

I don’t think the community has found an effective sandboxing technique that provides both precision and accuracy in constraining arbitrary software (i.e., no technique that I know of automatically ascertains what the valid limits of the software should be within the constraints of security policy and user needs).

And it definitely should not be news that Linux is (and has been for a while) a target.


Spaf on Transforming Cybersecurity Education

Spaf has a working document on two specific, concrete initiatives for radically improving our national approach to cybersecurity research and education:


Two Proposals on Cyber Security Research
(revision 3 at http://transfer.spaf.us/is-prop.pdf)

Specifically, these proposals are:

  1. create a significant amount of funding for initializing and maintaining cybersecurity infrastructure for both research and teaching labs
  2. create an award (similar to MacArthur “genius grants”) of significant size and prestige for supporting blue sky research by promising faculty in cybersecurity

Also of interest is his blog post on “Having an Impact on Cybersecurity Education”, which says in part:

Of course, it is also a little frustrating, because we could have done more, and more needs to be done. However, the approaches we have used (and are interested in trying next) never fit into any agency BAA. Thus, we have (almost) never been able to get grant support for our educational efforts. And, in many cases, the effort, overhead and delays in the application processes aren’t worth the funding that is available. (The same is true of many of our research and outreach activities, but that is a topic for another time.)

We make similar observations and recommendations in our upcoming CACM Viewpoints essay on producing a cybersecurity workforce out of thin air. Funding for teaching activities is largely looked down on in the research community because you can’t possibly be doing anything innovative in terms of relaying material or creating exercises or infrastructure – right? (End sarcasm.)

[Thanks to T. Candon who spotted Spaf's blog post -Ed.]


Cyberwar and Non-military Cyber Engagement

Is cyberwar a foregone addition to any future kinetic conflicts (a fancy phrase meaning traditional warfare with troops, bullets, tanks, and bombs)? According to one analysis from James Andrew Lewis at the Center for Strategic and International Studies, cyber war just doesn’t make sense, since the risks of retaliation and retribution are simply too great:

http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf

Lewis says, in part, “Even in a conflict – with China over Taiwan or Russia over Georgia – our opponents would be constrained in launching some kinds of cyber attack.”

I don’t find this statement well justified. If the nation is already engaged in “kinetic” war with the U.S., why hold back? Lewis says for fear of retribution:

Moving from deployed forces in theater to civilian targets in the homeland risks unmanageable escalation. These risks and uncertainties create implicit thresholds in cyber conflict that nations have so far observed. Just as with missiles and aircraft, our nation-state opponents have the ability to strike the United States using cyber attacks, but they have chosen not to do so because of the risk of retaliation.

but were I in charge of a nation at war with a superpower, I would hit as hard and as often as possible — and that includes both military and civilian cyber-infrastructure and critical information infrastructure, particularly since the US has a heavy economic and “quality of life” dependence on this technology.

I suppose it depends on the goal of the opponent in launching a conflict. But in any serious kinetic war with a reasonably powerful adversary (i.e., one that has a chance at winning some aspect of the conflict), why would the engagement stay limited?

The Lewis article does make a good point about the need for agreed-on norms and more clearly defined penalties and sanctions for cyber activity (such as economic espionage or other cybercrime). Understanding the needs and creating relationships with potential opponents is probably a useful activity.

As Larry Wortzel pointed out in 2006 (“Risks and Opportunities of a Rising China”), nations like China and the US require a shared agreement on cyber-security activities, but bridging the cultural and political gaps here may prove quite difficult.

On March 24, DarkReading had this article:

Legislators Propose International Cybercrime Cooperation Laws — With Teeth

which begins: “Two U.S. senators today proposed new legislation that would require the U.S. government to monitor the cybercrime posture of other countries and deliver assistance — or sanctions — to those countries based on the findings.”

[Ed. Updated 24 March with link to DarkReading article]


DHS Hiring Spree

The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:

http://www.dhs.gov/xabout/careers/cyberjobfair

They are looking to fill these types of roles:

  • Cyber Incident Response
  • Vulnerability Detection and Assessment
  • Networks and Systems Engineering
  • Cyber Risk and Strategic Analysis
  • Intelligence and Investigation

I’m glad that this amount of hiring is happening, but I’m still unconvinced that this will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. I’m guessing 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. students — those who can gradually obtain cybersecurity skills over the course of their govt. careers. And that’s not necessarily a bad thing, except that in three years, the US cybersecurity defense posture and capabilities won’t be measurably improved.

One thousand extra people does not translate directly into an improvement — not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happen, the complexity of real systems software increases, new technologies come on line, etc. Most of the roles that DHS is seeking seem to be more on the strategy end of things rather than the tactics or operational side of the house — and I see that as a good thing, but it’s easy to misuse a sudden influx of manpower on the tactical side, even if they’re initially meant to have a strategic, forward-looking focus.


Deriving Intent From Biometrics

Biometrics as a measure of intent dates at least to the polygraph. Humans often do have physical reactions to stress, but does this kind of system employed as a filter for further screening really buy us much safety?

In the name of finding terrorists before they board an airplane, the TSA has adopted a number of “advanced” personal profiling methods: essentially, agents looking for tells, signs of nervousness, or other vague symptoms that may or may not be harbingers of doom.

There are of course many innocent explanations for a nervous manner, sweaty shirt or face, irritated look, twitchy fingers, etc. They include people just having had arguments with their friend or spouse, hurrying to catch a flight, getting caught in traffic on the way to the airport, being recently fired, being nervous about a first flight, having a sweating problem by nature, or hurriedly typing an emotional blog entry or Facebook post into their cell phone.

The TSA apparently believes so much in this approach that they want to scale it up. And the only way to do that is to make a computer do the scanning for you. CNN had this article on October 6th: “Will Airports Screen for Body Signals? Researchers Hope So.”

I like the title, because it’s likely that only the researchers getting paid to conduct this work are hopeful that it will get adopted. There is a really nice quote from the article:

“I haven’t seen any research that shows that those measures from the autonomic nervous system … measuring blood pressure, measuring breathing, measuring heat on the face, are at all related to intent,” said Stephen Fienberg, professor of statistics and social sciences at Carnegie Mellon University.

Spot on! Identity doesn’t measure intent, and neither do your biometrics, if just for the plain fact that your individual heat signature, heart rate, etc. are exactly that: an individual signature about which the population statistics have nothing to say and no predictive power. Forensic psychology researchers involved in creating risk assessment measures (e.g., for criminal recidivism rates) argue about whether such measures can actually predict an individual’s behavior, since the rates of a population don’t determine what an individual released on parole and able to exercise free will (and subject to both the social support and temptations of the outside world) might actually do. For example, measures like the HCR-20 are instruments for assessing the risk of violence, but mainly within the context of ongoing psychotherapy sessions in a doctor-patient relationship.

Now, as a researcher who routinely solicits money from Federal agencies to support my work, I understand that the scientists involved in trying to create this technology will have some reasonable claims about its limitations and shortcomings. They’ll have a justification for why it will work well, and they may even have made a few fundamental breakthroughs in terms of gathering data from dark or dimly lit faces, bad angles, and the like. Unfortunately, they are also likely to have adopted the beliefs of their funding agency: that this type of profiling works to pick out those engaged in illegal activities or those intent on causing harm to air or rail passengers.

I’d like to see this system made to work from high up above Grand Central Station’s main floor, or in a high school auditorium, a supermarket, a sports venue, or a crowded student center. These are dynamic, real environments, not controlled lab conditions where the subject peers directly into the camera in good lighting.

All that aside, however, this view stunned me:

Civil liberties groups maintain this screening technology is an invasion of privacy. “Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar,” said Joe Stanley of the ACLU.

[Project manager Robert] Burns denied the project is a violation of privacy. “We’re looking at signals you give off naturally. We’re not asking for any personal information. We’re not asking anything about you,” he said.

Burns is entirely correct — they are not asking anything about you: they are taking it forcefully from under your nose without permission. Earlier in the article, Burns states that “We’re looking for those signals that your body gives off naturally.” The problem is that technology is allowing government workers to do something that they didn’t have the power to do before. These properties are subtle and not detectable by the human eye when scanning a large crowd: heart rate, body temperature, perspiration under clothing, eye movement, etc.

Although your body does display these properties, it does not advertise them on a billboard: there is no neon sign with your heart rate plastered to your forehead. Why should government agents have the power to effectively augment their five senses to know your physical condition perhaps more intimately than you know it yourself?


Demand for a Cybersecurity Workforce

This recent Washington Post article highlights the competition between DHS and NSA in their publicly stated goals of hiring 1000 to 3000 new cybersecurity professionals per year over the next few years.

I find it extremely doubtful that this level of expertise even exists. The sum total of “real” cybersecurity expertise (in terms of deep technical knowledge and strategic foresight) is probably only on the order of 1000 people worldwide. Yes, there are many people who are operational security experts (meaning that they stare at screenfuls of log entries and pretty pictures of network traces flying by), but there are very few who actually understand the internal workings of systems, the properties that lead to weaknesses and vulnerabilities, and how to manipulate real systems, hardware, networks, and program execution in order to install malware or subvert system control.

Without a commitment to educating such a workforce, it is impossible to hire such a workforce into existence. And as Gene Spafford notes, the NSA CAE (Centers of Academic Excellence in Information Assurance) program isn’t really effective in this regard (nor, might I add, is the NSF Scholarship for Service program, at least at producing the sheer volume of needed workers).
