Again last week, a gunman opened fire upon a crowd of people, this time in an airport. You probably heard about it. He had flown in from Alaska. He had checked his luggage, which had a gun in it. Upon retrieving his luggage, he removed the gun and began firing. Several people died, more more wounded.
I was a bit surprised that he could have done this because I didn’t realize that it was possible to ship guns in luggage that you could retrieve upon landing. I then wondered if the powers that be would now pass regulations that forbid the transport of weapons in any luggage. But then, even if they were to do that, there are other kinds of weapons such a person could use, and someone could also cause harm without any weapons.
Later, I realized that, since the baggage area is outside the security zone, this could happen another way. Anybody could drive up to the drop-off or pick-up area with a weapon, enter the building, and begin shooting. That could take place outside, in the baggage or ticketing areas, or anywhere that is accessible without passing through the security screening centers.
To prevent that, one would have to have to have security at every entrance. Can you imagine everybody that arrives on airport property going through security scanning? The cost would be tremendous, the delays would be outrageous. The flow of movement would be severely restricted. Who would pay for all that? We would, of course, through taxes and/or higher ticket prices, or access fees to enter airport property.
Even that wouldn’t prevent problems. Weapons that don’t show up on security scanners would still get through. Items that are allowed, like ball-point pens would be allowed through. A pen or pencil could be a weapon, although that would be more of a close range attack and would be against one victim at a time, even if it affected many people in succession. And someone trained in combat skills (the perpetrator in this instance was trained in combat skills) could do a lot of damage without a weapon.
So, do we begin to treat airports like federal buildings? We screen for weapons at federal courthouses and at the social security office. However, we don’t do that kind of screening at pseudo-government offices like post offices. Should we?
Some might say we should. But the cost alone would be enormous, to say nothing of the negative impact upon our access to the services we need (buying stamps, mailing packages…. or flying to our destination).
What about when we go to the grocery store or the mall. Should we be required to go through a security screening post when we go to buy milk? Or gas? Or when we walk into a bookstore, or when we buy a gift for a baby shower?
Maybe we should put law enforcement on every block and screen people who are out walking their dog? That way, we would be safer! At least the 80 year-old who is trying to maintain their mobility by walking around the block can’t gun us down. Maybe we need to screen all the cars turning onto our street so they can’t execute a drive-by shooting.
Am I getting carried away?
My point is that we can’t prevent bad things like this from happening, much as we might like to. If we try to enforce safety to the maximum extent possible, we would end up in a world that few of us would want. Novels have been written about that: 1984; Brave New World; and more recently, the Divergent trilogy. Even in those novels, there were people that didn’t conform and actions were necessary to prevent their “unlawful activity.” Even if we did have such a world, there would still be incidents! But the consequences of trying to achieve that “safety” would destroy our freedom.
One thing I know is that we can’t regulate the world into a place where these kinds of incidents CANNOT happen. I’m not saying we shouldn’t do anything. But we do seem to like making rules without considering the less obvious consequences, and we often don’t like the consequences. Even then, when we do make rules, incidents still happen. They will as long as people get angry and act on that anger, as long as people are greedy, and even when people just feel threatened. We can work on learning to behave better, but even if EVERYBODY went through training programs to improve their behavior, we would still have problems.
Let’s apply this to online security. I hope I’ve made my point that we can’t prevent bad incidents from occurring in the real world. We can’t prevent bad incidents in the cyber world either.
When we hear about a virus or some other malware that is attacking computers, we think we need some reliable way to stop it.
When we hear about a hacker, we think we need to catch them and lock them up.
When we hear about a breach of personal information, we want that company held accountable.
Here’s my message: We can’t stop these things from happening.
To do so, the world we would create would be one we wouldn’t accept.
Imagine a world where:
* You can no longer post pictures online because they could contain malware or could contain “information” that should not be published
* You can no longer share videos
* Web sites are just text, like a college textbook without pictures
* Your computer no longer goes to many of the web sites you like to go to; those sites are blocked because someone could use that site to attack you. (No more CNN, no more weather, no more Facebook, Pinterest, etc.)
* Your e-mails are returned undeliverable and the e-mail from your friends doesn’t reach you (because someone else who uses the same service as your friends: hotmail, gmail, etc., broke the rules and sent bad e-mails and now that e-mail provider is blacklisted)
And the list could go on and on.
We can’t prevent the things we don’t want unless we make it impossible to do the things we do want.
Regulation won’t solve the problem. Regulation has the following results:
* The worst offenders will ignore the regulations.
* In many cases, regulations make it harder for honest people to operate. (That’s one of the reasons I don’t currently allow comments on my blog. If someone were to make a “bad” comment, to protect myself from liability I have to meet the requirements of regulations. Those regulations have financial and filing requirements, in addition to the measures that I would naturally take without any regulations.)
* Regulation can’t stop attacks and breaches. It can only provide an incentive to people to do something about them.
Most companies would love to do something about them. However, a checklist of steps to take won’t assure you won’t be attacked or have customer data stolen. A checklist can help, but attacks will still be successful and data breaches will still occur. Trying to solve the problem by rules and regulations would be like making it illegal for you to ever make a mistake about anything:
New Federal Law: “From now on, you aren’t allowed to forget things and you aren’t allowed to make mistakes. Penalites for violation: $1000 fine per occurrence; imprisonment after three strikes.”
Most people would love to stop forgetting things and making mistakes. It’s just not possible. Solving security problems is much like trying to prevent mistakes or natural disasters.
The real solution is to:
* Take appropriate measures to make it harder for those bad things to occur
* Learn the warning signs and respond to them, which might keep us out of the line of fire when they occur
* Realize that bad things will still occur despite all efforts
* Have plans of what to do if we do find ourselves in a problem situation and what to do to reduce the damage if something bad does happen (e.g., wear bulletproof vests for an active shooter scenario; have data backups in case of a ransomware attack)
We may have limited options in an active shooter situation. We have better chances of preparation for a cyber scenario.
Doing these things won’t prevent bad things from happening. What it can do is reduce the frequency of occurrences, and reduce the severity of the impact when they do occur.