For want of a single ethernet card, an airport was lost ...


LAX outage is blamed on a single computer - Los Angeles Times | WIRED

Wow, one little article, sooo much FUD. This quote really takes the cake:

(((Nothing like that *so far,* that is. But why not dwell on the notion that terrorists can remotely transform the US Customs Service into a weapon against innocent travellers?)))

Oh noes! The terrerists can kill all the airports by installing dodgy network cards in a machine!

They don't even have to touch the hardware. :-)

- ferg

Did you see what the GAO found when they audited the US-VISIT network?
The summary is at
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202260.html?hpid=sec-nation;
the full report is at http://www.gao.gov/new.items/d07870.pdf

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

As usual with security, it's a tradeoff between goals, threat models,
economics, and competence.

While the goals of the system, as identified by the GAO, include a brief phrase about "facilitate legitimate travel and trade", the rest of the report appears to entirely ignore it. It focuses on attackers, and bad guys trying to get in, and the closest the report gets to anything about reliability or business continuity is a bit about preventing attackers from carrying out denial of service attacks. Given the ability of one bad network card to take down the network, and given a set of operational plans that keeps incoming international travelers confined to their airplanes for hours at an airport the size of LAX, which handles a lot of connections between international and domestic or other international flights, it appears that the designers of both the technical and operational sides are also ignoring the goal of facilitating legitimate travel and trade.

I can't say I'm surprised, either. While treating travellers well
probably won't be one of their goals until there's a major change in
government philosophy, perhaps they can improve service by
anthropomorphizing those evil terrorists named "Father Time",
"Murphy", "Router Bugs", and "Bubba the Backhoe Driver". Certainly
the operational side didn't have processes for supporting travellers
with reasonable-looking papers in the event of a computer failure.

About two decades ago there was a network failure that took out all three New York City area airports, caused by one guy with wire cutters who was in the wrong manhole in Newark. If the FAA had a set of dial backup modems at each of the airports, they could have worked around it, but they believed strongly that the shared civilian infrastructure wasn't reliable enough and they needed to have dedicated systems just for air traffic control.

Thus spake "Bill Stewart" <nonobvious@gmail.com>

While the goals of the system, as identified by the GAO, include a brief phrase about "facilitate legitimate travel and trade", the rest of the report appears to entirely ignore it.
... it appears that the designers of both the technical and operational sides are also ignoring the goal of facilitating legitimate travel and trade.
... Certainly the operational side didn't have processes for supporting travellers with reasonable-looking papers in the event of a computer failure.

The problem is that if you have a second path of entry with lesser security protocols, attackers will find a way to get themselves onto that path. For instance, imagine the terrorists have papers that look legit but they know won't pass computer cross-references; any time they want to come in, they would just disrupt the computer network and force the agents to rely on the papers alone. That's why people get stuck on the runways waiting for the computers to come back up.

Such secondary procedures are okay in the banking world, where you can back out transactions that an audit reveals are fraudulent after the fact. The same does not apply to letting persons across a border where you can't retroactively deny them entry after they've killed a bunch of people (and, most likely, martyred themselves). It's the same problem with voting systems, actually: the anonymity requirements mean all security hinges on making sure only authorized people vote, and only once at that; you can't back out fraudulent votes after they're cast, which is why all of the attacks are on the authorization system and being undetected in an audit doesn't matter.

S

Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking

So what happens when the attack changes from trying to harm/kill people
to disrupting daily life in general? If the attackers (who may or may
not be terrorists, whatever that means) can disrupt our networks
whenever they want why isn't that a bigger problem than the fact they
might slip a few people in?

Remember, almost all of the 9/11 hijackers came into this country
legitimately and had verifiable (if not legit) ID.

To bring this back into the sea of on-topicness, I invite you to
remember the early 90s, when the biggest security problem a network
operator had to face was compromised machines. Everyone "knew" that
this was the only real aspect to computer security, and the fact that
some sites could cram (a lot) more data down a pipe than others was
known, but only crackpots thought it was a problem.

Then a little tool called smurf was released, and the game changed. It
opened our eyes to the fact that not all security problems involve
illegitimate access. We realized that a Denial of Service attack was
just as bad, sometimes even worse, than a system compromise.

This same period gave rise to other tools that became the bane of
network operators and irc users everywhere. Pepsi, winnuke, sping, jolt.
These tools didn't do anything to help the user gain access to a system,
but they allowed the user to cause just as much trouble. How many of you
who were working in any capacity then can honestly say you never spent
hours calling upstream providers to get a flow of packets stopped?

At some point our networks have to remain useful. If they can be shut
down for hours or days at a time are they really secure?

-Zach

The first question to ask in designing something is what you're trying to accomplish.

This is a mailing list of network operators, meaning that most of us are in the business of forwarding packets, or otherwise seeing that packets get forwarded. It matters very little what those packets are, as long as they get where they're supposed to go. If our networks stop forwarding packets, we've got a problem.

Compare that to somebody designing a bank vault. They've still got to be able to get things in and out, but their most important priority is that stuff that's supposed to stay in the vault stays in the vault. If somebody legitimate can't get the vault open that's annoying, but it's nowhere near the level of problem they'd have if the vault turned out to be openable by somebody who wasn't supposed to open it.

The question for the designers of immigration systems, then, is whether they're designing something like the Internet, intended to forward people through efficiently, or something like a bank vault, intended to keep people out. If the former, they'd presumably want to default to being open in the event of a failure. If the latter, they'd want to default to being closed in the event of a failure. If their goals are somewhere in the middle, it becomes a matter of weighing the costs of the two failure modes and deciding which one will do less damage. But at that point, it becomes a political question, not an engineering question and certainly not a network operations question, so it's beyond the scope of the NANOG list.
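The fail-open versus fail-closed choice described in this post, together with Stephen Sprunk's earlier point that a weaker secondary path is the one that gets used during an outage, can be made concrete with a small model. This is an added Python example written for this thread, not code from any poster or from any real border system; the Gate class, the FailurePolicy enum, the traveller names and the watchlist are all constructed. The audit log it keeps is the one thing that survives either policy: it records who was admitted on papers alone while the backend was down, which is exactly the population a fail-open gate cannot retroactively un-admit.

```python
"""Toy admission gate modelling the fail-open / fail-closed choice.

Constructed illustration; traveller names and the watchlist are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class FailurePolicy(Enum):
    """What the gate does when the cross-reference backend is unreachable."""
    FAIL_OPEN = "open"      # keep people moving (the packet-forwarding mindset)
    FAIL_CLOSED = "closed"  # hold everyone until the check can be made (the vault mindset)


class BackendUnavailable(Exception):
    """Raised when the cross-reference database cannot be queried."""


@dataclass
class Traveller:
    name: str
    papers_look_valid: bool  # what an agent can judge without the computer


@dataclass
class Gate:
    policy: FailurePolicy
    watchlist: frozenset  # constructed stand-in for the cross-reference data
    backend_up: bool = True
    audit: list = field(default_factory=list)

    def cross_reference(self, traveller: Traveller) -> bool:
        """True if the backend clears the traveller; raises during an outage."""
        if not self.backend_up:
            raise BackendUnavailable("cross-reference database unreachable")
        return traveller.name not in self.watchlist

    def admit(self, traveller: Traveller) -> str:
        """Return 'admit', 'deny' or 'hold' and record an audit entry.

        Each entry notes whether the decision was made in degraded mode, so a
        later review can list everyone admitted on papers alone.
        """
        if not traveller.papers_look_valid:
            decision, degraded = "deny", False
        else:
            try:
                cleared = self.cross_reference(traveller)
                decision, degraded = ("admit" if cleared else "deny"), False
            except BackendUnavailable:
                degraded = True
                decision = "admit" if self.policy is FailurePolicy.FAIL_OPEN else "hold"
        self.audit.append({"name": traveller.name, "decision": decision,
                           "degraded": degraded, "policy": self.policy.value})
        return decision


def admitted_without_check(gate: Gate) -> list:
    """Names admitted while the backend was down: irreversible under fail-open."""
    return [e["name"] for e in gate.audit
            if e["decision"] == "admit" and e["degraded"]]


def run_scenario(policy: FailurePolicy) -> dict:
    """Constructed scenario: one ordinary traveller and one listed traveller
    whose papers look fine, processed with the backend up and then down."""
    gate = Gate(policy=policy, watchlist=frozenset({"listed-person"}))
    ordinary = Traveller("ordinary-person", papers_look_valid=True)
    listed = Traveller("listed-person", papers_look_valid=True)

    up = (gate.admit(ordinary), gate.admit(listed))
    gate.backend_up = False
    down = (gate.admit(ordinary), gate.admit(listed))
    return {"backend_up": up, "backend_down": down,
            "admitted_without_check": admitted_without_check(gate)}


if __name__ == "__main__":
    for policy in FailurePolicy:
        print(policy.value, run_scenario(policy))
```

Run stand-alone it prints both scenarios: with the backend up the policies behave identically, and the difference appears only during the outage, where fail-open admits the listed traveller on papers alone and fail-closed holds both travellers on the tarmac. Which of those outcomes costs more is the weighing the post describes; the model only makes the two failure modes visible and leaves a record of the degraded-mode admissions.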

-Steve

Steven M. Bellovin wrote: