SECURITY THEATER

 


Security Theater is the practice of implementing superficial measures that create an atmosphere of high security without necessarily ensuring actual safety (Fitzgibbons, 2019). A security policy is a document that expresses at a high level what security protections are to achieve and can typically be compiled onto one page or less (Anderson, 2020). Political language is designed to make lies sound truthful and murder respectable (Orwell, 2021). Political language is often used in a security policy, where the security goals are agreed upon by the entire organization. Keeping these security goals vague makes sure that all affected parties agree on the content. The more detailed protection mechanisms, which provide specific implementations and show how they relate to a list of control objectives, are laid out in the Security Target document (Anderson, 2020).

Security Theater is often practiced to provide a vague idea of security implementation and not give away key security details. For example, software security companies sometimes brag about their customers online. They tend to think that if they name some of their more respected customers, like the US Department of Energy, the US Military, and others, new customers will see them as a safe and trusted company and be more inclined to give them their business. However, this could have a negative impact on their current customers. For example, if the software company SolarWinds did this, when they were recently hacked, it would give the hackers a pretty good list of high-value targets to go after. This is an example of why it is important in the security realm to remain vague about customers, software, security measures, capabilities, etc.

All of us have been victims of someone, somewhere, playing Security Theater. Some of these scenarios include security guards who have unloaded weapons, fake security cameras, building access that is granted via identification badges, and even computer systems that hide their system features to make them seem less vulnerable to attacks (Fitzgibbons, 2019). A decade ago, when I was working as a biometric engineer in Iraq, we gave the US soldiers and Iraqi Kurdish security guards handheld biometric scanners to use on people attempting to enter the military base. A military order was issued to make sure these devices were being used on everyone entering American military bases. My job was to train the soldiers and Iraqi guards how to use these devices. I would also make sure these devices were charged at all times, fully functioning, and collecting the expected amount of daily biometric scans. I quickly realized they were not scanning very many people entering the base. When I investigated why this was, the Kurds said, “Why would I scan my brothers, cousins, uncles, friends I grew up with, etc.?” The American soldiers said they weren’t using the biometric scanners because they didn’t want to offend the personnel entering the base. This is an example of Security Theater: hoping that the sheer presence of these biometric scanners would deter anyone from trying to illegally enter the base. This absolutely provides a false sense of security, but it may also deter attackers by simply making the base seem to be a tougher target than it really is.

References

Anderson, R. (2020). Security Engineering (3rd Edition). Wiley Professional Development (P&T). https://coloradotech.vitalsource.com/books/9781119642817

Fitzgibbons, L. (2019, April 15). What is security theater? - definition from whatis.com. WhatIs.com. Retrieved March 4, 2022, from https://whatis.techtarget.com/definition/security-theater

Orwell, G. (2021, August 27). Politics and the English language. The Orwell Foundation. Retrieved March 4, 2022, from https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/
