Saturday, October 13, 2012

Security Technology Never Enough

Security technology alone rarely suffices to defeat every threat, for the same reason that unconsidered infusions of more guards or more money won’t work either. The challenge is too great to dismiss with an easy solution. Besides, the threat usually strikes with some element of surprise. And the more serious the adversary, the greater the attacker’s reliance on surprise to assure victory over defenses.

Like other countermeasures, security technology struggles to keep pace with surprise – no matter how valiant the deployment of its most advanced capabilities. The best defensive technology shares this quality with the worst threat: both are always in beta. They adapt and keep getting better.

Here is a typical sequence. An intrusion alarm proves vulnerable to malfunctioning in wind or rain, so a crafty intruder times strikes to coincide with foul weather, or causes so many nuisance alarms attributable to weather that defenders shunt them all and leave a hole in their defenses. Technology vendors look inward to counter this tactic, hence the addition of secondary sensors. Now, instead of the alarm activating upon detecting a windblown tumbleweed, an additional sensor – say an infrared detector of body heat – must trip in tandem with the original motion sensor before the system annunciates an intrusion alarm. Consequently, an adaptive intruder figures out how to mask heat signature or how to introduce field animals into the protected area to create more nuisance alarms, and the technology contest of thrust and parry goes on and on. Innovation from the defender camp spawns innovation from the aggressor camp, and vice versa.

To the technology aficionado, this soon becomes an ongoing contest in which irresistible temptation leads to a narrow view, one that defines success in terms of finding and installing the latest security technology faster than adversaries can defeat it. Reality, however, outpaces this approach and reveals it as the illusion that burdens any utopian quest.

One day the sophisticated, costly security system designed to thwart an evil genius ends up compromised by a staggering drunk who stumbles undetected into the protected area to relieve himself. Humiliation ensues. Tempers flare. How could this happen? Next comes a media frenzy accompanied by executive efforts to point the accusing finger of blame. Should the security technology be scrapped and its adherents held to public scorn? Not at all. Why not?

The shortfall is likely less the fault of the technology than of failures in integrating security devices into a larger security program that the organization’s employees and management actively support. Perhaps a sensor did fail, but it is more common for failure analysis to uncover other, systemic deficiencies.

For example, one vendor may have had a contract to install intrusion alarms while a separate provider – or even in-house staff – had responsibility for supplying surveillance cameras that functioned independently of the intrusion detection system. Result? Rather than working together seamlessly to cause a camera to home in automatically on the area under suspicion at the first activation of an intrusion sensor, the protocol in place calls for a camera operator to manually point the camera in the direction of the suspected penetration. This loses valuable detection time.

Alternatively, the security technology budget ended up paying for so many cameras that no one thought to reserve enough money for a security control room or state-of-the-art monitoring facility. Thus, the image from that alarm point went to a small monitor competing to display images from all the 200 or so other surveillance cameras on site. To make matters worse, an always-beeping alarm panel may have so desensitized the person monitoring this activity that he or she must reflexively shunt alarms before investigating them – just to curb ambient noise and to permit concentration. Worse still, budget economies may have resulted in having this security function performed by a system operator or network administrator as an additional duty that takes lower priority than core business. Thus, if the operator had to make a critical flow change or load shift at the same time as the intrusion alarm went off, the latter would have a lesser claim on attention. After all, the operational demands of the core business have to come first. Otherwise, it makes no justifiable sense to give priority to securing an operation whose core needs one may have just neglected to the point of causing more damage than an attack would inflict.

More commonly still, there is often a poor balance between security technology and effective staffing to make the most of the technological dividends. Who is watching the alarms and surveillance cameras? Are they properly trained? Do they have clearly assigned roles? Or do so many people have the capability to view such feeds remotely that no one has responsibility for doing so on a regular basis? Regardless of the training and vigilance of the assigned staff, is the assignment of the job such that one lone individual has to monitor all cameras and alarms for an entire work shift? Such deployments are distressingly common and equally misguided.

A study of control rooms by the Government Accountability Office noted that the most that the average mortal can devote to monitoring such things as surveillance cameras without missing significant activity is not an entire work shift but 20 minutes. The job is at once “boring and mesmerizing” [Source: Keith A. Rhodes, Chief Technologist, National Preparedness: Technologies to Secure Public Buildings, Testimony Before the Subcommittee on Technology and Procurement Policy, Committee on Government Reform, House of Representatives, Washington DC, GAO-020687T, April 25, 2002, p. 65].

Informed security operations address the foregoing vulnerability by rotating monitoring duties between employees several times during a shift. Many aren’t informed.

Systemic security failures are seldom the sole fault of technology. There tend to be contributing factors. Look for flawed integration of technology, staffing, and resources as likely culprits, even if they are unwitting contributors to a debacle. Don't blame technology for implementation failures.

-- Nick Catrantzos