Roger Johnston spends his workday thinking like a criminal.
He isn’t one, of course. As the head of the Vulnerability Assessment Team at Argonne National Laboratory, it’s Johnston’s job to play bad guy and hack into areas and things deemed “secure.”
Once he cracks it — and he usually does — he spends the rest of the day retracing his steps to figure out what happened.
I spoke to him about the dangers that technological progress brings to security, from electronic voting machines to global positioning satellites.
SmartPlanet: How concerned should we be about the vulnerabilities found in voting machines?
RJ: I’m very concerned for states with no voter-verified paper record, less so for other states. A VVPR isn’t an absolute guarantee of election integrity, but it complicates things for would-be vote tamperers, and makes audits and recounts more believable.
Internet voting would be totally crazy at this point in our understanding of security.
SmartPlanet: What about GPS?
RJ: I’m real concerned about the possibility of crashing national networks for utilities, telecommunications and computers.
I am less concerned for spoofing GPS to tamper with financial transactions, GPS cargo tracking, or security video time stamps, but these things are still of concern. If GPS is used more for nuclear shipments, however, that could become quite scary. DoD’s possible changes to GPS in 2013 may help.
SmartPlanet: So then what about other security devices?
RJ: Most access control devices, biometrics, electronic locks, tamper-indicating seals and product anti-counterfeiting tags are designed quite poorly. Many have no significant security built-in. That is pretty scary and ridiculous because these things are protecting important assets.
Selling a security product with little or no security is outrageous.
DHS’s lack of interest in better tamper-indicating cargo seals is particularly disturbing, as is the presence of significant amounts of “security theater” in nuclear safeguards. “Security theater” is fake security for show that doesn’t provide much real security, but sounds reasonable to bureaucrats.
SmartPlanet: What do you mean real security is thinking how bad guys think? Is this because there are more vulnerabilities than we know about?
RJ: There are always more vulnerabilities than we or the bad guys will ever figure out. They just seem to go on endlessly. The best we can do is hope we figure out the ones the bad guys will figure out and be able to exploit before they do, and then beat them to the punch with countermeasures, which are often pretty simple and inexpensive once you understand the vulnerability.
Security has to involve thinking proactively about how the bad guys will attack, not just being reactive or setting up generic barriers in hopes they will somehow be sufficient or getting caught up in security theater.
SmartPlanet: How long have you been doing this for? What drives you? What inspires you?
RJ: I’ve been doing vulnerability assessments since 1992. Physical security is a really interesting, multidisciplinary, challenging, important field. It is in much worse shape even though it is thousands of years older than cyber security and much harder.
In many ways, it is not a real field at all. For example, while you can get a degree in cyber-security from most major four-year research universities, try doing that with physical security. Maybe you can get some kind of administration degree in homeland security. There are at least 33 peer-reviewed journals in cyber-security — and seven in astrology, which isn’t even a real field! There were no peer-reviewed journals devoted to physical security until we started one, The Journal of Physical Security.
SmartPlanet: What’s a typical day like for you? You spend your time trying to hack security systems? What type of security loophole worries you the most?
RJ: Every day is different. It beats working for a living, for sure. We study security devices, systems, and programs, reverse-engineer them, figure out how we can beat them, demonstrate attacks, then devise countermeasures.
All that is the easy part.
The hard part is getting people to acknowledge the problem and implement fixes. Unlike in cyber-security, making a change in physical security or nuclear safeguards is often thought of as a kind of admission that somebody has been screwing up. The challenge is always in the organizational sociology and human psychology of security. The technology is a detail.
What worries me most are organizations and security managers that have poor security culture, cognitive dissonance when it comes to security, that love security theater, and that cannot even envision security failures. Thus, Mahbubani’s Maxim: organizations and security managers who cannot envision security failures will not be able to avoid them.
SmartPlanet: What implications do these security loopholes have in our growing dependency on electronic systems? Should the average person be worried about these threats?
RJ: Yes. Customers of electronic systems are not demanding good security — often not even any security — and manufacturers are not providing it. The federal government has been fairly useless on this score, and some of the security standards that people are trying to create actually make things worse.
SmartPlanet: Cyber-security and physical security are different. Why is physical security more important?
RJ: One of the most important assets we try to protect with physical security is people. It’s way more important than some lost data off a computer, or a virus or denial of service attack so you can’t get on Facebook 38 times a day.
SmartPlanet: And finally: what’s the last book you read?
RJ: I just finished the Art Forger’s Handbook by Eric Hebborn. It has lots of useful psychological tips for vulnerability assessors in there.
Also The World’s Columbian Exposition: The Chicago World’s Fair of 1893, by Norman Bolotin and Christine Laing. A fascinating event from a Chicago, scientific, engineering, historical and cultural perspective. We’ve lost some of the sense of wonder, innocence, optimism, and possibilities associated with the fair.