Senator Kennedy No-Fly Watch List and IDS "False Positives"

It struck me today that Senator Kennedy's no-fly watch list troubles are very similar to our digital security woes. Recently Kennedy said "he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret 'no-fly' list." The Washington Post reported "a senior administration official, who spoke on condition he not be identified, said Kennedy was stopped because the name 'T. Kennedy' has been used as an alias by someone on the list of terrorist suspects."

"T. Kennedy" reminds me of a content-matching IDS rule. Is this a "false positive"? If you consider that airline personnel were making decisions based on the rules they were given (stop anyone using the name "T. Kennedy," which covers Ted in the senator's case), this is not a false positive. Perhaps with more context, like personal recognition that the individual at hand is one of the most famous members of the US Senate, the airline "IDS" would meet more of the "spirit" of its mission and less its "letter."

How did Senator Kennedy handle being flagged when he checked into the airport? According to the Post, "When the senator checked in at the counter, airline employees told him they could not issue him a boarding pass because he appeared on the list. Kennedy was delayed until a supervisor could be summoned to identify him and give approval for him to board the plane." That process reminds me of an investigation by a human analyst. Luckily the analyst had the information he or she needed to make a decision. The "full content data" in the person of Senator Kennedy allowed the decision maker to realize the senator was not a terrorist. Without that data, say only knowing someone named "T. Kennedy" was on board a flight, the decision maker might not be able to take proper defensive actions.

What is better: (1) removing a "bad signature" ("T. Kennedy"), or (2) relying on a scrap of imprecise information that could potentially identify a serious threat? With all of this case's publicity, it's doubtful any terrorist will use that alias again. Whatever your decision, this case reminds security professionals to collect the information analysts need to transform indicators into warnings. Also, don't blame the identification system for making poor decisions if you feed it imprecise signatures.
