When Bruce Schneier talks about security, I listen. The concepts behind securing a server, a network, a building, or a country are fundamentally the same … the only difference is in scope. Schneier’s advice on how to organize our efforts is worth reading. Anyway, he has a good article in his latest Crypto-Gram that talks about the intelligence failures leading up to 9/11 and how to improve for the future. Here’s his bit on the “Department of Homeland Security”:

All in all, I’m not sure how the Department of Homeland Security is going to help with any of this. Taking a bunch of ineffectual little bureaucracies and lumping them together into a single galumptious bureaucracy doesn’t seem like a step in the right direction. Leaving the FBI and CIA out of the mix — the largest sources of both valuable information and turf-based problems — doesn’t help, either. And if the individual organizations squabble and refuse to share information, reshuffling the chain of command isn’t really going to make any difference — it’ll just add needless layers of management. And don’t forget the $37 billion this is all supposed to cost, assuming there aren’t the usual massive cost overruns. Couldn’t we better spend that money teaching Arabic to case officers, hiring investigators, and doing various things that actually will make a difference?

Let me not fail to quote him on this point, which cannot be stated enough times:

It’s not about data collection; it’s about data analysis. Again from the 30 September 2001 issue of Crypto-Gram: “Demands for even more surveillance miss the point. The problem is not obtaining data, it’s deciding which data is worth analyzing and then interpreting it. Everyone already leaves a wide audit trail as we go through life, and law enforcement can already access those records with search warrants [and subpoenas]. The FBI quickly pieced together the terrorists’ identities and the last few months of their lives, once they knew where to look. If they had thrown up their hands and said that they couldn’t figure out who did it or how, they might have a case for needing more surveillance data. But they didn’t, and they don’t.”