TCS Daily

White-Hat Terrorism

By Tom W. Bell - November 7, 2003 12:00 AM

The terrorists threatening air travel rely on stealth, creativity, and individual initiative. They face security systems that operate in the open, by the book, and under bureaucratic control. That mismatch puts our safety at risk. The volunteer efforts of Nathaniel Heatwole, a 20 year-old who recently tested airline security and gave it an "F" in keeping box-cutters off of planes, hints at a cure: flying, for-profit, white-hat terrorism.


Notwithstanding Heatwole's good work and good intentions, we cannot rely on "security hackers" like him to improve air security. Such do-gooder ("white-hat") hobbyists are unlikely to do enough of the hard work needed. Nor are they likely to always do it well. They might give cover to real (i.e., "black-hat") terrorists, for instance, or publicize dangerous new techniques.


Instead, we need to spur white-hat security hackers with the prospect of profit and to guide their efforts into safe and useful channels. We need, in other words, to set up a bounty program that will reward both pretend terrorism and real security. Program participants who successfully hack the U.S. air security system would win money for their efforts. Unsuccessful hackers would have to pay the guards who catch them.


Properly structured, such a white-hat terrorism program would cost taxpayers nothing and almost run itself. Government officials need only define the criteria for winning bounties, register program participants, and manage the valuable information that results. The program could fund itself by assessing a toll on all bounties paid.


How Does White-Hat Terror Work?


Consider, for example, how a white-hat terrorism program could improve the safeguards against airline hijackers slipping weapons onto planes. The program would first define a set of mock weapons -- such as stage-prop guns or dull, knife-shaped pieces of metal -- to ensure that they will test security without compromising it. The mock weapons would bear bold markings, such as white and orange stripes, to prevent them being used in mock threats.


The white-hat terrorism program would next assign a bounty to each type of mock weapon, defining how much money the loser of a security test would have to pay the winner. Suppose, for instance, that a mock box-cutter carried a $1000 bounty. Any qualifying white-hat hacker who successfully smuggled it onto a plane would win $1000 from the security system. Conversely, however, the hacker would have to pay $1000 to the security system if he got caught. (He would not suffer prosecution; qualifying program participants would enjoy immunity from that.)


Ideally, a fair amount of any bounty that a caught hacker pays would go to the individual guards who catch him. Perhaps some should go to the guards' direct managers, too. That would help to ensure that those who run the security system have a direct financial incentive in running it well. Staring at x-rays of socks all day can dull the sharpest senses. The prospect of winning the white-hat lottery would keep guards on their toes.


Registering white-hat terrorists' identities would help to ensure that the program does not help black-hat terrorists. A real terrorist might otherwise use mock weapons to test the limits of air security without suffering prosecution, paying cash when caught and keeping successful smuggling attempts secret. Registering program participants would also help to ensure they do not disclose useful but potentially dangerous information about their efforts.


A white-hat terrorism program would generate vital information about the location and size of holes in the air security system. That information could prove very dangerous in the wrong hands. Suppose, for instance, that a creative white-hat hacker discovered a metal alloy suitable for weapons yet invisible to current x-ray machines. We should generously reward that hacker through the white-hat terrorism program -- but also require that she not reveal the secret of her success to anyone outside the air security system.


The white-hat terrorism program need not cost taxpayers much. Properly structured, it might cost them nothing at all. Although administering the program would of necessity require some resources, those might be met by a modest levy on bounty payments. When security guards catch a hacker carrying an authorized mock box-cutter, for instance, they might get only $900 of the $1000 bounty he pays. The rest would go to support the program's administrative costs.


Bureaucrats certainly could -- and probably would -- ask for versions of the white-hat terrorism program that give them more to do. Increasing the government's involvement would risk decreasing the program's effectiveness, however. Having the government manufacture mock weapons, for instance, would encourage far less creativity than merely defining the mock weapons' specifications would. Letting only government employees serve as white-hat terrorists would likewise reduce the freelance entrepreneurship so vital to mimicking real terrorists' methods.


Terrorists already have powerful incentives to crack the security systems protecting air transportation. The people staffing those security systems, however well intentioned and dedicated, simply do not have the same motives. More to the point, even a security guard who shares a terrorist's willingness to die on the job will not share a terrorist's methods. The fight for real security calls for pretend terrorism.


Tom W. Bell is a professor at Chapman University School of Law and an adjunct scholar of the Cato Institute.



TCS Daily Archives