“Security Theater” is almost universally used as a negative term. As Bruce Schneier, a premier security expert, uses it, Security Theater means measures that make people feel more secure without actually improving security. He describes, for example, many post-9/11 security measures enforced by the TSA and others in this way. Some are obvious: National Guardsmen with guns but no bullets are practically security theater by design. But he also describes less obvious examples, such as checking ID at the entrances to office buildings.

However, I think that Security Theater is actually broader and more nuanced. Many military tacticians believe that “theater” (deception, perception, and belief) is critical to both attack and defense. For example, in the American Civil War, the under-supplied Confederate forces held Munson’s Hill for three months after the first Battle of Bull Run (Manassas) with fake cannons. It was most certainly “Security Theater,” but it provided an effective countermeasure against a more powerful army for that critical period of time.

Consider also the Security Theater knowingly used by the London borough of Newham. In Ross Anderson’s first edition of his book, Security Engineering, he says:

In 1998, the London borough of Newham placed video cameras prominently in the high street and ran a PR campaign about how their new computer system constantly scanned the faces in the crowd for several hundred known local criminals. They managed to get a significant reduction in burglary, shoplifting, and street crime. The system even worries civil libertarians...
Ross J. Anderson. 2001. Security Engineering: A Guide to Building Dependable Distributed Systems (1st ed.). Wiley Publishing. p. 265. (Emphasis added.)

That was written in 2001. But Anderson’s second edition, updated about six years later, adds this additional information:

The system even worries civil libertarians — but it worked entirely by the placebo effect [1227]. The police have since admitted that they only ever had 20 or 25 villains’ faces on the system, and it never recognised any of them [871].
Ross J. Anderson. 2008. Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Wiley Publishing. p. 463. (Emphasis added.)

This system was definitely Security Theater, but because it fooled the crooks (at least some of them) as well as the civilians, it had a measurable impact on the rate of certain crimes.

Nobody should misunderstand me. I am not suggesting that Security Theater is a “good” thing, or that we should build our defenses around it. I am simply pointing out that these issues are complicated.

Moreover, I think that there is a fine line between Security Theater and Not-Yet-Sufficiently-Broken Security. When new security features are put into place, just how much protection they afford, or how much crime they deter, is often not known for some time. Many of our fundamental security mechanisms used on the Internet today have known weaknesses. We only still use them because there hasn’t been enough of a catastrophic failure over a large segment of the population to motivate change.

Consider, for example, the growing use of “two-factor” authentication that sends an SMS text message to your phone. It turns out that intercepting SMS is easier than many people realize, and it may not be much of an extra protection against a determined adversary. So, is SMS-based two-factor authentication Security Theater or not? Is it some of both?

Or how about SSL? Many users understand at some level that “https” refers to secured communication. But very few understand what that means. SSL is designed to protect the communications with encryption AND to provide some assurance that you’re talking to whom you think you’re talking. After all, it does little good to encrypt your communication to the bank if the “bank” is actually the Mafia.

The process of determining the identity of the remote party is based on the concept of certificate chains. Think of it as a form of introduction. If your sister introduces you to a friend of hers, you are probably willing to believe that the friend is who they claim to be. The web browser ships with a set of trusted certificates belonging to Certificate Authorities (CAs). Any time you connect to your bank over https, the bank is supposed to send a certificate signed by one of these CAs, or signed by a chain of intermediate CAs that can be traced back to one of the trusted CAs.

So far, it’s worked reasonably well. This is the technology keeping billions of dollars of international commerce safe every second of every day.

And yet, the entire system can fall apart with a few clicks of the mouse. All you have to do is convince a user to install a new trusted CA. Once a bad CA is installed, the browser will trust every certificate signed by it. This means that the bad guy with the bad CA can direct your browser to a fake site, and your browser won’t so much as peep a warning.
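To make the chain-of-introductions idea and the rogue-CA failure concrete, here is an added example (mine, not from the essay or from any browser vendor) written against Go’s standard crypto/x509 package. It mints a genuine chain (root, intermediate, leaf for a constructed host name “bank.example”) and an impostor chain for the same host under a separately generated “Rogue CA”, then runs the same browser-style verification three times: the genuine chain against a trust store holding only the real root, the rogue chain against that store, and the rogue chain again after the rogue root has been “installed” into the store. All names and the trust-store contents are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // unique serial per certificate minted in this demo

// issue creates a certificate for cn. A CA certificate may sign other certificates;
// a leaf gets a DNS SAN so a browser-style check can match it against a host name.
// When parent is nil the certificate is self-signed, i.e. it is a root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed root by default
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chain is what a server presents (leaf plus intermediates); the root lives in the trust store.
type chain struct {
	root, leaf    *x509.Certificate
	intermediates *x509.CertPool
}

// buildChain mints root -> intermediate -> leaf for host under the named root.
func buildChain(rootName, host string) (*chain, error) {
	root, rootKey, err := issue(rootName, true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(rootName+" Intermediate", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(host, false, inter, interKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(inter)
	return &chain{root: root, leaf: leaf, intermediates: pool}, nil
}

// accepted mirrors the browser check: walk from the leaf through the presented
// intermediates and require the chain to end at a root present in the trust store.
func accepted(c *chain, trustStore *x509.CertPool, host string) bool {
	_, err := c.leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         trustStore,
		Intermediates: c.intermediates,
	})
	return err == nil
}

// Outcome records the three scenarios discussed in the essay.
type Outcome struct {
	GenuineAccepted           bool // bank's real chain, trust store holds only the real root
	RogueRejected             bool // impostor's chain against the same trust store
	RogueAcceptedAfterInstall bool // impostor's chain once the rogue root is "installed"
}

// Demo runs the three checks for the constructed host name.
func Demo(host string) (Outcome, error) {
	genuine, err := buildChain("Trusted Root CA", host)
	if err != nil {
		return Outcome{}, err
	}
	rogue, err := buildChain("Rogue CA", host) // constructed impostor for the same host
	if err != nil {
		return Outcome{}, err
	}
	trustStore := x509.NewCertPool()
	trustStore.AddCert(genuine.root)
	out := Outcome{
		GenuineAccepted: accepted(genuine, trustStore, host),
		RogueRejected:   !accepted(rogue, trustStore, host),
	}
	trustStore.AddCert(rogue.root) // the "few clicks": user installs the rogue root
	out.RogueAcceptedAfterInstall = accepted(rogue, trustStore, host)
	return out, nil
}

func main() {
	out, err := Demo("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The verifier never inspects who actually controls “bank.example”; it only asks whether the chain terminates at something already in the store. That is why the whole defence reduces to the integrity of the trust store, and why, on a managed fleet, an unexpected root appearing in the system or browser store is worth alerting on.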

In 2014, Trend Micro published a whitepaper describing hackers who broke both of these mechanisms as part of their attack on banking accounts. They convinced users to run malware that installed a fake certificate and directed them to fake sites, including fake banking sites. Then, when the victims tried to access their bank accounts, the fake site had them install a malicious app on their phones for receiving fake SMS messages. This app would also subsequently steal the real SMS messages sent by the real bank.

Again, is SSL or SMS two-factor authentication Security Theater? I imagine that many would argue that it is not because it does provide some level of actual protection. But how much security does it actually have to provide in order to be real? How easy do the attacks against a security mechanism have to be before it’s all just for show?