
Warm, fuzzy security

I've been thinking about security recently, as a result of the foiled London terrorist plots. Many techie websites have been making fun of Britain's and the United States' stringent regulations prohibiting certain types of liquids in carry-on luggage and on your person. Security expert Bruce Schneier says that the only effective way to prevent terrorism is to practice what he calls "anti-terrorism"; that is, don't give in to the terrorists' desire to create chaos and paranoia, ultimately leading to citizens lobbying their government for a change in policy so as to eliminate the terrorist threat. The terrorist's goal is to inspire fear in his or her victims.

This is Schneier's argument, and I've been thinking about it. I like Bruce Schneier; he says a lot of intelligent things about security. But while he has considered terrorism as an attempt to instill fear, uncertainty, and doubt (what online types call "FUD"), I don't think he's considered another part of the picture: terror as a publicity stunt.

Mark Juergensmeyer calls this "theater of terror." In addition to attempting to instill fear in their victims, terrorists will engage in acts that will garner a lot of media attention, focusing the public eye on their cause. Osama bin Laden is considered a master of "theater of terror," as he expertly crafts his own media image so as to portray himself as a single-minded religious militant (have you ever noticed how all of his self-released videos show him brandishing or sitting near a Kalashnikov assault rifle? Or wearing a camouflage-colored vest?)

Why do terrorists kidnap high-profile people? Why did terrorists kidnap and behead Americans in Iraq? The only fear it instilled was on the part of family members of the victims; everyone else just avoided traveling to Iraq and the problem was solved. Inspiring FUD requires terrorists to plant in their victims' minds that they could be attacked at any second, no matter where they live. Beheadings were a publicity stunt -- a high-profile action designed to get some demands met. (When terrorists kidnapped journalist Jill Carroll, they wanted something in return for her. Kidnappings aren't just for funsies; there's a pragmatic purpose behind them.)

Schneier has routinely failed to come up with pragmatic security responses to terrorism. In his article, linked above, he says, "[O]ur job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches." This is a wonderful idealistic goal for the future -- and one that we should continue to work toward -- but it doesn't speak to what can be done right now. This is not policy, which demands a tangible response -- not a politicized response or one designed to take away our rights (for Schneier seems to believe that any pragmatic response must a priori be designed to take away our rights and instill fear in us so that politicians can gain more control). Imagine that you are the police chief in a city where there has been a rash of burglaries. What if your response to the burglaries were, "Well, we need to enact better social welfare programs in order to create less of an incentive for people to burglarize"? Yes, indeed that's a wonderful idea, but, concurrently, there are other things you can do to catch burglars who are, after all, breaking the law. If your only response to this situation were to call for the beginning of a long-term solution, your constituents -- who live in the short term and don't want to continue to be robbed in the meantime -- would vote you out of office or call for your impeachment.

If heightened security is a knee-jerk reaction to terrorism, then scoffing at heightened security is a knee-jerk reaction to heightened security. This situation plays out day after day on the Internet, at techie websites where contributors and their commenters laugh at the silliness of security.

But is it really silly? What is the other option? If you scoff, then you must believe that there is a better way to go about security. If so, what is your plan?

Today, I read this horror story about an iPod stuck in an airplane toilet that caused the plane to be diverted to Canada due to a terrorist threat. Commenters scoffed at the outlandishness of the response to an iPod stuck in a toilet. And, indeed, it's a pretty ridiculous situation. But what if it weren't merely an iPod? What if it were really a bomb? Schneier knows enough about social engineering that he should be leery of scoffing immediately. A good terrorist would play off the iPod as though he accidentally dropped it in the toilet, and then -- kaboom! It's a "you're damned if you do, damned if you don't" scenario. On the one hand, when security is too tight, we condemn it as such. On the other hand, if security were too lax, and the iPod-in-the-toilet really were a bomb, we would lambast security officials for not working hard enough, or not taking the situation seriously enough. Schneier calls this story "[o]verreaction at its worst." An iPod full of C4 might not destroy the entire plane, but it would certainly do a good job of seriously damaging it, causing it to crash, or, at the very least, getting attention with its carnage.

What is the alternative? This is the problem with terrorism: it does create paranoia, such that every situation that is potentially a terrorist threat must be treated as though it were a terrorist threat. And why not? What was wrong with the security officials' reaction to this incident? Hindsight, as they say, is 20/20; it's quite easy for us to deride their responses as silly and overblown, now that we know that the iPod was not a bomb. But imagine being a security official, or a pilot, or a stewardess, charged with the safety of the people on board that plane, as well as your own life. Would you really take the risk that it's not a bomb? Would you believe a person who claims that it's just an iPod that he dropped in the toilet? How would you know that person isn't just using social engineering to get you to drop your defenses?

I submit that, in order for us to have a serious talk about security, we need to stop automatically deriding security. We need to talk about what we can do in the long term, yes, but more importantly, we need to talk about what measures we can take right now to ensure that people aren't killed or injured while our long-term measures are taking effect.
