The myth of operational security

One day, I am going to get around to writing my magnum opus on the mistaken beliefs that some security people have about threat actors. But today, I’m going to consider one of them: the terrorist with perfect operational security.

There is a whole range of arguments which assume that there is no point in society adopting mechanisms to attempt to defend itself, because our enemies have perfect operational security. There is no point in intercepting communications because they all use encryption, with both effective algorithms and flawless key management (a feat few national agencies have managed). There is no point even trying traffic analysis because they all use Tor with flawless, error-free precision (even though there is ample reason to believe this is very difficult). There is no point using ANPR (automatic number plate recognition) because all criminals drive stolen cars with false plates (although this weekend’s Paris attacks used hire cars). And so on.

There are good reasons to be wary of security service claims as to the efficacy of their boxes of tricks, and certainly we need to balance civil liberties and security agendas. We need to do this all the more in the aftermath of appalling events such as those in Paris this weekend. But we need good arguments. Arguments which presume that terrorists are criminal masterminds who have not only access to top-quality crypto but also the skills and discipline to use it effectively, and that interception is therefore pointless, are just wrong. Terrorists have many things to be doing while planning an outrage, and they clearly are not communicating using perfectly-used one-time pads.