Slashdot Mirror
Grad Student's Work Reveals National Infrastructure
CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"
I work for Transport for London (Transport Authority in London, UK, duh), and, after 9/11 my boss asked me to print out a huge map of the city and put a little sticky label over every "potential terrorist target". Buckingham Palace, Houses of Parliament, the big wheel thing, ministry of defence, big office blocks, army barracks, more palaces....
After three hours I was running out of sticky labels and was very scared.
But hey, look on the bright side, maybe it'll never happen!!!
evil math within Nature's Cubic Creation!
Did anyone else think that this article had a dark undertone of government and corporerations looking to lock down information in the name of security. I mean, some of this information is important and may have benefits to the general public.
The scariest line is that they wanted to burn his research. Flash backs of 1984 flashed in my mind.
--------
Free your mind.
Some people might wonder why in the world you'd need to have maps of electrical grids and fibre lines...
I'm working on the periphery of the emergency response industry, and suffice it to say, any infrastructure data is vital as hell for responding to major natural disasters like quakes, hurricanes and tornadoes.
Tossing all this "scary" data into the classified domain will hammer on emergency responders' ability to effectively map this stuff.
It's vital, and I think the anti-"security through obscurity" comment in the article hits the nail on the head...
The other interesting thing this brings up is the student's right to earn a living and do what he enjoys vs. the national security implications of this. Like he says, putting classified down on a resume doesn't get you very far, especially outside the Military/Intelligence arena.
The other thing is that, yes, he did put all of the together, but according to the article the raw data he used is all available on the internet. Who's to day that Al Qadea hasn't hasn't already done the research to create their own version of his map. In that case this work could very well prove to be a map of what to defend.
"You can't fight in here! This is the war room" --Dr. Stra
the same questions have been asked about some of Tom Clancy's work. I remember reading that he was paid a visit by the FBI asking where he got his classified information, only it turned out everything he used was publicly available. My thought is that suppressing information will not prevent terrorism, only when would-be terrorists change the way they think of the free world will it stop. /rant
At least what this has prompted is a panic attack amongst some CIO's out there, who now understand that 1) too much information has long been left in the public domain, and 2) critical infrastructure security has been neglected for far too long.
Once you can shock the CEO's and CFO's into understanding that a genuine business risk exists out there, action can take place. I think far too many people assumed that the telco/networking companies had this all figured out...
Stop by my site where I write about ERP systems & more
The article mentions an interesting website: But even with the wonderous google I am unable to find the website that they are talking about.
Anyone know of it?
--Tim
When Tom Clancy published the Hunt for Red October the US Navy wanted to nail him because they thought he stole some confidential info about their submarine ops.
It turned out that he got all his info from public domain sources. And they could not do much about it. He just knew where to search.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Cliff S. in "The Cukoos Egg" tails down a spy selling secrets to the russians. Most of the info he steals is *NOT* classified, but by having *ALL* the info, he can piece together something he doesn't know:
1. New fighter being developed
2. Contract awarded to company X
3. Rifle through purchase orders for titanium and other strategic parts.
4. Get shipping info on said parts
5. now you know the facility where it will be built.
6. find airline reservations from company in question
7. look for engineers and test personell.
8. find nearest test base from point of arrival.
9. Fighter X will be built in location A and tested at location B, between arrival date and departure date.
Needless to say, this is why more things have become classified since the early 80's
meh
Well, that's just it: Classifying data is different from making it sensitive and just not handing it out to anyone. Plenty of data is already designated as "sensitive" (see HAZUS at FEMA for example).
Infrastructure data is often sensitive. First responders can certainly get it. However, if DoD and/or DHS go haywire and classify it, only those with Secret (or better) clearance level can get it.
And your average "first responder" fireman isn't going to possess a secret clearance...
As for currentness, you'd be surprised. Much of the interesting infrastructure (major emergency facilities, dams, etc) doesn't change very often.
I thought the whole point of the Internet, being a packet-switched network, was that it could survive damage... like from nuclear war.
So now we're worried that a terrorist with a scissors is gonna bring it down?
He's able to leverage the data so that he can see gains (I'm thinking an entire career) while the folks that have lots to lose (banks, utilities, transportation, US gov) pay for him to help show their achilies heels and bottlenecks.
If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.
Insurance companies and actuaries for corporations and governments love this kind of stuff, as do operations research people. Tell me how much it'll cost to reduce risk to this level, or: I have $10,000,000 -- how can I spend it to ensure that the worst case scenario isn't as bad.
Hopefully the information doesn't become classified; hopefully, it's used over the next few years to sure up the bottlenecks and other weak points, making the infrastructure far more robust in the following years.
Support a few technologists in Washington.
The infrastructure is all interconnected... High voltage lines and their rights of way are used for fiber optic cable runs, Oil and gas pipelines and their rights of way are used for fiber optic runs, same for railway rights of way... because they all have the same basic need, to go from point A to point B, without crossing anyone else's properties. Start correllating telco/internet outages with railroad derailings (which tend to dig up the right of way), and you'll see what I mean. I have known for 10 years, the easiest way to cripple "the typical city" (since the fire in chicago, that destroyed the phone Central Office!) -Jazz
-- All That's Evil in the Geek Space
- Who makes that determination?
Not "trolling" - just asking.Who reviews the decisions of the determining body and enforces penalties if the decisions are not in the best interests of the citizens?
Given Pournelle's Law of Bureaucracy ("regardless of the reasons for which they are established, the top priorities of bureaucracies are to survive and to grow") who determines what controls are placed on those doing the classifying?
sPh
They make it sound like it will be hard for him to get a job because most of his dissertation won't be published. I think that's probably completely wrong.
Even though it does suck that he can't release it in its original form; he'll have absolutely no problems finding a job. If that many large financial corporations were concerned about their communication infostructure surely one (if not all of them) are scratching to hire him.
If all he wants is money and no real academic prestige this is great. Otherwise, it wouldn't be fun to be in his position right now
From the Clancy FAQ:2 0CIA%20and%20FBI.htm
http://www.clancyfaq.com/Clancy%20contacted%20by%
Sorry, couldn't resist. I grew up in the USSR where everything was classified - so here is a map story for you.
Map information was classified and map publishers were required to add deliberately inaccurate information to their maps. You would have whole cities that were not on the map or shown a couple of hundred km away from their real location. This was done in the name of national security, so the enemy (US) would not be able to use maps to plan a nuclear strike or sabotage military installations.
The enemy of course just used satellite imaging to create their own maps and ended up with better maps of Russia than the Russians had. In the 80s folks who needed maps (geologists, archeologists, hikers, ...) would try really hard to get their hands on foreign made maps, because they were so much more accurate.
Security by obscurity is counterproductive...
Conpanies (i.e. financial institutions) don't mind compiling scads of public information on us until they can tell what brand of hemorrhoid cream you use, but when we do the same thing to them, they scream bloody murder.
Hmmm.....
If you locked up all of the infomation he's compiled, you'd shut down the Economy just as effectively as using that same infomation to blow up critical infrastructure points. The real point of his data is that he also allows the good guys to see just whwre the choke points are so that they can design backup plans and structures.
As Ghandi said (and I'd bet he'd be on the terrorist watch list if he was doing his work today).
Now, at least, these companies are clear that they need to get their ISPs to use different fiber lines to deliver their data. It's not like they couldn't have known this before. It's just that now they have it at their fingertips.
Free Software: Like love, it grows best when given away.
I work for Sandia National Labs as a student intern. In August student interns are required to present the projects they've been working on during the summer at a symposium. Each project has to be checked because say a student is working on an airplane lets say or some sort of technology to cover the airplane...well if the student mentions in his presentation that this technology could possibly be used to make an invisible skin for airplanes that presentation all the sudden becomes a classified discussion of possible stealth technologies....just because the student mentioned possible uses... OR say a student is working with X gadget. and He is also working with Y gadget. neither of which are classified in themselves. Then lets say that the student wants to make a silde showing all the gadgets he's been working on. He takes a photograph of X and Y in the same slide and BAM! that's a classified picture because when you combine X and Y you get gadget Z which is classified. that's how it works!
1) As many people have pointed and will continue to point out, classifying the report won't make any difference because people can re-create the work. And this wouldn't take much effort, because an attacker has no need to map the entire US, they can pick whatever area is convenient for them.
2) Slowing down internet connections doesn't scare people. Temporarily cutting corporate offices off from the grid doesn't scare anyone (save, perhaps, the CEO). Think how much more terror-bang a terrorist could get for his buck with a 9mm in mall. That would terrify people and significantly damage the economy. Attacking communications infrastructure isn't "terrorism," it's something else. It's guerilla warfare, directed against an economy rather than a person, I suppose. If our "war" descends to this point, we are totally screwed, as it is impossible to defend (or even think of) all the economically "soft" targets.
3) In the end, the security of all civillians and civillian infrastructure depends on good will. Well, that, and fear of punishment. But the latter doesn't apply to acts of international sabatoge and/or murder. I am sick of all this talk about defending our civillian infrastructure, securing the homeland, etc. It can't happen. Until there is a soldier in body armor with a rifle every few yards down every street in the USA, this goal will not be achieved. That isn't the society any of us want to live in. We haven't put any effort into civillian security up to this point, and I say: Good for us. We didn't need to, because the general good will of human beings was protecting us. Our effort would be better spent restoring *that* state of things, rather than moving toward the soldier-on-every-corner model. For those who would like to call me naive, I ask you: why has there not been an attack on soft infrastructure before? Why has there never been a wave of men with 9mms in malls? These things are undefended. The only reason it hasn't happened is that no one ever wanted to do it.
Three good reasons why it is a waste of time and effort to classify this fellow's dissertation. I'll let others cover the reasons why classifying it is damaging to security, an open society, and democracy.
What's good for the syndicate is good for the country. --Milo Minderbinder
Back in September of 2002, I wrote an essay entitled, Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't.
www.cryptogon.com/docs/cryptogon_cyberwar.pdf
This brief essay explains how vulnerable information infrastructures are to very simple attacks. I intentionally removed all company names and locations of the critical assets, not because I was afraid my written-in-one-evening essay would be used by terrorists, but because I was afraid the FBI would think I was a terrorist.
After reading about the pressure that Sean Gorman is under, I am convinced that I would have had a (probably not pleasant) sit down with federal agents if I hadn't sanitized my essay.
What we see here is a combination of simple things building up. Information here, information there - but add the tools to combine it all together, and suddenly said information is a lot more meaningful and powerful.
It's not just the data. It's not just the technology. It's what you get when you combine them, mine the data, and find something that isn't there originally.
The problem of regulating this, of course, is that the various sources of information are "innocent," and that information itself can be deceptively harmless until you combine it with something else.
So what do you do? You can't control the information, you can't know what to control, you can't outlaw the process. Welcome to the 21st century, where Data Mining is our new concern.
As an IT professional, I've had to deal with much lesser concerns of the same nature - what happens when you combine and mine data. A simple-to-create synergy can reveal far more than the data sources it uses, and that synergy has to be treated as a completely different thing when it comes to concerns over access, availability, etc.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
Would anyone here be willing to have their usage fees for their net connection go up by %50 to cover the cost of installing and maintaining this additional redundant infrastructure? (Bear in mind that if you say "Stick it to big businesses!", they will indirectly stick it back to you.)
So what are they going to do now, make GIS illegal, what I'm I suposed to do for a job? I'm sure they've gone light on the details but I could make a "super-map" similar to this one in my spare time at work. Any kind of infrastucture information needed for this is readily availible from MapInfo & ESRI.
Jaysyn
There is a war going on for your mind.
One of the issues missed is that this data embarasses a lot of people.
The reason te CIOs and CEOs where worried about their reputations is that in general physical security has and still is as badly neglected as computer security. Their pants are around their ankles. All Gorman has done is taken a photograph.
That being said a terrorist only needs a "single" target. Which means information control must be total, since a single leak or oversight would provide a target.
Take a moment to think about vuranbilities that you know of at your company, town, etc...
You will realize it is impossible to secure all
information or access to sites.
Now you have a choice: Keep everyone (including the customer) in the dark (read -> closed source) except the service provider and trust them to provide security (which interestingly enough their reaction to Gorman's data suggests they haven't).
Or: have aware customers that are aware and have access to information who can help fix problems and as needed put pressure on their providers to make them accountable for security (read -> open source).
I prefer the latter. Given that examples exist already where open source (Linux or BSD as examples) are considered more secure than closed source alternatives.
Full disclosure has always been unpleasant. But problems can only be fixed when identified.