Grad Student's Work Reveals National Infrastructure
CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"
I work for Transport for London (Transport Authority in London, UK, duh), and, after 9/11 my boss asked me to print out a huge map of the city and put a little sticky label over every "potential terrorist target". Buckingham Palace, Houses of Parliament, the big wheel thing, ministry of defence, big office blocks, army barracks, more palaces....
After three hours I was running out of sticky labels and was very scared.
But hey, look on the bright side, maybe it'll never happen!!!
evil math within Nature's Cubic Creation!
Did anyone else think that this article had a dark undertone of government and corporations looking to lock down information in the name of security? I mean, some of this information is important and may have benefits to the general public.
The scariest line is that they wanted to burn his research. Flashbacks of 1984 flashed in my mind.
--------
Free your mind.
Some people might wonder why in the world you'd need to have maps of electrical grids and fibre lines...
I'm working on the periphery of the emergency response industry, and suffice it to say, any infrastructure data is vital as hell for responding to major natural disasters like quakes, hurricanes and tornadoes.
Tossing all this "scary" data into the classified domain will hammer on emergency responders' ability to effectively map this stuff.
It's vital, and I think the anti-"security through obscurity" comment in the article hits the nail on the head...
The other interesting thing this brings up is the student's right to earn a living and do what he enjoys vs. the national security implications of this. Like he says, putting classified down on a resume doesn't get you very far, especially outside the Military/Intelligence arena.
The other thing is that, yes, he did put all of it together, but according to the article the raw data he used is all available on the internet. Who's to say that Al Qaeda hasn't already done the research to create their own version of his map? In that case this work could very well prove to be a map of what to defend.
"You can't fight in here! This is the war room" --Dr. Stra
The same questions have been asked about some of Tom Clancy's work. I remember reading that he was paid a visit by the FBI asking where he got his classified information, only it turned out everything he used was publicly available. My thought is that suppressing information will not prevent terrorism, only when would-be terrorists change the way they think of the free world will it stop. /rant
At least what this has prompted is a panic attack amongst some CIOs out there, who now understand that 1) too much information has long been left in the public domain, and 2) critical infrastructure security has been neglected for far too long.
Once you can shock the CEOs and CFOs into understanding that a genuine business risk exists out there, action can take place. I think far too many people assumed that the telco/networking companies had this all figured out...
Stop by my site where I write about ERP systems & more
When Tom Clancy published the Hunt for Red October the US Navy wanted to nail him because they thought he stole some confidential info about their submarine ops.
It turned out that he got all his info from public domain sources. And they could not do much about it. He just knew where to search.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Cliff S. in "The Cuckoo's Egg" tails down a spy selling secrets to the Russians. Most of the info he steals is *NOT* classified, but by having *ALL* the info, he can piece together something he doesn't know:
1. New fighter being developed
2. Contract awarded to company X
3. Rifle through purchase orders for titanium and other strategic parts.
4. Get shipping info on said parts
5. Now you know the facility where it will be built.
6. Find airline reservations from company in question
7. Look for engineers and test personnel.
8. Find nearest test base from point of arrival.
9. Fighter X will be built in location A and tested at location B, between arrival date and departure date.
Needless to say, this is why more things have become classified since the early 80's
meh
Well, that's just it: Classifying data is different from making it sensitive and just not handing it out to anyone. Plenty of data is already designated as "sensitive" (see HAZUS at FEMA for example).
Infrastructure data is often sensitive. First responders can certainly get it. However, if DoD and/or DHS go haywire and classify it, only those with Secret (or better) clearance level can get it.
And your average "first responder" fireman isn't going to possess a secret clearance...
As for currentness, you'd be surprised. Much of the interesting infrastructure (major emergency facilities, dams, etc) doesn't change very often.
I thought the whole point of the Internet, being a packet-switched network, was that it could survive damage... like from nuclear war.
So now we're worried that a terrorist with a scissors is gonna bring it down?
He's able to leverage the data so that he can see gains (I'm thinking an entire career) while the folks that have lots to lose (banks, utilities, transportation, US gov) pay for him to help show their Achilles' heels and bottlenecks.
If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.
Insurance companies and actuaries for corporations and governments love this kind of stuff, as do operations research people. Tell me how much it'll cost to reduce risk to this level, or: I have $10,000,000 -- how can I spend it to ensure that the worst case scenario isn't as bad.
Hopefully the information doesn't become classified; hopefully, it's used over the next few years to shore up the bottlenecks and other weak points, making the infrastructure far more robust in the following years.
Support a few technologists in Washington.
The infrastructure is all interconnected... High voltage lines and their rights of way are used for fiber optic cable runs, oil and gas pipelines and their rights of way are used for fiber optic runs, same for railway rights of way... because they all have the same basic need, to go from point A to point B, without crossing anyone else's properties. Start correlating telco/internet outages with railroad derailings (which tend to dig up the right of way), and you'll see what I mean. I have known for 10 years, the easiest way to cripple "the typical city" (since the fire in Chicago, that destroyed the phone Central Office!) -Jazz
-- All That's Evil in the Geek Space
- Who makes that determination?
Not "trolling" - just asking. Who reviews the decisions of the determining body and enforces penalties if the decisions are not in the best interests of the citizens?
Given Pournelle's Law of Bureaucracy ("regardless of the reasons for which they are established, the top priorities of bureaucracies are to survive and to grow") who determines what controls are placed on those doing the classifying?
sPh
From the Clancy FAQ: http://www.clancyfaq.com/Clancy%20contacted%20by%20CIA%20and%20FBI.htm
Sorry, couldn't resist. I grew up in the USSR where everything was classified - so here is a map story for you.
Map information was classified and map publishers were required to add deliberately inaccurate information to their maps. You would have whole cities that were not on the map or shown a couple of hundred km away from their real location. This was done in the name of national security, so the enemy (US) would not be able to use maps to plan a nuclear strike or sabotage military installations.
The enemy of course just used satellite imaging to create their own maps and ended up with better maps of Russia than the Russians had. In the 80s folks who needed maps (geologists, archeologists, hikers, ...) would try really hard to get their hands on foreign made maps, because they were so much more accurate.
Security by obscurity is counterproductive...
Companies (i.e. financial institutions) don't mind compiling scads of public information on us until they can tell what brand of hemorrhoid cream you use, but when we do the same thing to them, they scream bloody murder.
Hmmm.....
If you locked up all of the information he's compiled, you'd shut down the Economy just as effectively as using that same information to blow up critical infrastructure points. The real point of his data is that he also allows the good guys to see just where the choke points are so that they can design backup plans and structures.
As Gandhi said (and I'd bet he'd be on the terrorist watch list if he was doing his work today).
Now, at least, these companies are clear that they need to get their ISPs to use different fiber lines to deliver their data. It's not like they couldn't have known this before. It's just that now they have it at their fingertips.
Free Software: Like love, it grows best when given away.
1) As many people have pointed and will continue to point out, classifying the report won't make any difference because people can re-create the work. And this wouldn't take much effort, because an attacker has no need to map the entire US, they can pick whatever area is convenient for them.
2) Slowing down internet connections doesn't scare people. Temporarily cutting corporate offices off from the grid doesn't scare anyone (save, perhaps, the CEO). Think how much more terror-bang a terrorist could get for his buck with a 9mm in a mall. That would terrify people and significantly damage the economy. Attacking communications infrastructure isn't "terrorism," it's something else. It's guerilla warfare, directed against an economy rather than a person, I suppose. If our "war" descends to this point, we are totally screwed, as it is impossible to defend (or even think of) all the economically "soft" targets.
3) In the end, the security of all civilians and civilian infrastructure depends on good will. Well, that, and fear of punishment. But the latter doesn't apply to acts of international sabotage and/or murder. I am sick of all this talk about defending our civilian infrastructure, securing the homeland, etc. It can't happen. Until there is a soldier in body armor with a rifle every few yards down every street in the USA, this goal will not be achieved. That isn't the society any of us want to live in. We haven't put any effort into civilian security up to this point, and I say: Good for us. We didn't need to, because the general good will of human beings was protecting us. Our effort would be better spent restoring *that* state of things, rather than moving toward the soldier-on-every-corner model. For those who would like to call me naive, I ask you: why has there not been an attack on soft infrastructure before? Why has there never been a wave of men with 9mms in malls? These things are undefended. The only reason it hasn't happened is that no one ever wanted to do it.
Three good reasons why it is a waste of time and effort to classify this fellow's dissertation. I'll let others cover the reasons why classifying it is damaging to security, an open society, and democracy.
What's good for the syndicate is good for the country. --Milo Minderbinder