A recent Washington Post article details how George Mason University grad student Sean Gorman put together a Ph.D. thesis that mapped “every business and industrial sector in the American economy, layering on top the fiber-optic network that connects them.
“He can click on a bank in Manhattan and see who has communications lines running into it and where,” wrote Laura Blumenfeld. “He can zoom in on Baltimore and find the choke point for trucking warehouses. He can drill a cable trench between Kansas and Colorado and determine how to create the most havoc with a hedge clipper. Using mathematical formulas, he probes for critical links, trying to answer the question,
‘If I were Osama bin Laden, where would I want to attack?’ “
The most stunning aspect of Gorman’s endeavor, however, is this: “Gorman compiled his mega-map using publicly available material he found on the Internet. None of it was classified.”
That’s right. Every bit of information that he used to create his map he found with great ease on the ’Net. Okay, but exactly how dangerous is Gorman’s analysis?
Former White House Cyber Terrorism Chief Richard Clarke said in the article, “(Gorman) should turn [his dissertation] in to his professor, get his grade—and then they should both burn it.”
When Gorman presented his findings to a forum of CIOs from the country’s largest financial services companies, they indicated that Gorman, “should not be allowed to leave the building with his laptop.”
When a reporter showed sample pages of Gorman’s work to John M. Derrick Jr., chairman of the board of Pepco Holdings, Inc. – a major power company – Derrick replied, “This is why CEOs of major power companies don’t sleep well these days. Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn’t to me.”
Derrick’s right. And in Gorman’s case, the CIA or Homeland Security office will most certainly classify his dissertation for national security reasons. But, you say, this is just a smart grad student trying to prove a point. Well, there are enemies of the United States out there who already have Ph.D.s, and who are probably putting together the same information. And the CIA or the Office of Homeland Security has no authority over them, if they even know who they are. What is scarier still, though, is that you don’t have to be that smart.
Want to know where every nuclear reactor is, what size it is, and how much power it produces? Well, there is a prominent government agency that provides all of this information on their Web site. Granted, this information alone is not necessarily enough for a terrorist to plan an attack, but it does provide the exact locations and capabilities of each facility. This information is potentially even more dangerous if it’s combined with information from another Web site, a commercial one that sells “FDA-Approved Potassium Iodide” pills.
Starting with the same map of U.S. nuclear power plants, this site overlays a map that shows “the theoretical radioactive iodine affected area from a reactor accident. Based on Chernobyl statistics.” Basically, large rings emanate from each clearly labeled nuclear reactor, illustrating the radioactive fallout probability for each reactor. For your average terrorist, this shows how far radiation is expected to travel should there be an “accident.”
If that’s not enough, this same site provides a link to another Web site called “The MapScience Center.” There, you can type in any address in the United States and find the nearest route for the shipment of nuclear waste.
And if that’s not enough, that site also provides an extremely terrorist-friendly link to another government agency Web site that provides state-by-state route maps for the shipment of nuclear waste. In addition, this site provides clear, concise maps for shipments on barges, including one route that ironically sports a perfect view of Ground Zero on its regular trip.
Again, this is a U.S. government agency Web site providing this information.
This is only the tip of a very large, frightening iceberg.
Now, I should state that I do not blame the government, the private sector, or people who seek to expand the Freedom of Information Act. And I do not, in any way, wish to curb the amount of information that is made available to the public. Again, the Internet is an evolving thing. And we need to take the next steps in that evolution to ensure our national safety is protected, even as we protect the public’s right to information.
However, the public’s right to know should never compromise national security. We do not need to make information like this readily available – to post this information as Internet billboards – for enemies both foreign and domestic who could conceivably use it against us. So how do we guard national security while keeping public information public?
I will not pretend to have answers to every question concerning information on the Internet. But there are certainly steps we can take, right now, while we develop greater, more strategic solutions, perhaps even a comprehensive national strategy. Certainly, the best place to start is the public sector.
Like the private sector, federal, state, and municipal government entities are proud of what they do. Understandably, they want to tell their constituents about their work. But maybe they shouldn’t, at least not in such great detail. I have discovered in my work as a security specialist that many water utilities, for example, keep their customers updated on system improvements. That’s nothing new. However, in doing so, they often get too specific. Their well-intentioned desire to keep their customers aware of improving service often translates into them detailing information about sensitive equipment or procedures – for example, a new pumping station and how it works.
In fact, the level of detail can be astounding. And while this is done with the best of intentions, they can inadvertently tell potential terrorists exactly where to place an explosive to take out the system at a choke point. So while the ultimate goal is to find a balance between security issues and the availability of information, the first step is to remove from government Web sites sensitive information about vital facilities. After carefully examining information, it can be edited and reposted so it presents factual data without posing a threat.
Another possible solution is to make sensitive information available on a request basis. Basically, if someone wants to know the train schedule for a freight line known to carry nuclear waste, they should submit a name, address, telephone number, e-mail address, and so forth to receive that information. While a terrorist will probably use an alias and fake identification, at least there is an electronic audit trail and the potential to observe connections should a name reappear in several different sensitive Web sites. This type of process is nothing new.
Recently, along with millions of other Americans, I registered with the national “don’t call” telemarketing registry. It took three interactions to complete the process. First I had to supply basic identification information. Then I was sent an e-mail verifying that information. Then I had to follow a link to confirm that information. If it’s this difficult to fend off telemarketers, I think it should be at least that difficult to find out how and where nuclear waste is being transported.
The protocols used can differ, depending on the sensitivity of the information.
With proper training, some sophisticated software, and close communication between the Office of Homeland Security and potential terrorist targets, authorities could be alerted if a pattern is recognized in requests for information. With these types of protocols, though, there is a concern about privacy.
While there are certainly privacy concerns, it is pretty easy to create protocols that will keep private information from being sold to telemarketers, and that will only alert the authorities if suspicious activities are observed. In reality, this is no different than the laws we now have. It’s simply applying them to the Internet. And while this doesn’t completely solve the problem, it does make it harder for terrorists. And that is the key to the problem.
We live in a free society. What makes our country unique is that we do make information about the government and its facilities available to the public, unlike most other countries. I don’t want to change that. But we must learn to approach our world differently; we must change our mindset when it comes to posting information on the international bulletin board that the Internet has become. We must learn to balance security issues with information availability. Because in a post-9/11 world, it seems truly remarkable that government and private-sector Web sites still provide sensitive information that can benefit terrorists.
William G. Sewell, RCDD, is the Washington-based senior vice president and practice manager for DMJM Technology, a division of DMJM – a global architecture, engineering, and security firm.