Understanding vulnerability: Does hiding information make us more or less safer?
Two years ago, grad student Sean Gorman was researching the question of what parts of the national infrastructure would be most vulnerable to terrorist attack. His dissertation included "detailed maps of the intersections of and weak spots in the power, telecommunications and transportation networks that support the business and industrial sector in the U.S. economy," according to Washington Post columnist Brian Krebs.
Using publicly available information Gorman built an interactive application that showed major vulnerabilities, such as traffic choke points, who has communications lines running into which banks, and so. The project had national security and antiterrorism experts trying to get it classified as a threat to national security. From a 2003 Post article about Gorman:
"He should turn it in to his professor, get his grade -- and then they both should burn it," said Richard Clarke, who until recently was the White House cyberterrorism chief. "The fiber-optic network is our country's nervous system. ... "You don't want to give terrorists a road map to blow that up."
In 2003, the Post had to promise George Mason University, where Gorman was a student, not to publish his information. Now, Gorman has published much of his work in a book, Networks, Security And Complexity: The Role of Public Policy in Critical Infrastructure Protection.
What's changed? For one thing, some of the data he relied on is now classified and more of it is now unavailable through the Internet.
"What I found in general is that there used to be a lot more data that was freely available online, whereas most of that stuff you now have to purchase offline," Gorman said in a telephone interview today. Still, he added, "it is amazing how much of this stuff can still be located with some of the free Internet archiving tools out there," like the Wayback Machine (a.k.a. Archive.org.)
But he says the point of his research wasn't to create an interactive map but to show the interconnectedness of systems, and how a seemingly isolated breakdown can have far-reaching repurcussions.
To that end, he points to the ripple effects from Hurricane Katrina, where a lack of investment in physical infrastructure led to broken levees, which led to power outages, which caused telecommunications failures and darkened oil refineries, prompting oil pumping station shutdowns and gasoline price spikes, which in turn had a huge, distributed impact on the nation's manufacturing and transportation systems.
"As Katrina made clear, there are still lots and lots of issues, and this is not something we can solve in a year or two," he said.
... "I think both the government and the private sector are just now starting to realize the scope [of] effort that needs to be made to create a resilient infrastructure. A lot of that is the government getting the right incentives in place, but even when they've got that part right, the business investments still have to be made."If anything should be obvious from Katrina, it's that it takes strategic planning to coordinate the best defenses for complex, interconnected systems owned by a diversity of public and private entities.
"If we end up just throwing money at the problem, then we’re just doomed to repeat the same mistakes," he said.
But while it may seem prudent to hide information that can expose weaknesses to terrorists, Katrina also makes obvious that it's difficult to fix the problems if they're not widely known. Both public and private organizations are more likely to make difficult decisions and spend money fixing problems if there is public pressure to take care of vulnerabilities.