Forwarded from: William Knowles <wkat_private> http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html By Laura Blumenfeld Washington Post Staff Writer Tuesday, July 8, 2003 Sean Gorman's professor called his dissertation "tedious and unimportant." Gorman didn't talk about it when he went on dates because "it was so boring they'd start staring up at the ceiling." But since the Sept. 11, 2001, attacks, Gorman's work has become so compelling that companies want to seize it, government officials want to suppress it, and al Qaeda operatives -- if they could get their hands on it -- would find a terrorist treasure map. Tinkering on a laptop, wearing a rumpled T-shirt and a soul patch goatee, this George Mason University graduate student has mapped every business and industrial sector in the American economy, layering on top the fiber-optic network that connects them. He can click on a bank in Manhattan and see who has communication lines running into it and where. He can zoom in on Baltimore and find the choke point for trucking warehouses. He can drill into a cable trench between Kansas and Colorado and determine how to create the most havoc with a hedge clipper. Using mathematical formulas, he probes for critical links, trying to answer the question: "If I were Osama bin Laden, where would I want to attack?" In the background, he plays the Beastie Boys. For this, Gorman has become part of an expanding field of researchers whose work is coming under scrutiny for national security reasons. His story illustrates new ripples in the old tension between an open society and a secure society. "I'm this grad student," said Gorman, 29, amazed by his transformation from geek to cybercommando. "Never in my wildest dreams would I have imagined I'd be briefing government officials and private-sector CEOs." Invariably, he said, they suggest his work be classified. "Classify my dissertation? Crap. Does this mean I have to redo my PhD?" he said. "They're worried about national security. I'm worried about getting my degree." For academics, there always has been the imperative to publish or perish. In Gorman's case, there's a new concern: publish and perish. "He should turn it in to his professor, get his grade -- and then they both should burn it," said Richard Clarke, who until recently was the White House cyberterrorism chief. "The fiber-optic network is our country's nervous system." Every fiber, thin as a hair, carries the impulses responsible for Internet traffic, telephones, cell phones, military communications, bank transfers, air traffic control, signals to the power grids and water systems, among other things. "You don't want to give terrorists a road map to blow that up," he said. The Washington Post has agreed not to print the results of Gorman's research, at the insistence of GMU. Some argue that the critical targets should be publicized, because it would force the government and industry to protect them. "It's a tricky balance," said Michael Vatis, founder and first director of the National Infrastructure Protection Center. Vatis noted the dangerous time gap between exposing the weaknesses and patching them: "But I don't think security through obscurity is a winning strategy." Gorman compiled his mega-map using publicly available material he found on the Internet. None of it was classified. His interest in maps evolved from his childhood, he said, because he "grew up all over the place." Hunched in the back seat of the family car, he would puzzle over maps, trying to figure out where they should turn. Five years ago, he began work on a master's degree in geography. His original intention was to map the physical infrastructure of the Internet, to see who was connected, who was not, and to measure its economic impact. "We just had this research idea, and thought, 'Okay,' " said his research partner, Laurie Schintler, an assistant professor at GMU. "I wasn't even thinking about implications." The implications, however, in the post-Sept. 11 world, were enough to knock the wind out of John M. Derrick Jr., chairman of the board of Pepco Holdings Inc., which provides power to 1.8 million customers. When a reporter showed him sample pages of Gorman's findings, he exhaled sharply. "This is why CEOs of major power companies don't sleep well these days," Derrick said, flattening the pages with his fist. "Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn't to me." Recently, Derrick received an e-mail from an atlas company offering to sell him a color-coded map of the United States with all the electric power generation and transmission systems. He hit the reply button on his e-mail and typed: "With friends like you, we don't need any enemies in the world." Toward the other end of the free speech spectrum are such people as John Young, a New York architect who created a Web site with a friend, featuring aerial pictures of nuclear weapons storage areas, military bases, ports, dams and secret government bunkers, along with driving directions from Mapquest.com. He has been contacted by the FBI, he said, but the site is still up. "It gives us a great thrill," Young said. "If it's banned, it should be published. We like defying authority as a matter of principle." This is a time when people are rethinking the idea of innocent information. But it is hardly the first time a university has entangled itself in a war. John McCarthy, who oversees Gorman's project at GMU's National Center for Technology and Law, compared this period to World War II, when academics worked on code-breaking and atomic research. McCarthy introduced Gorman to some national security contacts. Gorman's critical infrastructure project, he said, has opened a dialogue among academia, the public sector and the private sector. The challenge? "Getting everyone to trust each other," McCarthy said. "It's a three-way tension that tugs and pulls." When Gorman and Schintler presented their findings to government officials, McCarthy recalled, "they said, 'Pssh, let's scarf this up and classify it.' " And when they presented them at a forum of chief information officers of the country's largest financial services companies -- clicking on a single cable running into a Manhattan office, for example, and revealing the names of 25 telecommunications providers -- the executives suggested that Gorman and Schintler not be allowed to leave the building with the laptop. Businesses are particularly sensitive about such data. They don't want to lose consumer confidence, don't want to be liable for security lapses and don't want competitors to know about their weaknesses. The CIOs for Wells Fargo and Mellon Financial Corp. attended the meeting. Neither would comment for this story. Catherine Allen, chief executive of BITS, the technology group for the financial services roundtable, said the attendees were "amazed" and "concerned" to see how interdependent their systems were. Following the presentation, she said, they decided to hold an exercise in an undisclosed Midwestern city this summer. They plan to simulate a cyber assault and a bomb attack jointly with the telecommunications industry and the National Communications System to measure the impact on financial services. McCarthy hopes that by identifying vulnerabilities, the GMU research will help solve a risk management problem: "We know we can't have a policeman at every bank and switching facility, so what things do you secure?" Terrorists, presumably, are exploring the question from the other end. In December 2001, bin Laden appeared in a videotape and urged the destruction of the U.S. economy. He smiled occasionally, leaned into the camera and said, "This economic hemorrhaging continues until today, but requires more blows. And the youth should try to find the joints of the American economy and hit the enemy in these joints, with God's permission." Every day, Gorman tries to identify those "joints," sitting in a gray cinderblock lab secured by an electronic lock, multiple sign-on codes and a paper shredder. No one other than Gorman, Schintler or their research instructor, Rajendra Kulkarni, is allowed inside; they even take out their own trash. When their computer crashed, they removed the hard drive, froze it, smashed it and rubbed magnets over the surface to erase the data. The university has imposed the security guidelines. It is trying to build a cooperative relationship with the Department of Homeland Security. Brenton Greene, director for infrastructure coordination at DHS, described the project as "a cookbook of how to exploit the vulnerabilities of our nation's infrastructure." He applauds Gorman's work, as long as he refrains from publishing details. "We would recommend this not be openly distributed," he said. Greene is trying to help the center get federal funding. ("The government uses research funding as a carrot to induce people to refrain from speech they would otherwise engage in," said Kathleen Sullivan, dean of Stanford Law School. "If it were a command, it would be unconstitutional.") All this is a bit heavy for Gorman, who is in many ways a typical student. His Christmas lights are still up in July; his living room couch came from a trash pile on the curb. Twice a day, Gorman rows on the Potomac. Out on the water, pulling the oars, he can stop thinking about how someone could bring down the New York Stock Exchange or cripple the Federal Reserve's ability to transfer money. On a recent afternoon, he drove his Jeep from the Fairfax campus toward the river. Along the way he talked about his dilemma: not wanting to hurt national security; not wanting to ruin his career as an academic. "Is this going to completely squash me?" he said, biting his fingernail. GMU has determined that he will publish only the most general aspects of his work. "Academics make their name as an expert in something. . . . If I can't talk about it, it's hard to get hired. It's hard to put 'classified' on your list of publications on your résumé." As he drove along Route 50, he pointed out a satellite tower and a Verizon installation. Somewhere in Arlington he took a wrong turn and stopped to ask for directions. It has always been that way with him. He's great at maps, but somehow he ends up lost. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 02:52:05 PDT