[ISN] Dissertation Could Be Security Threat

From: InfoSec News (isnat_private)
Date: Tue Jul 08 2003 - 00:28:07 PDT

  • Next message: InfoSec News: "[ISN] Requiem for a Hacker"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html
    
    By Laura Blumenfeld
    Washington Post Staff Writer
    Tuesday, July 8, 2003
    
    Sean Gorman's professor called his dissertation "tedious and 
    unimportant." Gorman didn't talk about it when he went on dates 
    because "it was so boring they'd start staring up at the ceiling." But 
    since the Sept. 11, 2001, attacks, Gorman's work has become so 
    compelling that companies want to seize it, government officials want 
    to suppress it, and al Qaeda operatives -- if they could get their 
    hands on it -- would find a terrorist treasure map. 
    
    Tinkering on a laptop, wearing a rumpled T-shirt and a soul patch 
    goatee, this George Mason University graduate student has mapped every 
    business and industrial sector in the American economy, layering on 
    top the fiber-optic network that connects them. 
    
    He can click on a bank in Manhattan and see who has communication 
    lines running into it and where. He can zoom in on Baltimore and find 
    the choke point for trucking warehouses. He can drill into a cable 
    trench between Kansas and Colorado and determine how to create the 
    most havoc with a hedge clipper. Using mathematical formulas, he 
    probes for critical links, trying to answer the question: "If I were 
    Osama bin Laden, where would I want to attack?" In the background, he 
    plays the Beastie Boys. 
    
    For this, Gorman has become part of an expanding field of researchers 
    whose work is coming under scrutiny for national security reasons. His 
    story illustrates new ripples in the old tension between an open 
    society and a secure society. 
    
    "I'm this grad student," said Gorman, 29, amazed by his transformation 
    from geek to cybercommando. "Never in my wildest dreams would I have 
    imagined I'd be briefing government officials and private-sector 
    CEOs." 
    
    Invariably, he said, they suggest his work be classified. "Classify my 
    dissertation? Crap. Does this mean I have to redo my PhD?" he said. 
    "They're worried about national security. I'm worried about getting my 
    degree." For academics, there always has been the imperative to 
    publish or perish. In Gorman's case, there's a new concern: publish 
    and perish. 
    
    "He should turn it in to his professor, get his grade -- and then they 
    both should burn it," said Richard Clarke, who until recently was the 
    White House cyberterrorism chief. "The fiber-optic network is our 
    country's nervous system." Every fiber, thin as a hair, carries the 
    impulses responsible for Internet traffic, telephones, cell phones, 
    military communications, bank transfers, air traffic control, signals 
    to the power grids and water systems, among other things. 
    
    "You don't want to give terrorists a road map to blow that up," he 
    said. 
    
    The Washington Post has agreed not to print the results of Gorman's 
    research, at the insistence of GMU. Some argue that the critical 
    targets should be publicized, because it would force the government 
    and industry to protect them. "It's a tricky balance," said Michael 
    Vatis, founder and first director of the National Infrastructure 
    Protection Center. Vatis noted the dangerous time gap between exposing 
    the weaknesses and patching them: "But I don't think security through 
    obscurity is a winning strategy." 
    
    Gorman compiled his mega-map using publicly available material he 
    found on the Internet. None of it was classified. His interest in maps 
    evolved from his childhood, he said, because he "grew up all over the 
    place." Hunched in the back seat of the family car, he would puzzle 
    over maps, trying to figure out where they should turn. Five years 
    ago, he began work on a master's degree in geography. His original 
    intention was to map the physical infrastructure of the Internet, to 
    see who was connected, who was not, and to measure its economic 
    impact. 
    
    "We just had this research idea, and thought, 'Okay,' " said his 
    research partner, Laurie Schintler, an assistant professor at GMU. "I 
    wasn't even thinking about implications." 
    
    The implications, however, in the post-Sept. 11 world, were enough to 
    knock the wind out of John M. Derrick Jr., chairman of the board of 
    Pepco Holdings Inc., which provides power to 1.8 million customers. 
    When a reporter showed him sample pages of Gorman's findings, he 
    exhaled sharply. 
    
    "This is why CEOs of major power companies don't sleep well these 
    days," Derrick said, flattening the pages with his fist. "Why in the 
    world have we been so stupid as a country to have all this information 
    in the public domain? Does that openness still make sense? It sure as 
    hell doesn't to me." 
    
    Recently, Derrick received an e-mail from an atlas company offering to 
    sell him a color-coded map of the United States with all the electric 
    power generation and transmission systems. He hit the reply button on 
    his e-mail and typed: "With friends like you, we don't need any 
    enemies in the world." 
    
    Toward the other end of the free speech spectrum are such people as 
    John Young, a New York architect who created a Web site with a friend, 
    featuring aerial pictures of nuclear weapons storage areas, military 
    bases, ports, dams and secret government bunkers, along with driving 
    directions from Mapquest.com. He has been contacted by the FBI, he 
    said, but the site is still up. 
    
    "It gives us a great thrill," Young said. "If it's banned, it should 
    be published. We like defying authority as a matter of principle." 
    
    This is a time when people are rethinking the idea of innocent 
    information. But it is hardly the first time a university has 
    entangled itself in a war. John McCarthy, who oversees Gorman's 
    project at GMU's National Center for Technology and Law, compared this 
    period to World War II, when academics worked on code-breaking and 
    atomic research. McCarthy introduced Gorman to some national security 
    contacts. Gorman's critical infrastructure project, he said, has 
    opened a dialogue among academia, the public sector and the private 
    sector. The challenge? "Getting everyone to trust each other," 
    McCarthy said. "It's a three-way tension that tugs and pulls." 
    
    When Gorman and Schintler presented their findings to government 
    officials, McCarthy recalled, "they said, 'Pssh, let's scarf this up 
    and classify it.' " 
    
    And when they presented them at a forum of chief information officers 
    of the country's largest financial services companies -- clicking on a 
    single cable running into a Manhattan office, for example, and 
    revealing the names of 25 telecommunications providers -- the 
    executives suggested that Gorman and Schintler not be allowed to leave 
    the building with the laptop. 
    
    Businesses are particularly sensitive about such data. They don't want 
    to lose consumer confidence, don't want to be liable for security 
    lapses and don't want competitors to know about their weaknesses. The 
    CIOs for Wells Fargo and Mellon Financial Corp. attended the meeting. 
    Neither would comment for this story. 
    
    Catherine Allen, chief executive of BITS, the technology group for the 
    financial services roundtable, said the attendees were "amazed" and 
    "concerned" to see how interdependent their systems were. Following 
    the presentation, she said, they decided to hold an exercise in an 
    undisclosed Midwestern city this summer. They plan to simulate a cyber 
    assault and a bomb attack jointly with the telecommunications industry 
    and the National Communications System to measure the impact on 
    financial services. 
    
    McCarthy hopes that by identifying vulnerabilities, the GMU research 
    will help solve a risk management problem: "We know we can't have a 
    policeman at every bank and switching facility, so what things do you 
    secure?" 
    
    Terrorists, presumably, are exploring the question from the other end. 
    In December 2001, bin Laden appeared in a videotape and urged the 
    destruction of the U.S. economy. He smiled occasionally, leaned into 
    the camera and said, "This economic hemorrhaging continues until 
    today, but requires more blows. And the youth should try to find the 
    joints of the American economy and hit the enemy in these joints, with 
    God's permission." 
    
    Every day, Gorman tries to identify those "joints," sitting in a gray 
    cinderblock lab secured by an electronic lock, multiple sign-on codes 
    and a paper shredder. No one other than Gorman, Schintler or their 
    research instructor, Rajendra Kulkarni, is allowed inside; they even 
    take out their own trash. When their computer crashed, they removed 
    the hard drive, froze it, smashed it and rubbed magnets over the 
    surface to erase the data. 
    
    The university has imposed the security guidelines. It is trying to 
    build a cooperative relationship with the Department of Homeland 
    Security. Brenton Greene, director for infrastructure coordination at 
    DHS, described the project as "a cookbook of how to exploit the 
    vulnerabilities of our nation's infrastructure." He applauds Gorman's 
    work, as long as he refrains from publishing details. "We would 
    recommend this not be openly distributed," he said. 
    
    Greene is trying to help the center get federal funding. ("The 
    government uses research funding as a carrot to induce people to 
    refrain from speech they would otherwise engage in," said Kathleen 
    Sullivan, dean of Stanford Law School. "If it were a command, it would 
    be unconstitutional.") 
    
    All this is a bit heavy for Gorman, who is in many ways a typical 
    student. His Christmas lights are still up in July; his living room 
    couch came from a trash pile on the curb. Twice a day, Gorman rows on 
    the Potomac. Out on the water, pulling the oars, he can stop thinking 
    about how someone could bring down the New York Stock Exchange or 
    cripple the Federal Reserve's ability to transfer money. 
    
    On a recent afternoon, he drove his Jeep from the Fairfax campus 
    toward the river. Along the way he talked about his dilemma: not 
    wanting to hurt national security; not wanting to ruin his career as 
    an academic. 
    
    "Is this going to completely squash me?" he said, biting his 
    fingernail. GMU has determined that he will publish only the most 
    general aspects of his work. "Academics make their name as an expert 
    in something. . . . If I can't talk about it, it's hard to get hired. 
    It's hard to put 'classified' on your list of publications on your 
    résumé." 
    
    As he drove along Route 50, he pointed out a satellite tower and a 
    Verizon installation. Somewhere in Arlington he took a wrong turn and 
    stopped to ask for directions. It has always been that way with him. 
    He's great at maps, but somehow he ends up lost. 
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 02:52:05 PDT