[ISN] How good is UK.gov at its own security agenda?

From: InfoSec News (isn@private)
Date: Wed Nov 24 2004 - 06:00:42 PST


http://www.theregister.co.uk/2004/11/24/parliament_security_holes/

By John Lettice
24th November 2004

Comment: Yesterday Peter Hain, the Leader of the Commons, was happily
telling journalists that the Government's security-heavy legislative
programme was intended to frustrate the opposition by "crowding out
any place for them on the security agenda". Which one might think a
remarkably cynical thing to say on its own, but he went a step further
later; speaking to Radio 4, he groomed Labour as the only party that
could protect us adequately from terror.

And this isn't scaremongering? But leave that one aside, lets just
take a little look at how good Peter Hain's and the Government's own
security records are. As Leader of the Commons Hain has some
considerable responsibility for the security of the premises, and as
we've seen in the past couple of years, performance in this area
hasn't been exactly stellar. Parliament, other Government premises and
the Royal Palaces have all been the scene of embarrassing incidents,
and these have provoked much huffing, puffing and outrage from our
legislators. But after the huffing, does anything worthwhile happen?  
Pop your security analysts' hats on for a moment, and we'll go through
a couple of them.

Weirdos in Palaces and Parliament trigger the huffing, and calls that
Something Must Be Done. Usually Something Is Done, but subsequent
outrages tend to illustrate that it's not usually the right something.

Anyone with a grasp of network security (which is largely, as is more
general security, the bleeding obvious) should be able to see what's
going on here. The responses tend to address the wrong problem, or a
small, possibly not very relevant aspect of the problem. Which
suggests that nobody has sat down and figured out what the problem
actually was. Result: problem unsolved, next outrage built into
system.

The something being done about royal security was discussed recently
in the House of Lords, and relates to atrocities involving comedians
dressed as Osama bin Laden penetrating royal birthday parties, and men
dressed as Batman leaping around on Buckingham Palace ledges. Shocking
stuff, and indeed Something Must Be Done, as the noble lords opined at
some length. Unhappily the something, as the government minister
present indicated, is likely to be stiffer penalties for people
trespassing on royal property.

Brilliant. That's really going to make terrorists think twice before
they dress up as Batman and try to blow themselves up on Her Maj's
balcony, isn't it? Really, what the noble lords were doing here was
not (as many of them seemed to imagine) addressing a security issue
but increasing the penalties for embarrassing the security forces.

In the case of the comedy Osama, the real security problem was a
combination of a perimeter weakness which allowed the initial breach,
and failures in access validation which meant he could bluff his way
into the event. The answer might be to strengthen the perimeter
defence, but the venue, Windsor um, Castle allows a high degree of
public access, so strengthening the perimeter to the point of
impregnability isn't likely to be either cost-effective or feasible.  
Introducing more effective validation procedures within the perimeter
is likely to be a more fruitful route, as is questioning the sense of
using the venue for a major royal bash in the first place. As for
Batman at Buckingham Palace, he whipped out a stepladder, scaled a
wall, hopped onto a convenient flat roof then shimmied along ledges to
one very close to the balcony the Queen waves from. If that is she's
in the Palace at the time, and scheduled to wave. Which she wasn't.

The network pros will instantly identify that convenient flat roof as
a handy quick perimeter fix, and it may well be, fixing it surely
can't hurt. But people in various states of attire have been hopping
over the Buckingham Palace walls for years, and it's a long time since
one of them made it into a Queen's bedroom with an actual Queen in it.  
So maybe, considering that they don't seem to do a great deal of harm
before they get scooped up, it makes more sense to put the resources
into making sure you spot them and scooping them up quickly once
they're in. You might consider the possibility that the security (even
with that roof) is good enough already. Things to factor in while
you're considering is whether he'd have got so far if the Queen had
been on the balcony (because you should be relating your security
posture to the value of the assets protected), and whether he'd have
got so far if he'd been a terrorist. Note here that it's at least
arguable that a publicity seeker is likely to take bigger risks than
your average thinking terrorist, because getting caught is usually one
of the objectives, and getting shot while dressed as Batman and waving
banners isn't a likely outcome.

Closer to home for Hain we have the Greenpeace anti-war protesters who
climbed up Big Ben with a banner. This was another 'might have been
terrorists', and there's a pretty impressive one of these here [1].  
"If two seemingly innocent people can get up there to hang a banner,
then terrorists could plant a mobile phone and set this to blow up Big
Ben." Oh yeah, right... Analyse this one and the prospect of
terrorists climbing up the outside of Big Ben rather than doing
something threatening anybody's lives but their own sounds quite
positive. Even the stupidest terrorist will have noted that there's
not a lot you can do up there, and you're going to be spotted by what
one assumes is one of London's largest collections of trained marksmen
right after you start climbing.

Get inside Big Ben and do something, that's maybe a different matter -
but have we looked at this, or have we just got riled about
demonstrators climbing up the outside? Big Ben has more recently
figured in fevered truck bomb scenarios that result in it crashing
down. Which is a possibility, certainly, but if you're going to try to
get a lorryload of fertiliser into Whitehall and set it off, you're
surely going to do it somewhere in Whitehall where it'll wreak more
havoc than just (maybe) knocking over a clock tower. Since the IRA
mortared John Major from there, the security services have been pretty
careful about suspicious trucks in Whitehall, so there ought to be a
perimeter defence for this already.

Even factoring in suicide bombers, the thinking terrorist is going to
be more worried about the percentages than the demonstrator is. The
supply of people smart enough to, say, bluff their way into the House
of Commons and blow themselves up is likely to be pretty limited, and
such people would be assets that smart terror organisations would be
reluctant to expend without a pretty high chance of success.  
Comfortably-off pro-hunt demonstrators, on the other hand, are
well-equipped for the bluffing bit, not worried by a low probability
of success (the ones who made it into the Commons chamber said they
were surprised they got so far) and don't need to carry any hardware
through the metal detectors. So rather than asking loudly, as usually
happens, "What if they'd been terrorists?" it would be more useful to
ask how might a malicious attacker have exploited the weaknesses
exposed by an intrusion, what damage could have been done and what is
the likelihood of a malicious attacker using this or similar routes?

Parliament itself is a showcase to wrong-headed thinking about
security. A security screen fencing off most of the public gallery
went in over Easter and in May a group of protesters who had sneakily
obtained seats in the unscreened part (for MPs' invited guests) threw
a condom filled with purple powder at Tony Blair. Then shortly after
that stable door was shut (nobody now gets to sit in the unscreened
seats) a bunch of hunt protesters came in through the chamber door
instead. The BBC's list of memorable outrages [2] may be helpful here,
but we oughtn't to place too much significance on the screen going in
just after Tony Blair was shouted at; they'd been planning it for a
lot longer. The list might indicate that Tony Blair is the sort of
Prime Minister people particularly want to abuse or throw stuff at
(makes sense), but noting that Parliament has managed fairly well for
over 30 years since somebody lobbed a CS cannister at it (could have
been a grenade, and in 1970 it really could have been) gives us a bit
of perspective.

Yes, the purple powder could have been anthrax, but remember your
threat assessment techniques and consider the probabilities. If a
terror organisation is going to lose an asset in an attack, it's not
going to be wasting its time with a chancy weapon like a condom full
of anthrax. It's going to try to get a gun or a bomb in, so the hell
with people throwing ordure from the public gallery - that's
democracy. Concentrate on making sure people don't get guns and bombs
into the public gallery, or indeed anywhere else where they could do
damage.

The pro-hunt outrage suggests strongly that nobody's been doing joined
up security thinking for Parliament. The intruders passed at least two
points which should have been properly policed, with passes being
checked (Parliament's pass system is notoriously wrecked at the
moment, but still...), and they could have been stopped just short of
their objective if the default on the commons chamber door had been
locked, rather than open, or if the door guards could have locked it
with a panic button. Yes yes, they could have been terrorists, they
could have been armed, but they weren't, and that should just remind
you that stopping people getting bombs and guns in is very important.

The prosaic truth is probably that few people actually want to kill a
British politician right now, and the people who would like to kill
them either don't have the means to do so, or don't think the
cost/benefits from their point of view stack up. That will change, and
it's been different in recent memory, but it's at least arguable that
the Provisional IRA posed a much more serious threat in the UK than
those we face in the current 'war on terror.'

Unhappily, our security forces seem, if anything, more unglued than
our politicians. In response to the killer condom attack, it says here
[3], a review by MI5 chiefs recommended erecting a steel barrier
around Parliament, and has warned of the perils of the current
concrete blocks, which could be dangerous if blown up. That's so weird
and disconnected that the Beeb must surely have made some of it up,
but probably not enough to make it OK.

The killer concrete panic might be an upside though. The US Embassy in
Grosvenor Square has always been damned ugly, but it's been more so
since the fencing and the concrete went in, so persuading them that
the concrete's dangerous might improve matters. Persuading them
suicide 4x4s (it has steps, lots of steps) are particularly unlikely
doesn't stand much chance. Nor, we suppose, does relocation to
Salisbury Plain or Fylingdales (secluded, close to global snooping
services), so killer concrete it has to be.

[1] http://news.bbc.co.uk/1/hi/uk/3552491.stm
[2] http://news.bbc.co.uk/1/hi/uk_politics/3730255.stm
[3] http://news.bbc.co.uk/1/hi/uk_politics/3885537.stm



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Wed Nov 24 2004 - 07:56:46 PST