http://www.theregister.co.uk/2004/11/24/parliament_security_holes/ By John Lettice 24th November 2004 Comment: Yesterday Peter Hain, the Leader of the Commons, was happily telling journalists that the Government's security-heavy legislative programme was intended to frustrate the opposition by "crowding out any place for them on the security agenda". Which one might think a remarkably cynical thing to say on its own, but he went a step further later; speaking to Radio 4, he groomed Labour as the only party that could protect us adequately from terror. And this isn't scaremongering? But leave that one aside, lets just take a little look at how good Peter Hain's and the Government's own security records are. As Leader of the Commons Hain has some considerable responsibility for the security of the premises, and as we've seen in the past couple of years, performance in this area hasn't been exactly stellar. Parliament, other Government premises and the Royal Palaces have all been the scene of embarrassing incidents, and these have provoked much huffing, puffing and outrage from our legislators. But after the huffing, does anything worthwhile happen? Pop your security analysts' hats on for a moment, and we'll go through a couple of them. Weirdos in Palaces and Parliament trigger the huffing, and calls that Something Must Be Done. Usually Something Is Done, but subsequent outrages tend to illustrate that it's not usually the right something. Anyone with a grasp of network security (which is largely, as is more general security, the bleeding obvious) should be able to see what's going on here. The responses tend to address the wrong problem, or a small, possibly not very relevant aspect of the problem. Which suggests that nobody has sat down and figured out what the problem actually was. Result: problem unsolved, next outrage built into system. The something being done about royal security was discussed recently in the House of Lords, and relates to atrocities involving comedians dressed as Osama bin Laden penetrating royal birthday parties, and men dressed as Batman leaping around on Buckingham Palace ledges. Shocking stuff, and indeed Something Must Be Done, as the noble lords opined at some length. Unhappily the something, as the government minister present indicated, is likely to be stiffer penalties for people trespassing on royal property. Brilliant. That's really going to make terrorists think twice before they dress up as Batman and try to blow themselves up on Her Maj's balcony, isn't it? Really, what the noble lords were doing here was not (as many of them seemed to imagine) addressing a security issue but increasing the penalties for embarrassing the security forces. In the case of the comedy Osama, the real security problem was a combination of a perimeter weakness which allowed the initial breach, and failures in access validation which meant he could bluff his way into the event. The answer might be to strengthen the perimeter defence, but the venue, Windsor um, Castle allows a high degree of public access, so strengthening the perimeter to the point of impregnability isn't likely to be either cost-effective or feasible. Introducing more effective validation procedures within the perimeter is likely to be a more fruitful route, as is questioning the sense of using the venue for a major royal bash in the first place. As for Batman at Buckingham Palace, he whipped out a stepladder, scaled a wall, hopped onto a convenient flat roof then shimmied along ledges to one very close to the balcony the Queen waves from. If that is she's in the Palace at the time, and scheduled to wave. Which she wasn't. The network pros will instantly identify that convenient flat roof as a handy quick perimeter fix, and it may well be, fixing it surely can't hurt. But people in various states of attire have been hopping over the Buckingham Palace walls for years, and it's a long time since one of them made it into a Queen's bedroom with an actual Queen in it. So maybe, considering that they don't seem to do a great deal of harm before they get scooped up, it makes more sense to put the resources into making sure you spot them and scooping them up quickly once they're in. You might consider the possibility that the security (even with that roof) is good enough already. Things to factor in while you're considering is whether he'd have got so far if the Queen had been on the balcony (because you should be relating your security posture to the value of the assets protected), and whether he'd have got so far if he'd been a terrorist. Note here that it's at least arguable that a publicity seeker is likely to take bigger risks than your average thinking terrorist, because getting caught is usually one of the objectives, and getting shot while dressed as Batman and waving banners isn't a likely outcome. Closer to home for Hain we have the Greenpeace anti-war protesters who climbed up Big Ben with a banner. This was another 'might have been terrorists', and there's a pretty impressive one of these here [1]. "If two seemingly innocent people can get up there to hang a banner, then terrorists could plant a mobile phone and set this to blow up Big Ben." Oh yeah, right... Analyse this one and the prospect of terrorists climbing up the outside of Big Ben rather than doing something threatening anybody's lives but their own sounds quite positive. Even the stupidest terrorist will have noted that there's not a lot you can do up there, and you're going to be spotted by what one assumes is one of London's largest collections of trained marksmen right after you start climbing. Get inside Big Ben and do something, that's maybe a different matter - but have we looked at this, or have we just got riled about demonstrators climbing up the outside? Big Ben has more recently figured in fevered truck bomb scenarios that result in it crashing down. Which is a possibility, certainly, but if you're going to try to get a lorryload of fertiliser into Whitehall and set it off, you're surely going to do it somewhere in Whitehall where it'll wreak more havoc than just (maybe) knocking over a clock tower. Since the IRA mortared John Major from there, the security services have been pretty careful about suspicious trucks in Whitehall, so there ought to be a perimeter defence for this already. Even factoring in suicide bombers, the thinking terrorist is going to be more worried about the percentages than the demonstrator is. The supply of people smart enough to, say, bluff their way into the House of Commons and blow themselves up is likely to be pretty limited, and such people would be assets that smart terror organisations would be reluctant to expend without a pretty high chance of success. Comfortably-off pro-hunt demonstrators, on the other hand, are well-equipped for the bluffing bit, not worried by a low probability of success (the ones who made it into the Commons chamber said they were surprised they got so far) and don't need to carry any hardware through the metal detectors. So rather than asking loudly, as usually happens, "What if they'd been terrorists?" it would be more useful to ask how might a malicious attacker have exploited the weaknesses exposed by an intrusion, what damage could have been done and what is the likelihood of a malicious attacker using this or similar routes? Parliament itself is a showcase to wrong-headed thinking about security. A security screen fencing off most of the public gallery went in over Easter and in May a group of protesters who had sneakily obtained seats in the unscreened part (for MPs' invited guests) threw a condom filled with purple powder at Tony Blair. Then shortly after that stable door was shut (nobody now gets to sit in the unscreened seats) a bunch of hunt protesters came in through the chamber door instead. The BBC's list of memorable outrages [2] may be helpful here, but we oughtn't to place too much significance on the screen going in just after Tony Blair was shouted at; they'd been planning it for a lot longer. The list might indicate that Tony Blair is the sort of Prime Minister people particularly want to abuse or throw stuff at (makes sense), but noting that Parliament has managed fairly well for over 30 years since somebody lobbed a CS cannister at it (could have been a grenade, and in 1970 it really could have been) gives us a bit of perspective. Yes, the purple powder could have been anthrax, but remember your threat assessment techniques and consider the probabilities. If a terror organisation is going to lose an asset in an attack, it's not going to be wasting its time with a chancy weapon like a condom full of anthrax. It's going to try to get a gun or a bomb in, so the hell with people throwing ordure from the public gallery - that's democracy. Concentrate on making sure people don't get guns and bombs into the public gallery, or indeed anywhere else where they could do damage. The pro-hunt outrage suggests strongly that nobody's been doing joined up security thinking for Parliament. The intruders passed at least two points which should have been properly policed, with passes being checked (Parliament's pass system is notoriously wrecked at the moment, but still...), and they could have been stopped just short of their objective if the default on the commons chamber door had been locked, rather than open, or if the door guards could have locked it with a panic button. Yes yes, they could have been terrorists, they could have been armed, but they weren't, and that should just remind you that stopping people getting bombs and guns in is very important. The prosaic truth is probably that few people actually want to kill a British politician right now, and the people who would like to kill them either don't have the means to do so, or don't think the cost/benefits from their point of view stack up. That will change, and it's been different in recent memory, but it's at least arguable that the Provisional IRA posed a much more serious threat in the UK than those we face in the current 'war on terror.' Unhappily, our security forces seem, if anything, more unglued than our politicians. In response to the killer condom attack, it says here [3], a review by MI5 chiefs recommended erecting a steel barrier around Parliament, and has warned of the perils of the current concrete blocks, which could be dangerous if blown up. That's so weird and disconnected that the Beeb must surely have made some of it up, but probably not enough to make it OK. The killer concrete panic might be an upside though. The US Embassy in Grosvenor Square has always been damned ugly, but it's been more so since the fencing and the concrete went in, so persuading them that the concrete's dangerous might improve matters. Persuading them suicide 4x4s (it has steps, lots of steps) are particularly unlikely doesn't stand much chance. Nor, we suppose, does relocation to Salisbury Plain or Fylingdales (secluded, close to global snooping services), so killer concrete it has to be. [1] http://news.bbc.co.uk/1/hi/uk/3552491.stm [2] http://news.bbc.co.uk/1/hi/uk_politics/3730255.stm [3] http://news.bbc.co.uk/1/hi/uk_politics/3885537.stm _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Wed Nov 24 2004 - 07:56:46 PST