[risks] Risks Digest 21.66

From: RISKS List Owner (riskoat_private)
Date: Mon Sep 17 2001 - 20:13:57 PDT

RISKS-LIST: Risks-Forum Digest  Monday 17 September 2001  Volume 21 : Issue 66

   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.66.html>
and by anonymous ftp at ftp.sri.com, cd risks .

11 September 2001 in retrospect (PGN)
Abridged info on RISKS (comp.risks)


Date: Mon, 17 Sep 2001 16:27:43 PDT
From: "Peter G. Neumann" <neumannat_private>
Subject: 11 September 2001 in retrospect

         **       11 September 2001       **

              "THE RISKS ARE OBVIOUS."  

11 September 2001 will be painfully remembered by most of the planet's
population for the coordinated hijacking of four jetliners and the ensuing
surprise attacks on New York City's World Trade Center and the Pentagon,
with thousands of lives lost and enormous consequential after-effects.  Our
hearts go out to everyone close to those who were so irrevocably affected --
including the crash victims, the firemen and other emergency workers in New
York City, and especially the UA93 passengers whose efforts evidently saved
the lives of others.

We are once again reminded how fragile our lives and civic infrastructures
are, and how interdependent we all are.  Although violent and sudden
large-scale termination of people's lives has previously been all too
familiar in many countries of the world, many of us have hitherto largely
taken too much for granted.  Hopefully, the aftermath of this fateful day
will dramatically increase public awareness of some of the vulnerabilities
in our lives and risks to our freedom.

However, the events should come as no surprise, because many warnings have
been widely ignored.  For example, the President's Commission on Critical
Infrastructure Protection of the previous U.S. Administration identified
serious vulnerabilities in telecommunications, electric power and other
energy sources, transportation, financial services, emergency services, and
government continuity.  It noted how interdependent these critical
infrastructures are, and how they are all related to information
technologies.  It also observed difficulties in coordination among and
within different infrastructures, and perhaps most relevant, a general lack
of public awareness.  In many respects, complacency has been seen across the
board in response to that report.  In addition, the White House Commission
on Safety and Security (the Gore Commission) identified many serious risks
in aviation.  (Also, see my paper <http://www.csl.sri.com/neumann/air.html>,
presented at the January 1997 International Conference on Aviation Safety
and Security, co-sponsored by that commission and George Washington
University.)  Various analyses of commercial aviation and air-traffic
control over the past 18 years within the Department of Transportation have
identified potentially serious vulnerabilities that merit closer attention.
More recently, a U.S. General Accounting Office report identified many
serious problems in airport security.  But, perhaps because the risks and
threat levels seemed low, or possibly because institutional bureaucracy is
so deeply entrenched, very little action was deemed necessary.
Unfortunately, some of the issues recognized therein have now come home to

As a society, we in the U.S. seem to be unwilling to take certain prudent
precautions -- perhaps because they would cost too much, or be too
inconvenient, or would seriously degrade service.  Apparently, we suffer
from a serious lack of foresight.

The Risks Forum has persistently considered risks associated with our
technologies and their uses, but we often note that many of the crises and
other risk-related problems have resulted from low-tech events, misguided
human behavior, or malicious misbehavior.  In short, the typical search for
high-tech solutions to problems stemming from social, economic, and
geopolitical causes has frequently ignored more basic issues.  Over-endowing
high-tech solutions is riskful in the absence of adequate understanding of
the limitations of the technology and the frailties and perversities of
human nature.  Whereas there are high-tech solutions that might be effective
if properly used, we should also be examining some low-tech and no-tech

One pervasive theme in the Risks Forum over the past 16 years has been the
ubiquity of systemic vulnerabilities relating to security, reliability,
availability, and overall survivability, with respect to human enterprises,
society at large, and to systems, applications, and enterprises based on
information technologies.  Evidently, we still have much to learn.

Let us seek to build a better world, and remain true to our human values and
constitutional foundations.  Also, let us beware of seeming solutions --
technological or otherwise -- that result in further escalation of the
risks.  Sadly, because of the inherent vulnerabilities in those seeming
solutions, we are always at risk, whether we realize it or not.

Peter G. Neumann


Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-requestat_private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Alternatively, via majordomo, 
 send e-mail requests to <risks-requestat_private> with one-line body
   subscribe [OR unsubscribe] 
 which requires your ANSWERing confirmation to majordomoat_private .  
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact <risks-requestat_private> (Dennis Rears).
   .UK users should contact <Lindsay.Marshallat_private>.
=> The INFO file (submissions, default disclaimers, archive sites, 
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a 
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing, 
    http://www.csl.sri.com/illustrative.pdf or .ps for printing


End of RISKS-FORUM Digest 21.66

This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 20:53:48 PDT