********* From: "Bridis, Ted" <Ted.Bridisat_private> To: "'declanat_private'" <declanat_private> Subject: Project "Matrix" Date: Fri, 8 Jun 2001 10:03:46 -0400 http://interactive.wsj.com/articles/SB991951198507643529.htm Obscure Team Scans Systems To See Where Enemy May Hit By TED BRIDIS Staff Reporter of THE WALL STREET JOURNAL WASHINGTON -- Once upon a time, the nation's military airfields, missile silos and radio towers were its Achilles' heel. In today's increasingly computerized world, the key vulnerability is likely to be an unlocked computer server, a software bug or a network password too easy to guess. The U.S. government has an excellent sense of where its old-style vulnerabilities lie -- yet hardly any idea what today's weaknesses are. Now, a small team of experts is out to fix that with an effort called Project Matrix. The eclectic, low-profile researchers -- among them, a college physics professor, a nuclear engineer and a veteran of the federal government's Y2K preparations -- are working in near-obscurity at the Commerce Department. The team is trying to map the government's electronic underbelly to identify the systems and services whose failure or disruption by a hacker or foreign enemy could cripple the U.S. military or economy or threaten public health, and to determine how those systems are linked with, or "cascade" upon, others. "We put ourselves in the shoes of our enemy. What part of a nation's infrastructure would bring about cascades?" says team member John Tritak, who heads the office from which Matrix is run, the Commerce Department's Critical Infrastructure Assurance Office. In the past decade, government and civilian computer networks were expanded with little planning or even documentation. "We didn't understand what kind of house of cards we were building," warns Glenn R. Price, who heads Project Matrix. For instance, a crucial weather-forecasting system in a guarded concrete bunker may depend on information from computers hundreds of miles away that aren't as protected. A failure there could cause unanticipated ripples of disruption that cascade across many networks. Mr. Price, on temporary assignment from the secretary of defense, and Mr. Tritak, formerly a State Department analyst and high-paid Washington lawyer, work in musty, sixth-floor offices at Commerce Department headquarters. Much of the Matrix work is done in the building's largely abandoned basement mezzanine; employees joke about mushrooms growing on the carpets. But the real work goes on outside that building -- sometimes using distinctly low-tech methods. When the Matrix team traveled to south Florida to trace the intricate systems of the National Hurricane Center, they spent more than two days at a round oak table in a conference room with top technology experts from the weather service. Their tools of choice: butcher-block paper and felt-tip markers. The computer specialists scrawled out as much detail as they could remember about their systems; some pulled charts and diagrams off their office walls and carried them into the meetings to jog their memories. "We take the chain as far as we can until it doesn't make sense to take it any further," says Matrix researcher Patricia Burt, who taught physics at the U.S. Naval Academy. "Then we start looking at other chains." When they finished, they had produced a chart three feet high and five feet long that for the first time mapped how information flows across private and government systems before it reaches hurricane forecasters, who depend on such data to decide whether to evacuate coastlines. One Matrix researcher, Hilary Lombardo, describes this as pulling on a virtual thread to see what unravels. "There were a few elements we weren't familiar with, sort of outside the weather service and outside the government linkages," says Edward Rappaport, former head of the hurricane center's technical-support branch. "They took it three steps beyond when it enters our field of view." When the Matrix work is done, Mr. Price imagines advisers one day presenting the president with an elaborate digital map of the nation's most important computer networks predicting how a single failure could affect other systems down the line. Skeptics say the enormity of the task undermines its odds for success. "The federal government is connected to the state and local governments, the IRS is connected to everybody else in the banking system, [and] then you connect to the electrical utilities. All those are connected to the telephone system," says Paul Strassmann, who has been a top information officer at the Pentagon and several big corporations. "It's a fair estimate that 30 million to 50 million computers are involved. Even assuming the mapping would be feasible, and it's not, then it would take so long and conditions would change that it would move away from you," he says. The Matrix team says it is concentrating initially on the most essential federal systems. So far, researchers have looked at more than 4,000 systems across 10 U.S. agencies, including the network used by the Treasury Department to track the money supply, the Social Security Administration's setup to send checks and satellites used by the Coast Guard to detect signals from distressed ships. In a sign of the sometimes surprising interrelationships of these systems, parts of this satellite network also are used by the government to covertly track both radioactive materials and federal VIPs around the world. But the team, launched under the Clinton administration, deemed only 50 of the networks it studied to be so critical that they deserve full Matrix-type scrutiny. "What's the alternative?" says Mr. Tritak of the Matrix skeptics. "Throw your hands up and not do it at all?" Though the Bush administration has yet to formally endorse the effort, it is expected soon to urge the largest U.S. agencies to cooperate with Matrix researchers. Administration officials plan to meet later this month to discuss how to keep the Matrix findings secret, since they will, in effect, amount to a detailed, "how-to" guide to bringing down the government. The Commerce Department's Critical Infrastructure Assurance Office budget is tiny, at $4.8 million last year, and Matrix got only part of that, giving it just five full-time staffers. The Bush administration has proposed spending $5 million this year on the CIAO, with about $500,000 of that going to Matrix if the project is endorsed. Write to Ted Bridis at ted.bridisat_private ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 10:59:20 PDT