Schneier on Security
A blog covering security and security technology.
November 27, 2006
Interesting Bioterrorism Drill
Earlier this month there was a bioterrorism drill in Seattle. Postal carriers delivered dummy packages to "nearly thousands" of people (yes, that's what the article said; my guess is "nearly a thousand"), testing how the postal system could be used to quickly deliver medications. (Here's a reaction from a recipient.)
Sure, there are lots of scenarios where this kind of delivery system isn't good enough, but that's not the point. In general, I think emergency response is one of the few areas where we need to spend more money. And, in general, I think tests and drills like this are good -- how else will we know if the systems will work the way we think they will?
Posted on November 27, 2006 at 1:44 PM
• 33 Comments
Fire drills (or actually evacuation drills) in office or government buildings would be a good way to make things safer also without inventing whole industries of expensive technology that will be misused.
This reminds me of when they rebuilt the Pentagon after 9/11, they put little arrow indicators on the baseboard moulding (kind of like European highways where they have arrows on each distance marker post [every 100m] pointing to the nearest emergency phone so you don't walk in the wrong direction) showing the direction to the nearest exit, in the event that you were crawling around on the floor staying below toxic smoke. This was in response to dead bodies they found suffocated at the 'wrong' end of (literally) dead-end hallways.
This would also be an effective way to provide more security at little cost, and should be incorporated into all future buildings.
Q: "how else will we know if the systems will work the way we think they will?"
A: By how well it does on eBay?
...quoted from Alexfandra's blog:
"I am going to save mine until it's worth at least $1,000 on Ebay."
I am also fascinated that a) he doesn't have 3 days worth of water and a blanket and b) he expects the government to provide them.
I think New Orleans gave us a good example of how these systems fail in practice. I'm more interested in the things that work on paper and in drills, but fail catastrophically in real life since they expect people to be altruistic.
If there were a real biological attack, would enough police officers and postal workers show up to do the work? We'd all like to think they'll do their part for the good of the community, but would you leave your family to fend for themselves while you try to help others? In a biological attack, it seems like anyone out and about would be further exposing themselves to the problem.
Though, it's better to test a system that might not work as expected than sit around contemplating something more foolproof.
"We'd all like to think they'll do their part for the good of the community, but would you leave your family to fend for themselves while you try to help others?"
People *not* doing their jobs is the main reason human civilization falls apart during a zombie apocalypse.
Professionals of all types all showed up for work on 9/11, so I don't think that's going to be an issue.
Have you seen any of the mock emergencies that New York City Emergency Management has been doing? http://www.nyc.gov/html/oem/html/home/home.shtml
An EMT friend of mine who has been involved tells me that at one point they simulated what would happen if someone set off a bomb on the Staten Island Ferry.
They actually set one of the ferries on fire and had to notify the 911 call centers that it was a drill to prepare for people on the bridges to or from Manhattan calling to report it.
I think disaster preparedness drills are great. They give you a good opportunity to discover shortcomings of plans BEFORE the real pressure is on. That being said, no "battle plan" survives first contact with the enemy, right? It's just a plan...however if it is a tested plan then you are going into battle with trained people who already know some of the issues they will encounter, and how to funnel chain-of-command decisions to help streamline "change requests" and communicate adaptive measures. This CAN help when things are flying from the fan blades.
The major failure in New Orleans was that a hurricane disaster plan was being utilized for rescue, when the real disaster had already become a widespread flood. Distinctly different issues. The former called for relief efforts, the latter called for evacuation...and switching those gears took way too much time and ended up being much too costly in terms of human lives.
Why did this fail? Likely no one had ever tested the need to "switch gears" from Hurricane recovery to flood recovery. Levee failure was deemed too unlikely, and the Feds, State, and local authorities (all of them) weren't ready for that eventuality.
So don't just test your plans...give them a full workout stress test. Think worst case.
Then re-read "The Stand" and test your plans again.
Oh...and will we ever know if testing "really" makes a difference? No...not really. In the end there will always be areas you can point to and say "we weren't ready for that" or "we could have been better prepared for this". But you will know that you tried your very best to make a difference.
Plans are useless. Planning is valuable. King County has always been at the forefront of disaster planning. They were (and still are) the leaders in planning for a flu pandemic. Delivering medications (i.e. Tamiflu) by mail during a pandemic makes sense, because people don't have to break self-imposed shelter-in-place to brave lines and crowds to get the meds. Even the mail carrier doesn't have to come in contact with others.
> I am also fascinated that a) he doesn't have 3 days worth of water and
> a blanket and b) he expects the government to provide them.
Living in California, I have a pretty well-stocked earthquake kit. I've even taken some steps to distribute supplies so in the unlikely event that a gas line ruptures and my house and detached shed *both* burn down, I still have access to rudimentary supplies.
That said, I fully expect the government to provide relief in the event of a major disaster, and I don't think that is an odd thing to expect from the government. I plan for the contingency that this might not occur because I'm naturally an independent type, but the very nature of a major disaster requires government-resource-level response, because not everyone (a) plans for a disaster or (b) will have their preparations go according to plan ;)
If I have two weeks' worth of supplies and nobody else in the neighborhood has access to food or drinking water, my plans aren't going to do me much good when the mob raids my house in desperation. Rugged individualism only gets you so far...
I assume the planning includes countermeasures to prevent robberies of mail trucks by black marketeers.
During a bioterrorism attack this plan expects postal carriers to be
a) still willing to go on delivering stuff as if nothing had happened ("Neither Rain, Nor Sleet, Nor bloated corpses in the street ....")
b) not be mugged by desperate people
Brilliant plan :-)
OMG. This is the most ridiculous thing I have seen.
It seems to me that the postal service is testing to see how it does its job, but with the added benefit of instilling FUD.
If they can deliver mail, then surely they can deliver mail!
This tells me that either they can not deliver mail, or the exercise is a deliberate attempt of saying: "duck and cover, kids".
This really tells me that the post office is incompetent at all other times - which from personal experience is true, and from economic theory that a monopoly will tend to charge a higher price for lower quality service.
' In general, I think emergency response is one of the few areas where we need to spend more money.'
We are already spending a lot more money than before Clinton on emergency response, where does that money go? Graft, not surprisingly. Just look at Katrina.
'And, in general, I think tests and drills like this are good -- how else will we know if the systems will work the way we think they will?'
The problem when building up a system like this is that one is induced to use it. Give every citizen a pistol, and then check the effectiveness by letting the state police spray machine gun fire at them. That's the feeling I get, at least.
Perhaps I'm being too paranoid, but ironically the first thing that occurs to me is that the pretense of an antidote package would be a good ruse to get someone to actually open a package they wouldn't normally (i.e. weren't expecting it etc) and expose themselves to a hazard they wouldn't have otherwise.
It would thus be like the emails that trick users into installing a "patch" to fix their system when actually it will do the opposite.
As we all know, in the movies, the evil villains value a sense of irony above all else.
'Perhaps I'm being too paranoid, but ironically the first thing that occurs to me is that the pretense of an antidote package would be a good ruse to get someone to actually open a package they wouldn't normally (i.e. weren't expecting it etc) and expose themselves to a hazard they wouldn't have otherwise.'
Exactly! I was just thinking that, myself.
Bruce, shouldn't this drill be called 'security theater' too? Why not?
If you really want to deliver a malicious package, pay the postage and mail a prize. To really encourage opening, use iPod packaging, with just enough heft to feel real. A bar of soap should work.
"b) not be mugged by desperate people"
RTFA. The mail carriers were escorted by police officers.
If you send 1000 packages to random people with government labels and instructions for use, how many people will die before the authorities realise that their test has been subverted?
Heh, that reminds me of a WWII poster I used to have that depicted how emergency response teams would fan out across all of America.
Every neighborhood was to report up to a facilitator, who would report into city or municipality coordinator, who would report to a county...
From that perspective, I think the risk scenarios are the point, not the distribution/supply system. Doesn't matter if the post office can distribute all the medicine in the world if they can't handle common looting or counterfeiting problems (as Geoff and others have already pointed out).
If you do not have a good supply security management and monitoring/accounting system in place to oversee the distribution of goods, I suspect the likelihood of anything valuable getting to the destination is about 30-40% at best.
I've noticed this with regard to everything from those little trivial alcohol bottles they used to serve on airplanes (until the looting became too costly to sustain) to humanitarian assistance efforts shipping food and medicine:
Although the police escort is a start, is a single officer per carrier the correct risk mitigation for trucks filled with valuable medicine?
From the report:
"the police officer accompanying the postal mail carrier will not come to your door. The officer will stay in the postal delivery truck or on the sidewalk. [...] Having a police officer follow the delivery route provides security for the postal carrier and the medication supply, allowing the deliveries to take place as safely and quickly as possible."
Seems to me the police officer would be completely isolated from the force (also spread-out on assignments) and therefore at the mercy of local communities, which should probably be involved in coordinating anyway.
Not sure I'm explaining clearly, so if I can find that poster from WWII I'll put it online.
What exactly did this exercise prove? We already know the post office can deliver mass materials to just about every house on its beat, witness the fact that your form 1040 and supporting schedules will appear in your mailbox just before the new year. Proving what is already known sounds like security theater.
Well, so far I only managed to find the Civilian War Services Block Plan from the US Defense Council in WWII. Still looking for the Civilian Protection chart. I posted the image here:
Doesn't this test also tell us how easily the system could be used to deliver dangerous packages?
"The mail carriers were escorted by police officers."
Even in the non-pandemic situation, we have people stockpiling these drugs out of simple fear for their lives.
In a real pandemic, where bodies are starting to pile up and the risk blatantly obvious, it would not be unreasonable to expect that anyone carrying around a so-called "cure" will be shot and killed outright. "Better them than me." So to just detail a few cops means that a few more people will be killed in addition to the courier. Now maybe the government will be stupid enough to try the trick once, but after the first attack there will be precious few volunteers for subsequent delivery attempts. Further dispensing will likely require people coming to the supplier, not the other way around.
When 1000 flyers saying "This is a drill. There is no emergency" have just gone out would be the time to attack, then?
On the other hand, testing plans is generally a good thing.
In a real catastrophe, the police will have their own agenda. There won't be any loose cops hanging around to stick with babysitting duty. (Child minding, UK.)
As we know from experience with civil unrest, the number one thing the police do when a problem threatens to overwhelm their routine operations is gather together in large numbers in safe enclaves. Massed manpower, firepower, and motive power are their key assets, so they will not waste resources venturing out in small sorties. City blocks could be burning, but the police will not show up until after armed citizens have stood up to protect the public.
The postal workers would have to rely on YOYO -- You're On Your Own. My guess, they'll grab their allotment of drugs, abandoning their routes, and take care of themselves and their families. They won't worry about getting fired, since all of their bosses will have fled already.
Sounds to me like Cold War drills. You know the get-under-the-table-and-survive-da-bomb. Civil defense preparedness was useless both in the US and the Soviet Union. The reason? The magnitude of the disaster is just too big to handle (I suggest the 1984 movie "The Day After" as a good teaching aid).
So either we have a small epidemic, or a large pandemic. In the first case, good hospital and medical teams are fine, in the second one there's little you can do.
Wouldn't the time and effort spent on those drills be better spent elsewhere? Maybe better vaccination programs for the everyday virus instead of worrying about movie-plot scenarios?
@ Pat Cahalan:
> because not everyone (a) plans for a disaster
> or (b) will have their preparations go
> according to plan ;)
I'd rather put my faith in my own preparations and in God than in a demonstrably corrupt central bureaucracy. And that's precisely the reasoning that led to a U.S. Constitution that does not explicitly empower the central government to act in this way, at the taxpayers' expense. And, before somebody cites it, remember that "General Welfare" was and has been interpreted (even into the 20th century, U.S. v. Butler) to _restrict_ the powers of the central government, to those Acts that promote the welfare of all the people, therefore excluding Acts that promote the welfare of some of the people at the expense of others.
It is a "novel interpretation" of the General Welfare clause - precisely that interpretation the Court ridiculed in Butler - that empowers the central government to the excesses we've lately witnessed.
"Duck and cover" drills were a good idea: 1) A blast does not have to be part of an all-encompassing doomsday scenario, 2) not all blasts are nuclear, 3) not every school is directly under it even if it is nuclear. Saying D&C is a waste of time is like telling soldiers not to dive under cover when they hear incoming artillery. Yeah, if it lands on your head it won't make any difference, but some sandbags, a helmet and a foxhole will convert a near miss from evisceration into ringing ears.
There are two types of levees: those that have failed and those that will fail. Don't put all your eggs in one basket - have a plan for dealing with a single brittle defense when it fails. Better yet, don't use a single brittle defense - if you just HAVE to have your city built underwater, then have movable barricades to block the sea ends of the canals in case the canal walls fail. Have pumps that are protected against water incursions. Have evacuation drills. Or best of all - don't build your city underwater to begin with so you can devote your resources to things other than making an untenable location tenable. But don't build something poorly, in a stupid location, be too cheap to defend it properly and then complain to the rest of us that we should fix it for you when the inevitable happens.
@Pat Cahalan: Water has a lot of mass, maintaining enough water in a survivable storage facility for an entire population is a waste of resources when the people could have easily done it themselves. Then only people in the worst parts of the impacted area would need government assistance, not the whole city/county/state who were out of water for a couple of days but otherwise unaffected. A gallon of water that you put in your own empty chlorine-rinsed plastic milk jug in advance probably cost you $0.02. That same gallon provided by the government after a disaster probably costs $72.19.
"Bruce, shouldn't this drill be called 'security theater' too? Why not?"
I admit that this looks like security theater from the perspective of the recipients. But all drills are in some respects "theater."
The point of a drill like this is to see what works, what doesn't, and what can be improved. You can think through the scenarios again and again, but there's no substitute for actually doing it.
Hmmm. I can't help but wonder if this was the inspiration for last week's Perry Bible Fellowship:
(Some comics on site not safe for work, or impressionable apes.)
'I admit that this looks like security theater from the perspective of the recipients.'
Well, we have established the fact that it's security theater from the perspective of non-recipients (see others above).
'But all drills are in some respects "theater."'
You have just complicated your own analysis.
The liquids ban was a drill, then too.
TSA is just one giant drill.
The imperial wars we wage are just 'drills' as well.
I have always thought that your purpose of using 'security theater' was a derogatory term for bad security practice, one that looks superficially good on the surface but in reality secures very little.
Now you seem to be telling me that it's OK, because it's a 'drill' ! And a drill is a type of theater. But then this blurs the reason for even having the term 'security theater', because all of the theatres are purposeful drills conducted by individuals, corporations, governments, etc.
Unless of course you are being pedantic, and the term drill applies only in cases where actions are explicitly called 'drills'.
'The point of a drill like this is to see what works, what doesn't, and what can be improved. You can think through the scenarios again and again, but there's no substitute for actually doing it.'
Works on whose behalf?
Works against whose behalf?
Improved for who?
You see these are the questions that are never asked (and it's a shame), it's just implicitly assumed that it's done for the 'general welfare', something that DOES NOT exist.
It is quite likely that in the next decade - remotely controlled robots could take the place of Postal Carriers in emergencies like these.
@ Anonymous Coward
> I'd rather put my faith in my own preparations and in God than
> in a demonstrably corrupt central bureaucracy.
I'd say that God is at best an unreliable source of aid (at least the material sort), and demonstrably less reliable than even a corrupt central bureaucracy.
I'm not saying that government isn't corrupt, or that there isn't the opportunity for mismanagement by governmental entities, but certainly you'd agree that you (personally) don't have the resources to support your neighbors?