Schneier on Security
A blog covering security and security technology.
« Lessons from Mumbai |
| Evolutionary Perspectives of War »
December 1, 2008
Communications During Terrorist Attacks are Not Bad
Twitter was a vital source of information in Mumbai:
News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.
The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city. Although the chatter cannot be verified immediately and often reflects the chaos on the streets, it is becoming the fastest source of information for those seeking unfiltered news from the scene.
But we simply have to be smarter than this:
In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.
And this morning, Twitter users said that Indian authorities was asking users to stop updating the site for security reasons.
One person wrote: "Police reckon tweeters giving away strategic info to terrorists via Twitter".
I can't stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn't be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.
This fear is exactly backwards. During a terrorist attack -- during any crisis situation, actually -- the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.
Posted on December 1, 2008 at 12:02 PM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm having trouble visualizing a terrorist with an AK-47 stopping and digging through Twitter to see if anyone posted any useful information.
For one thing, while he's doing that his eyes are off of his environment. Not a good idea for him if there are security forces in the area.
Also, don't forget that the security forces can post incorrect information in such a scenario to get the terrorists to react in a certain way.
> During a terrorist attack -- during any crisis situation, actually
> -- the one thing people can do is exchange information.
The proper thing to do is design systems where the appropriate information easily flows to the appropriate destination. You don't want information overload going to emergency responders, but you do want critical information going where it needs to go, and non-critical information prioritized properly... and prioritizing the information is the hard part.
You should check out the RIMSAT project, if you haven't already (http://www.knowledgeboard.com/item/1527/23/5/3), it's an interesting first-go at one end of this problem.
Agreed. The good guys have a lot of distributed brainpower and can make much better use of open information than the bad guys, who are under pressure. Even if they have access to external help (in this case there is no evidence that they did), they still have to absorb and use the information.
I thought the only real information given away by TV (and social media) was the airdropping of commandos on the top of Nariman house. The helicopters had performed a couple of recon's earlier, but the terrorists would have had no idea if and when commandos were being airdropped. Most other times, the TV channels didn't have access to valuable information anyway. I was monitoring twitter and am not aware of any sensitive information given away there either.
Off-topic but related, here's one idea: there should be a well-publicized emergency shortcode (like 911 in the U.S. or 100 in India) to which people can send SMS and MMS. This is useful in situations like hostages being unable to communicate overtly, emergency control lines getting jammed, or if victims need to send photos to aid rescue or intelligence. Is there any country that has implemented such a shortcode ?
During a crisis like this, the ability to obtain information is of the utmost importance. My condolences go out to the victims of this tragic event.
> while he's doing that his eyes are off of his environment
Have a team somewhere watching Twitter along with news sites, watching TV news, etc., and radio the terrorists actually carrying out the attack if anything high priority shows up.
Obviously you don't want this to be used to track your planning team, so add scramblers, spread spectrum, relays, and fluffy white cats to movie plot taste.
I've said before that this whole "twitter might be used by terrorists" thing is a crock:
What's next? Terrorists might use cars? They might eat food?
If in the past they didn't monitor internet communications, now they will.
The problem is that governments see civilians as obstacles or, at best, inert objects, whereas they really should be treating them as allies. This "we know best, sit down and shut up" attitude is seriously counterproductive.
Counterproductive depends on what you want to produce. The people who listened to the authorities in the WTC attacks mostly died, since they were told to stay in place, thereby improving the gene pool.
The most interesting information security quote from uhoh's articles:
"The killers demanded a list of the names and room numbers of all British and American guests at the Oberoi hotel"
The information the hotel needs to know is name and credit card number. Even that isn't needed at the front desk (though, the last story about hotel security probably means they need some form of authentication). The rest is information that they shouldn't be keeping but almost always do. Sometimes the local authorities even force them to keep that. Probably the fact they recorded it lead to actual deaths.
NN, your personal attacks on W. David Stephenson are way over the line. Do not post about him or his product to any thread on this blog again.
My argument is, that the terrorists have high tech communication instruments with them like blackberries and sat fones. What if they had a setup like a communication center or control room, in the outside world and people in that setup, monitor social nw and send only the crux to the attackers to abet them. what if..?I dont have any evidence..its just a speculation...
Unfortunately, there's an existence proof for this kind of "movie plot scenario" - i.e., Munich 1972. News programs broadcast live footage and commentary of an attempted commando raid, tipping off the terrorists and forcing the raid to be called off.
It's lazy to simply criticize the demand from authorities (who were, to be sure, fairly hapless during the crisis) to stop using these tools, but that doesn't mean that someone's desire to know in real time trumps the need for secrecy during ongoing operations.
I'm disappointed - I expect more complex reasoning from this blog.
1972 was a bit before my political awareness, but I've done some searching today looking for some details of the "media breach" described in the Munich event to see if it maps well to the recent incident in Mumbai, and I haven't found any details of this event. (I haven't read "One Day in September", for whatever that's worth)
I'm frankly a little surprised that I haven't found any information regarding exactly how the media's broadcast description botched up a rescue attempt. Not that I'm saying it didn't happen, but I'd like to see some sort of details...
In any event, there is a huge difference between relaying tactical information regarding a specific law enforcement or military action in response to an incident and aggregating information such as what is described in the post above.
I find it extremely difficult to believe that information such as people were sending out via Twitter is of net negative value in a terrorist incident. If I'm an unarmed civilian hiding in a hotel room while a handful of terrorists are taking hostages, my inclination is going to be to transmit information on my location in nearly any way I can determine. The likelihood is low that twittering my location via my cell phone is going to lead to my rescue, but it is orders of magnitude lower that it is going to lead to the discovery of my position by the bad guys.
I strongly disagree with Bruce on this one. Live commentary through TV or Twitter or any medium for that matter, on strategy used against terrorists. Not only is the strategy not useful to the common man (does it really matter if I get to know of the strategy half an hour later?) but it is useful to those *specifically interested* in this detail (the terrorists were known to have Sat-phones, so there could be a complete remote workstation just filtering out relevant live news and providing it to them). What is the big need to TVs to broadcast this live strategy? Twitter users were mostly sending updates obtained from this TV coverage and nothing more.
On a different note, the main objective of such an attack is to spread terror among masses. 14 Indian news channels (I do not have the count of foreign channels) covering this live and repeatedly showing horrendous videos of fire and blasts surely helped the cause to a large extent!
Tiny correction to the previous comment: Live commentary through TV or Twitter or any medium for that matter, *specifically* on strategy used against terrorists *is not required*
@Moderator: "NN, your personal attacks on W. David Stephenson are way over the line."
Sheesh! Get a sense of proportion! My "attacks", as you so prosaically call them, are hardly all that personal, and the product deserves all the lambasting it gets - after all why put it on this blog? Worried about litigation? Never mind, I guess you'll probably delete this post too.
If it is true that the terrorists were targeting US and UK travellers in the city, imagine how much more effective they would have been had they been using an RFID scanner that could detect signals from chipped passports.
I agree with you in the importance of communications during this kind of events. But I'll give you an example where this in not quite right.
There were two Spanish politicians trapped in the hotel Oberoi, and all major newspapers in Spain published the exact floor where they were. Ironic enough, they also published the recommendations from the Indian security forces: "remain hidden with the lights off".
I'm just wondering, is it any good in publishing the exact location of the people? It will be helping the terrorists, not the security forces; those should be aware of the location already (or at least informed through a private channel).
When terrorists run rampage in a building where I am hiding somewhere to escape there attention - the last thing I want is for someone to twitter (or whatever the current buzzword is) my location online, possibly leading terrorists to my hiding-place.
If sometime in the future technology enables me to appear as a large potted plant I might give it a try though.
"I'm just wondering, is it any good in publishing the exact location of the people?"
I don't think it is a good idea to broadcast that info to everyone. Only a select people have an immediate need to live data: the responders and those related to the victims.
I forgot to add, not every tourist carries their passport with them all the time. It's not required in India at least. More likely discriminators are the colour of one's skin, mannerisms, gait, etc. I remember someone telling me she could tell the difference between a person raised in India and a person raised outside by the way that person walked. Completely non-scientific though but there are ways.
This free flow of information is very disconcerting to a lot of governments and mainstream media outlets because both of them have a vested interest in controlling some part of the message. I think this is just the most prominent example of a push back from these groups, but this sort of thing goes on all the time. Just ask some indy media types who went to the RNC this summer about aiding "terrorists" ;-) And they had some of the best coverage of the event.
Of course communications during terrorist attacks are bad. CNN acted as spotters for the terrorists in the Taj. If the hostages in the Chabad house hadn't already been tortured to death, the live broadcast of the slo-mo Indian commando raid would have told the terrorists it was time to murder them.
Of course communications during terrorist attacks are good. Blackberry was used by many of the folks in the Taj to find out if the people down the hall were rescuers or terrorists.
I'm sorry, but this is just wrong headed. As Daniel mentions above, civilians have no need to know about strategy or rescue efforts as they occur - but the terrorists certainly do, and they were obviously equipped with the technology needed to take advantage of the information being spewed across all channels - not just Twitter - about the attacks.
Maybe you wouldn't want to know, Porkchop, but I'd be more than mildly curious if they people out in the hallway shouting that they were the authorities coming to rescue me were just that or the terrorists asking me to step into their parlor.
But, yes, the terrorists did monitor coverage, just like in one of those movies things that Schneier is sure is always irrelevant to real life.
Sue Do Nym - Security people announcing their presence is a very different thing from random passersby announcing the same. If the security people are calling out then, presumably, they aren't worried about trying to surprise the terrorists.
A terrorist attack is a pretty classic case of information asymmetry. The terrorists have all the information: who and where they are, what their goals and targets are, etc. The public and the authorities typically know almost nothing.
In such a situation, information sharing by the public and authorities is the best way to even the score. Even if it's diffuse and vague, it's better than nothing. And if information *does* leak to the terrorists, you're rarely telling them anything they don't already know.
The Munich 1972 commando raid is the exception that proves the rule: in that case, the public had more information than the terrorists, the asymmetry went the other way. But this is a relatively unusual case. And in general, if your antiterrorism plan falls apart if the terrorists have a "man on the outside", you've got a pretty lousy antiterrorism plan (which, as far as I can tell, was absolutely the case in Munich.)
By the phrasing of the article linked, it sounds like the blackberry phones were used for an entirely different purpose than what you're proposing.
The terrorists weren't using them to find out useful information regarding their attack, they were using them to find out the worldwide reaction to their attack... which actually makes a ton of sense.
Terrorists regard the attack as successful if they make news, not by body count (except in such a way that the body count increases their exposure)... as can be noted by the other thread currently on this blog. So they have the blackberrys to keep track of their publicity.
Also, to claim that civilians have no need to know of rescue or police strategy is just plain silly... of course it would be useful to the civilians to know in a general sense when police might be staging a rescue (certainly at the very least, the converse - when the police are *unlikely* to be responding). Certainly it would be useful for the responders to know where the civilians are. It's also useful to the responders for interested outside parties to know the status of the civilians -> if you can find out via twitter that your spouse is hiding and safe, you're not calling 911 (or the Indian equivalent).
While it's certainly silly for a Spanish news agencies to broadcast the location of high value targets, it's not generally silly for those high value targets to broadcast their location.
Put another way: if I'm in a hotel, and there's a cadre of crazy suicidal terrorists in the lobby and heavily armed police outside, and I'm currently on the 12th floor hiding in a closet, I don't particularly think it's a bad idea to broadcast that information, even if it's possible that the terrorists may also acquire it.
That information is highly valuable to me, and it's highly valuable to the responders (they know exactly where to go to get me), but it's significantly less valuable to the terrorists *who already have hostages* (unless of course I'm a high-value hostage target).
I'm essentially merely a target of opportunity to the terrorist -> if I waltz into their sphere of immediate command, they'll capture/kill me. I'm *not* a target of opportunity to the responders -> I'm a high value target, a "rescue"-able non-hostage victim. I can be retrieved with little immediate risk.
There is no doubt that the media blew an attempted rescue by German commandos in Munich in 72, so pleading ignorance of recent history is hardly a serious counter-argument for "more information" the public didn't need in real time.
This "more info is good" seems highly kneejerk in the Mumbai situation. I suspect the real-time information being released by people in the field would fall into three categories:
1) "I saw a terrorist/am being held by/heard gunshots over there" (which is probably the most valuable category, but is extremely error prone and could be used to set up ambushes)
2) "Hey, why are all these commandos mustering here" (which could only be bad) and
3) "Hey there's a guy up on that 12th fl. balcony." (which puts him in danger of fools announcing his location to anyone monitoring the channel.) If a guy wants to announce he's hiding in a closet of room 718 than so be it, that's his neck. Why is it important that online gawkers know this in real time? The authorities already have an information advantage once the clash begins. How is it strengthened by cyber yentas?
Article seems good proof for simple shared secret covert communications through open sources planning for proper handling?
Problem is the secret handling and contact lists. Also, a sophisticated Mallory is becoming more likely these days. Grr, good old crypto stuff, sets the stage.
If police/etc could get a list and contact next of kin, etc, then better handling perhaps? One hopes security is up on this.
Granted, this is a rare event, but with all the tools we have today, a little communications and planning goes a long way.
Granted, some could set this up during the event with their blackberry, but still...not that many would even think it.
In the aftermath of an incident like this, it usually takes quite some time before the dust settles and early rumours and speculation get replaced with facts.
Having said that, the story being reported in India is that information from internet feeds and careless journalists was being monitored not by the terrorists on the ground with the AKs, but by overseas contacts who then relayed the most salient points by sat-phone. (It is not clear how they could know this, unless it comes from the one terrorist who was taken alive -- who does seem to be singing like a canary.)
There are at least three specific incidents where it is alleged that this information appears to have helped the terrorists to find and kill people hiding from them, or to defeat and kill security forces.
Quite possibly some of those reports are wrong, or exaggerated. But if we go on what is being published at the moment, then it would seem that free publication of this information was most definitely harmful.
@ Mark M
> There is no doubt that the media blew an attempted
> rescue by German commandos in Munich in 72,
> so pleading ignorance of recent history...
Dear sir, I did not claim that this wasn't the case (36 years ago is also not "recent history). I simply asked for a reference. I've read a lot about various terrorist incidents, but somehow I've missed Munich in the past.
Three people have now presented this claim on this thread as de-facto "common knowledge" about which there is no doubt, but I have not found any verification of this claim (except by random commentators on other blogs). No newspaper articles, editorials, or analysis of the event published by law enforcement personnel.
I'm not saying that there isn't one, but generally speaking if I spend 30 minutes looking for something and can't find it (I have access to two universities' online libraries as well as the general internet), my general inclination is to call shenanigans and ask for a reference.
The references I found (in admittedly a short period of searching) all claimed instead that the German police was not adequately trained to respond to this event, and the botched rescue attempt was due to the response team not acting with unified communications - the right hand didn't know what the left hand was doing.
If there is no doubt in your mind that the media was responsible for the botched rescue attempt, you ought to be basing this upon some sort of evidence (other than a general distrust of the media). I'm just asking to see it.
Here is a story on the subject that makes you think. Is is supposed to be a true story from the war in Croatia in the '90s.
An artilery sergeant in the Yugoslav army received a task to organize an artilery fire towards the nearby Dubrovnik airport on ashort notice. As he didn't had a reconnasance unit at his disposal he used the following trick to guesstimate the firing parameters.
He fired a probe from one weapon towards the general direction of the airport and turned on a radio tuned to a local Croatian news station. He waited for a artilery shelling report on the news to pinpoint the exact location where his shell landed and used it to add corrections to his firing parameters. As soon as the radio news anonuced that Dubrovnik airport was a target of an enemy artilery fire, the sergeant used the last parameters to set up an artilery barrage from multiple weapons against the airport.
@Anonymous, I've heard the same story about artillery in Italy during the Allied advance, although in my version they were listening to German radio chatter. Either may be true; it certainly seems feasible.
So, let's see, my terrorist plan is that I monitor all the conversation tweets of all the users of twitter to get the locations of elderly millionaires when I shoot up a hotel. Is that how that twitter thing works? I should also hack the interwebs and get all the email too.
Or maybe I should just
shoot the rich looking foreign guy, which is easiest? Oops, shot a guy that looked rich but
was a waiter as well as about 20 millionaires, my terrorist plot has now totally failed?
I say drastic controls over the internet, cell phones, media, blogs, tv, radio and any other forms of communication imposed at all times will be the only solution to help us defeat terrorism.
Because one time 36 years ago some got shot in Munich because of tv we should have strict military law over all aspects of global communication. Or even today, because some geezer in India gets popped because he went on tv, that is worth total
control of communications, even though hundreds of others got shot without the aid of
Maybe to do something about the cause of terrorism: we should just prosecute USA war criminals for torture, invading countries and bombing civilians and civil infrastructure, 20-30 of them done in a treason-capital way should do it. Worth a try anyway, just 20-30 vs a million or so casualties..., the USA gets off pretty much scott-free and grubs out the roots of much of global state terrorism. For such a small investment of resource the possible payback would be worth it.
If I'm not sure whether the guy in the hall is really a cop, I'll call 911 (or local equivalent) and ask them his name. (It's not impossible for bad guys to have captured a police switchboard, but I can't think of anything that can help if they do.)
The knee-jerk is getting worse: now NYPD wants to jam cellphones citing the Mumbai attacks as inspiration.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.