Schneier on Security
A blog covering security and security technology.
« Metadata in MS Office |
| NSA for Kids »
November 14, 2005
Airport Security Against Chemical and Biological Terrorism
There's a new report from Sandia National Laboratories (written with Lawrence Berkeley National Laboratory) titled "Guidelines to Improve Airport Preparedness Against Chemical and Biological Terrorism." It's classified, but there's an unclassified version available. (Press release. Unclassified report.)
I haven't read it yet, but it looks interesting.
Posted on November 14, 2005 at 3:19 PM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I've only really skimmed it so far, but there doesn't really seem to be anything that is specific to airports as against, say, shopping malls. Maybe there was more specific stuff in the classified version but there really does seem to be something of an obsession with air transport being the major terrorist target.
In practice, it seems to me that major terrorist groups are extremely flexible about choosing targets but vary their tactics only very slowly, if at all. For example over the last 4 years AQ and affiliates like JI have almost exclusively used either explosive vest suicide bombers or vehicle mounted bombs, plus roadside bombs (in one region only) and one abortive attempt to use SAMs. In contrast, targets or attempted targets have been widely varied, everything from beachside cafes to nuclear reactors.
Come on guys, what's with all the encryption talk? Isn't it much more fun to debate old-fashioned guns and butter security issues?
Bruce, I'm really interested in hearing your "The Economics of Security" talk at RSA. Any chance you will be discussing the cost/benefit of encryption, or helping us better understand how to navigate PKI implementation decisions/trade-offs?
I couldn't help but notice the report tries to specifically steer clear of anything other than "threats with the largest potential consequences" for airports.
This would not be so unusual except for the fact that the section titled "Review of Selected Historical Chem-Bio Incidents" seems to show that "the types of attacks that have been carried out or attempted" have somewhat limited (although severe) potential impact.
They specifically say on page 22 that they will not deal with the following incidents:
• Releases onboard aircraft
• Contagious person (biological)
• Food contamination (biological)
That's right. Don't eat the fish or the chicken. And yet the examples on pages 19 and 20 appear to be:
• evaporative release of sarin nerve gas in multiple trains converging on a single subway station
• a device consisting of two packages – a burning bag of sodium cyanide and a bag of sulphuric acid – was discovered in a restroom that (unlike most) ventilates to the passenger platform
• a sprayer and fan to release anthrax spores from atop an eight-story building in Tokyo
• briefcases fitted with small tanks and battery-powered fans to spray botulinum toxin in crowded areas,
• contaminated food in the salad bars
• poison the town’s water supply
• envelopes containing anthrax spores were mailed to prominent politicians and members of the press
None of these cases have much relevance to an airport's "closed" barriers (where you can filter all ingress). In fact, quite the opposite, train stations, restaurants, water supplies, mail, roof-tops, etc. all happen to be generally open and accessible to attackers from numerous directions. Thus, from a control perspective you might say that a release of gas in an underground train station might have the same intent as "releases onboard aircraft", so the examples just show that the later recommendations may be totally irrelevant to the most likely threats.
I guess I'll keep reading (the layout of the document is very accessible, at least from a regular DR perspective), but so far all I can say is "Roger, Roger". What's with the airport obsession?
"Bruce, I'm really interested in hearing your 'The Economics of Security' talk at RSA. Any chance you will be discussing the cost/benefit of encryption, or helping us better understand how to navigate PKI implementation decisions/trade-offs?"
I'm more likely to stick to general examples. That one is a bit esoteric.
I find that the audience resonates better with examples from their daily life, as opposed to specifically computer examples.
"A bit off topic, but I think you would be interested on the publication of fast implementation of MD5 collisions finder source code in C:
based on the paper of Xiaoyun Wang, et al."
There have been a bunch of results here. This one didn't seem particularly newsy. I'll take another look at it.
No surprise that the paper fails to address a critical issue in all dispersal attacks, whether biological, chemical, or radioactive. When the people in charge (the ones with the badges and guns) believe an attack has been made or is in progress, they have to decide whether to confine the victims or help them escape, and they have to make that decision with imperfect information.
DHS has been championing the policy of 'assume the worst', and they define the worst as an attack by a biological agent. Therefore the default choice is to confine the victims to prevent them from spreading a biological agent, using deadly force as necessary.
If the attackers wish to try dispersal attacks in the US, they now know not to use biologicals. As they've been taught to use resources in place, the DHS itself can become a resource they can use to their advantage to improve the 'yield' of their attacks.
What struck me about the report wasn't the substance, per se, but rather that it implicitly justifies a new range of restrictions and probable TSA efforts to layer on new security measures, pushing back the security perimeter around airports, rather than focusing on idenitifaction of threats.
I want to have detailed procedure about to learn basics of mobile phones mechanism both hardware and software
I want to have detailed procedure about to learn basics of mobile phones mechanism both hardware and software. kindly help me.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.