Schneier on Security
A blog covering security and security technology.
« Zero-Day Microsoft PowerPoint Vulnerability |
| Fake IDs Save Lives in Iraq »
July 18, 2006
Top Terrorist Targets from the DHS
It's a seriously dumb list:
A federal inspector general has analyzed the nation's database of top terrorist targets. There are more than 77,000 of them -- up from 160 a few years ago, before the entire exercise morphed into a congressional porkfest.
And on that list of national assets are ... 1,305 casinos! No doubt Muckleshoot made the cut (along with every other casino in our state).
The list has 234 restaurants. I have no idea if Dick's made it. The particulars are classified. But you have to figure it did.
Why? Because here's more of what the inspector general found passes for "critical infrastructure." An ice-cream parlor. A tackle shop. A flea market. An Amish popcorn factory.
Seven hundred mortuaries made the list. Terrorists know no limits if they're planning attacks on our dead people.
The report says our state has a whopping 3,650 critical sites, sixth in the U.S. It didn't identify them -- remember, we wouldn't want this list of eateries, zoos and golf courses to fall into the wrong hands.
That number, 3,650, is so high I'm positive we haven't heard the most farcical of it yet.
What's going on? Pork barrel funding, that's what's going on.
We're never going to get security right if we continue to make it a parody of itself.
Posted on July 18, 2006 at 7:25 AM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Did anyone catch the documentary, "The Power of Nightmares" on CBC (http://www.cbc.ca/passionateeye/powerofnightmares/one.html) last night? It made the case that Al-Quaeda didn't exist until the American neo-conservatives made them up and that the current politics of fear -- including the new vulnerabilities of an Amish popcorn factory -- are the result of an attempt to bring moral and religious issues into American culture.
On the other side of the coin, casinos, popcorn, restaurants, sport fishing, and ice cream represent the "selfish and materialistic nature of American life."
Assuming that the documentary is correct (I haven't researched anything to support it), we're not talking about security; we're talking about worst-case scenarios to support the case that a great evil exists. If the neo-conservatives made up the enemy, it would follow that they would have also made up the enemy's targets.
Part of me hopes that our clients didn't see the documentary; we don't a reason for them to confuse serious security threats with farcical terrorist threats.
Some are already able to find the "terrorist implication" of non-terrorist-related threats.
Hmmm. I don't understand how this is pork barrel funding. Will there really going to be dollars spent of each of the 77,000 identified site? (OMG, if that is true I must be dumber than I look!)
My guess is that, intentionally or unintentionally, the numbers are so high that it makes any efforts to secure these targets impossible. This also, probably intentionally, continues the politics of fear that Chris talks about.
I don't find much different between specifying 77,000 targets and specifying the entire country is a terrorist target.
I should check which congresspeople are on the oversight committee(s), and complain. The average 10-year old could make a better list.
We're being offered a seminar on how to identify WMD's here in a non-essential, non-target town in Oregon. Somebody's paying to put that on.
I could see it being possibly neccesary in a city 30 miles from us because they have some manufacturing and a commercial airport, but unless it's homegrown, I don't think we be seeing any action out here in the sticks. Maybe they're thinking of the high overpass on I-5 and the disaffected bums that have a stopover campsite just up the hill from it.
Probably because we're a major retirement community and all the people who have too much time on their hands to sit in front of the set wringing their hands need something to act as a fear pallative.
The point should probably be made that making a list as broad as this one does some of the terrorists' work for them: by generating a sense of vulnerability all over the country. While there might be some value in terms of alertness, on the part of security personnel, one cannot escape the sense that this is part of a pattern of cynical manipulation of the terrorist threat by those in power.
"...our state has a whopping 3,650 critical sites..."
Hell, our city has almost that many Starbucks! And, as everyone knows, the best way to spread fear is to threaten our morning latte!
Do you think this ridiculous list would have anything to do with this article about cutting 40% of anti-terror funding for New York and Washington? "A DHS risk scorecard for the city asserted that the home of the Empire State Building and the Brooklyn Bridge has 'zero' national monuments or icons." "Winners included [...] smaller cities such as Louisville (up 70 percent), Charlotte (64 percent) and St. Louis (31 percent)."
"The particulars are classified...Why? Because here's more of what the inspector general found passes for 'critical infrastructure.' An ice-cream parlor. A tackle shop. A flea market. An Amish popcorn factory."
So, when is the DoJ going to prosecute the Seattle Times - and this site - for divulging classified information?
I wonder if some of the odder choices of place relate to the "off duty" activities of some of the U.S. Gov senior figures ;)
You know that quite little fish restaurant down some back street that Congress man XXXX is fond of taking people too...
Seriously though some of the odder choices might well be due to this sort of thing, even if it's not your local politician. For instance a casinos in of it's self is just a building with some expensive bits of furnishing in it. However now add the people with a lot of money in their pocket to the place. How many of those people are on welfare and how manny on 200K Dollar incomes?
Assuming the later are more prominent then you have to ask what they actually do for a living and what happens if they become either bomb victimes or hostiges, and the resulting damage to the U.S. economy...
This story does not indicate which list is involved here. The one which has gotten the most criticism is populated with the results of a survey filled out by state officials. The state officials had no guidance on what to fill out, with predictably inconsistent results. Since that list isn't directly used for anything, though, its thorough uselessness is not really very important.
I dont' think the neo's "made up" al-qaeda, but what they did was have the contingency plan in place to make moves once there was a suitable trigger.
Government is supposed to be creating all sorts of contingency plans - it's one of its major functions. And this function is easily corruptible to one ideology or another. Look at Bush before the 9-11 - bumbling, boring, nobody cared, had odd tax ideas and not much of a statesman, barely elected.
And then look how the machine sprung into action with the galvanizing force of 9-11. He transformed like a frickin Voltron into something very different from his pre-9-11 Presidential self.
There is no conspiracy here - there was careful planning by his policy wonks. Those guys like Rumsfeld and Cheney were never hiding these things - they would speak out about their ideals. They got the chance to put the rubber to the road when the planes hit. And recent history has judged their ideals and found them to fall very short of their aspirational goals.
FDR couldn't have made his New Deal work in a different climate than Depression era America - the robber barons and bankers would have laughed him out of office and audited him to death. The neo-con plans were waiting for years for proper implementation once everyone realized the Soviets were in a tailspin and the Cold War was over except for the coups.
Again, this isn't conspiracy but documented newsletters and policy papers.
I have just noticed the Journo is from Washington State, and he is wondering about places that might be of concern...
Well most people know that to the North West of lake Washington is a little town called Redmond where a certain software company hangs out (the Microsoft rock micht be concidered an international monument by some not just national ;)
Oh and a few miles up the road from there is Bothel (yes it's a real place in King county) well there are one or to fairly insignificant looking buildings just up from the Marriot Residency there that if destroyed would have a very significant impact on communications in the entire continental U.S.
Apart from Microsoft there are a few other companies of note up in that far north west state with weather like the U.K., CIsco, AT&T, Cingular, etc etc.
Oh and of course Seattle is the home of the all those Coffee (shop) companies that appear to be creeping across the face of the globe faster than the burger giants.
And the last time I looked the majority of the U.S. (working) Wealthy list lived / worked / played in Washington state.
I think many of the locations on the list are just places where there is often a large number of people, like casinos. To support this theory, remember that stadiums are already on heightened alert, needing heightened security presence.
So if the planners who contributed to the list think "critical infrastructure" correlates to "heightened security presence", it's pretty obvious how all kinds of wacky locations get on the list.
That's the problem with the list: no objective criteria. Another is probably "no justification necessary", which means you don't have to justify the ice cream parlors or casinos by giving any reason or rationale, and there's no penalty for including anything that's inappropriate, so it ends up being exactly like every wish-list or laundry-list. No real sense of priorities, and everything in there but the kitchen sink. As a software developer, getting lists like this from clients is quite common, and has been for at least the 25 years I've been in the biz, and probably for a lot longer than that.
Add priorities, add what you're willing to pay, for each item on the list, then get back to me. Until then, the list is useless.
There are critical infrastructure targets, like refineries, power generation stations, offshore oil platforms, etc. These are targets that require our strongest security measures.
Unfortunately, as shown in Israel and other places around the world, there are also social infrastructure targets. The enemy has shown itself willing to strap on explosives and blow itself up in school buses, neighborhood restaurants, shopping malls, churches, mosques, or basically any gathering of people. They have no regard for themselves or their targets, so it's no wonder the hysteria is out of hand.
There is no real way to secure each and every target, so the terrorists have room to operate. However, having a list at least helps with the contingency planning of what to do after one is hit.
I fail to see how having a list helps with the contingency planning.
Do you mean that if you (your business) are on the list you should have a contingency plan, and if you (your business) isn't on the list you don't have to worry about terrorist attack?
I hope not...
Or perhaps you mean that groups like Fire and Police departments could use this list to formulate specific plans for their response to local events (knowing the likely targets)?
That seems more plausible, but contingency planning is best done in general terms, and not specific terms. Plan for things like "public bombing" and not 32 different "flavors" of public bombing at different Casinos, cafes, and popcorn factories.
The point you make that I like is that the Critical Infrastructure targets are important and security measures should be taken to prevent/thwart attacks.
Going beyond covering these targets seems daft, because of the "open nature" of terrorist attacks. As you point out, they can strike nearly anywhere and there is little to be done to defend against that.
So why list them at all? Certainly there are more than 77,000 possibilities, why stop there? Stop at what you can reasonably expect to secure. I think that is the point of the article.
@ Jiminy cricket: Neos HAVE been planning this, including the invasion specifically of Iraq, for decades. There was an article in Foreign Policy by Wolfowitz, et. al. discussing that we needed to force democracy, and that Iraq because of Saddam presented the only viable target. Note, this was 7 years before 9/11, but 9/11 gave the Neos the political excuse to execute their grand vision.
And I believe we have to look at the results, Iraq and increasingly Afganistan are quagmires, the Palestinian democracy has elected Hamas, Hizbollah threatens Israel more significantly than ever with missiles provided by the axis of evil countries, who we can't even credibly threaten because we are so tied up in other places (wasn't deterence going to be one of the good results of all our warmaking?) North Korea and Iran are 'nucular' capable...
W says he's a results oriented guy, lets look at the results of the $350B he's spent on war.
so you're a restarauteur. which has more cachet, three stars in the guide michelin or being designated "critical infrastructure" by the department of homeland security?
"W says he's a results oriented guy, lets look at the results of the $350B he's spent on war."
One result, the US Dollar is slowly slipping down to a level where it would otherwise have been if it was not used as an international trading currency. (If Sadam had as was rumoured before the invasion switched to selling Iraq oil in Euros then it would have de-valued almost over night...).
Another result the $350B GWB has spent on the war has as in past wars realy strengthend the economy of the areas it has been spent in. (Unfortunatly due to the "outsourcing" of the U.S. labour etc it has effectivly been spent in other countries strengthaning their economic position quite nicley whilst the US has slid downwards...).
I could quite easily go on and on with this but, as a non U.S. person it would be unkind. (it might also stop you giving us such benifits ;)
"so you're a restarauteur. which has more cachet, three stars in the guide michelin or being designated "critical infrastructure" by the department of homeland security?"
Hey unlike the Political weenies I can read the Michelin Guide when ever I want to not so with "Critical Infrastructure" list.
The real problem isn't the metrics by which they measure "likely targets". Sure, it's likely that there is some pork barrelling going on here, but the main problem is that *they're trying to harden likely targets*
The 77,000 are probably actually "credible" targets. There's probably actually 10 or 100 times that number of "credible" terrorist targets in the United States. As Bruce himself has pointed out on innumerable other threads (and the movie plot contest showed in detail) any place where people congregate can be a suitable, credible terrorist target. Every power generation facility, every chemical plant, every communications nexus, military base, police station, hospital, toxic waste dump, water reservoir, etc. is a credible target, as is every mall, airport, sports arena, amusement park, school, community center, church, etc. etc. ad nauseum.
It makes little or no sense to harden individual targets, unless there are some pretty major extenuating circumstances. Nuclear power plants, military arms depots (which should be hardened in any event), significantly large hydroelectric dams, etc.
99.99% of the "credible" targets in the United States simply cannot be feasibly hardened, and attempting to do so is a colossal waste of resources. Even the act of making this list of 77,000 targets represents a waste of resources. Do we really want to militarize Disneyland (and if we were so magnificently stupid as to think we should, how would you secure an 85 acre facility without putting up lots of razor wire and machine gun nests?)
Spend the money on cops, fire departments, hospitals, first responders, etc. Offer better wages to the National Guard. Upgrade the facilities and equipment of the Coast Guard.
When/if "the terrorists" attack again, all of that money will provide assistance and tangible benefits. Spending money on individual targets only helps if the terrorist decide to pick on that target, and we're unlikely to have an accurate enough crystal ball to accomplish that feat of foresight.
"99.99% of the "credible" targets in the United States simply cannot be feasibly hardened, and attempting to do so is a colossal waste of resources."
With this I would agree, however I do not think the list is totaly useles, however it depends on how it is implemented and used.
For instance if the list is arived at by Fire / Police or other Officers who have an appriciation of what would happen should the target be attacked then in of it's self it would become just a repository of information.
If however entries on the list where assessed by these officers similar to a health and safety visit to ensure that they had a certain minimum of planning prevention and remidial activities in progress then it would be very benificial.
For instance on the planning side ensuring that up to date building plans contact numbers radio frequencies used by security staff is available to emergancy officers in a standardized format would be imensly helpfull in the first part of any ememrgancy let alone a terorist attack. In return the officers could give assisitance on site plans such as evacuation etc safe routes and points.
Likewise with prevention, what is needed is not blanket CCTV etc, it is carefully planned and well implemented systems along with appropriate fire etc detection systems. Again officers could provide assistance with the planning and implementation.
Likewise with remidial activities such as ensuring adiquate numbers of first aid kits defibs etc and also alowing officers etc to practice certain types of event to raise public awarness in saftey / first aid etc.
Just creating and sitting on a list is stupid, only using it to send out "Be aware" flyers to site managers would also be not benificial, the list needs to be used not just for anti-terorist activities but also other public safety (after all aircraft do fall out of the sky for mechanical reasons, and fires and earthquakes will still happen).
If you force a terrorist to shift their attack to a new location, does that count as success?
For example, many subway systems now have announcements/signs letting people know they should speak up if they see unattended luggage. This makes it harder to drop a bag on a train and count on large casualties... unless you're willing to sit with the bag.
But that does nothing against a terrorist who drops that same explosives filled bag in a supermarket or fairground.
I agree, that sort of information may be useful, for just the reasons you present.
However, collecting that data, formatting it properly, and enabling the emergency responders (etc) to have access to it in a suitable "30 seconds after event" fashion would be a pretty big logistical task. Perhaps one that would be worthwhile, though.
It's obviously not a credible idea to ask your police to memorize all that information wrt all of the buildings and venues in their precinct, for example - there would have to be some sort of device for easy access. And then of course you have to secure the data and the devices, so that the terrorists (or workaday criminals, who would probably benefit highly from knowing that sort of information) can't use it for planning their attacks, etc.
Again, the question is why the list? If it is to get pork, then it is by definition going to be flawed. If it is for 1st responders, most of them are not Federal, so a local list would 1) be more effective, and 2) probably not include the non-sense that is otherwise wasting resources and money. If it is to 'harden likely targets', then the criteria are obviously out of whack given that popcorn vendors hardly constitute a likely target.
But really, these ideas are really secondary. A layered defense offers the best protection, military, border security, intelligence, and finally maybe selective target hardening. If anyone starts at the bottom, they'll run out of money before they get to the useful stuff at the top.
@Clive, sorry, couldn't help it, the wasted resources here drive me nuts...sorta like the previous paragraph. And we here in the states might argue the improved economy point...
The best way to protect critical infrastructures is to conduct a sustainable foreign policy, activity in which USA are not good at all, at least since the last 50 years.
A sustainable and fair foreign policy would not create the assumptions and the ground on which "terrorist" are basing their claims.
This is the only form of prevention.
And yes, I am not American as well as not Muslim...
a) Who chooses the target?
Can a list be made without specifying who the terrorist is, and what he's trying to reach?
In Germany we had left-wing terrorists.
Their target has been top, but not widely popular representatives from economy and administration (like Bubak, Schleyer, Herrhausen, Rohwedder, Braunmühl).
A link (with short german descriptions) of victims is to be found here:
We had right-wing terrorists too.
1980 a bomb exploded on the Octoberfest, killing 13 People.
In Italy, terrorists attacked the train station of Bologna - 85 People were killed.
While the right-wing terrorists seemed to be going for many victims, left-wing terrorists seemed to prefer few but 'important' victims.
This would produce disjunctive lists.
b) What do targets have in common?
I can identify 3 groups of targets - perhaps you'll find some more:
1. Many Victims.
Examples would be the Twin-Towers, Oktoberfest, Bologna, London, Madrid
2. Targets of symbolic meaning.
The Twin-Towers and the Pentagon count here too. The White House and the president himself are of serious relevance, but of course Disney Land or the Oscar-Evening match that pattern too.
3. Functional targets.
Infrastructure is often mentioned as a possible target, but we see it rarely happen.
We could mention the Pentagon.
I guess it's hard to find a vital point in technical infrastructure, or in the economy which can seriously be affected.
A target may belong to more than one group, and therefore be more interesting.
Perhaps a big event at the MIT: The MIT is well known and a symbol. A lot of people could be hurt. A lot of important persons could be affected.
I live in Berlin, Germany, and you can find machine-pistol armed security people at three points in the city: Close to the american embassy, near the british embassy and the in front of the famous jewish synagoge.
In 1999 or 2000, there was a political crisis with israel involved - I don't remember the concrete reason.
In the quarter around the synagoge there are some small Shops: a jewish bookstore, a backery, a restaurant and a butcher's shop, where you can get kosher flesh.
During that krisis these small shops where hardened too.
I guess that's how small a target may be.
Rethinking the 3 kinds of targets mentioned above, I guess they have a hidden target in common: Our mind.
Our mind, and the mind of the sympathisers of the terrorists - that's what the real target is.
How can we harden our mind?
Take a walk at the seaside.
Let's go to the forest.
Have a deep breath and open your mind.
Stay calm but keep your eyes open.
If we can't protetect the people, we shouldn't pretend we can.
How can we open the mind of the sympathisers?
I guess this question is still open.
Diplomacy was mentioned earlier in this thread.
Respect is an idea I like to mention.
Have a nice day.
So, will Bruce's famous restaurant guide have a San Francisco edition for the 2007 RSA Conference, and will it have a notation for each restaurant indicating whether it is a likely terrorist target? If the Government will not release the designations, I'm sure that Bruce can devise some criteria for how hard or soft a target it might be. For example, if the restaurant has a hat-check booth, terrorists wearing hats will have to go elsewhere...
Seriously, we have seen that suicide bombers like to target restaurants and markets. Short of airport-level metal and explosives detectors, what should a paranoid diner look for in restaurant security?
So Indiana tops the list with 8591 targets. They must be counting the meth labs. And then there's #2, Wisconsin. Cows maybe? Or cheese factories? NH and VT seem to be taking the golf score approach; lower is better. No sense looking like too ripe a target, eh? Or maybe maple syrup isn't a favorite of the AQ boys.
So, does this mean you should no longer compliment a meal by saying "wow, this is the bomb"...or by saying the opposite: "this blows chunks"?
Seems like it's only a matter of time before someone suggests American slang be cleansed of terror-ish phrases.
Speaking of changes to the culture, I was listening to some kids on the beach the other day as they played with sticks and rocks they found:
"Hurry, civilians are escaping the attack by going into the train tunnel. Look out! Here comes another suicide bomber. Bzzzzzz, boom! Oh, no, the tunnel has collapsed!"
It was very surreal.
The list helps authorities think it through somewhat in advance. It doesn't take a LOT of thought for most people, but we're talking about government.
There's a bombing in your city. You wouldn't send the same set of resources to the site if the bombing were at a famous restaurant as if the bombing were at a gas station or a city government building or a casino. Each will have its own set of unique problems that will need to be dealt with fairly quickly. Some quick examples of differences: the gas station will require immediate evacuation of the surrounding area and some quick decisions on whether the storage tanks are in danger of going up. The casino carries a huge amount of cash which may require securing. The city government building has documents that must remain secure.
The list may be just gold diggers, but it also gives a subset of real locations for which federal, state, and local government can take a few minutes to jot down a set of plans on how to deal with various terrorist plots so they aren't standing around scratching their heads and pointing fingers when a real situation happens, like we saw with Katrina.
"I've said it before, I'll say it again: Democracy simply doesn't work." - Kent Brockman
"I've said it before, I'll say it again: Democracy simply doesn't work."
But as Winston Churchil pointed out it is still the best of all the worst options....
If al'qaida or whoever really wants to paralyze us, they will start hitting suburban malls, substations (in August), bridges on major highways... things that are important that we have too many of to properly protect. A dozen "Washington snipers" would do the job too. This really is an exercise in futility no matter what is on the list. Sure, protect the power plants, protect the monuments, but more than that is pointless.
The scramble to throw away our dollars trying to protect the unprotectable will doom us.
can't seem to find a job application for security guard at the indiana amish popcorn factory can anybody help ????? does this gov make me feel safe ????? i don't think so...........
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.