Entries Tagged "operational security"


Clever Counterterrorism Tactic

Used against the IRA:

One of the most interesting operations was the laundry mat [sic]. Having lost many troops and civilians to bombings, the Brits decided they needed to determine who was making the bombs and where they were being manufactured. One bright fellow recommended they operate a laundry and when asked “what the hell he was talking about,” he explained the plan and it was incorporated — to much success.

The plan was simple: Build a laundry and staff it with locals and a few of their own. The laundry would then send out “color coded” special discount tickets, to the effect of “get two loads for the price of one,” etc. The color coding was matched to specific streets and thus when someone brought in their laundry, it was easy to determine the general location from which a city map was coded.

While the laundry was indeed being washed, pressed and dry cleaned, it had one additional cycle — every garment, sheet, glove, pair of pants, was first sent through an analyzer, located in the basement, that checked for bomb-making residue. The analyzer was disguised as just another piece of the laundry equipment; good OPSEC [operational security]. Within a few weeks, multiple positives had shown up, indicating the ingredients of bomb residue, and intelligence had determined which areas of the city were involved. To narrow their target list, [the laundry] simply sent out more specific coupons [numbered] to all houses in the area, and before long they had good addresses. After confirming addresses, authorities with the SAS teams swooped down on the multiple homes and arrested multiple personnel and confiscated numerous assembled bombs, weapons and ingredients. During the entire operation, no one was injured or killed.

Posted on October 13, 2008 at 1:22 PM

Data Mining for Terrorists Doesn't Work

According to a massive report from the National Research Council, data mining for terrorists doesn’t work. Here’s a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle’s police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do–perhaps inspired by watching too many episodes of the Fox series 24–can’t work. “If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so.”

A summary of the recommendations:

  • U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
  • Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.
  • To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data… At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.
  • Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to “mine the miners and track the trackers.”
  • Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.
  • The U.S. government should periodically review the nation’s laws, policies, and procedures that protect individuals’ private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn’t find terrorists back in 2005.

EDITED TO ADD (10/10): More commentary:

As the NRC report points out, not only is the training data lacking, but the input data that you’d actually be mining has been purposely corrupted by the terrorists themselves. Terrorist plotters actively disguise their activities using operational security measures (opsec) like code words, encryption, and other forms of covert communication. So, even if we had access to a copious and pristine body of training data that we could use to generalize about the “typical terrorist,” the new data that’s coming into the data mining system is suspect.

To return to the credit reporting analogy, credit scores would be worthless to lenders if everyone could manipulate their credit history (e.g., hide past delinquencies) the way that terrorists can manipulate the data trails that they leave as they buy gas, enter buildings, make phone calls, surf the Internet, etc.

So this application of data mining bumps up against the classic GIGO (garbage in, garbage out) problem in computing, with the terrorists deliberately feeding the system garbage. What this means in real-world terms is that the success of our counter-terrorism data mining efforts is completely dependent on the failure of terrorist cells to maintain operational security.

The combination of the GIGO problem and the lack of suitable training data combine to make big investments in automated terrorist identification a futile and wasteful effort. Furthermore, these two problems are structural, so they’re not going away. All legitimate concerns about false positives and corrosive effects on civil liberties aside, data mining will never give authorities the ability to identify terrorists or terrorist networks with any degree of confidence.
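As an added illustration of the false-positive concern the commentary sets aside (this is not code from the post, the commentary or the NRC report), the script below takes a population size, a number of real targets, a detection rate and a false-alarm rate, all of them constructed assumptions, and computes how many of the people a pattern-based screen flags are real hits when the base rate is tiny. It also models the GIGO effect the commentary describes: targets who practise opsec look like everyone else, which lowers the detection rate while the false-alarm rate, driven by the innocent majority, stays where it was.

```python
"""Why a screening program drowns in false positives at a tiny base rate.

Added illustration (not from the post or the NRC report). Every number
passed in below is a constructed assumption; the arithmetic is the point.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    """Expected counts after screening a population once."""
    true_positives: float   # real targets the system flags
    false_positives: float  # innocents the system flags
    missed: float           # real targets the system does not flag

    @property
    def precision(self) -> float:
        """Share of flagged people who are actually targets."""
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0

    @property
    def false_alarms_per_hit(self) -> float:
        """Innocents investigated for every real target found."""
        if self.true_positives == 0:
            return float("inf")
        return self.false_positives / self.true_positives


def screen(population: int, targets: int,
           detection_rate: float, false_alarm_rate: float) -> ScreeningOutcome:
    """Expected outcome of one pass of a pattern-based classifier.

    detection_rate: probability a real target is flagged (true positive rate).
    false_alarm_rate: probability an innocent is flagged (false positive rate).
    """
    if not 0 <= targets <= population:
        raise ValueError("targets must lie between 0 and population")
    for rate in (detection_rate, false_alarm_rate):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must be probabilities")
    innocents = population - targets
    tp = targets * detection_rate
    return ScreeningOutcome(
        true_positives=tp,
        false_positives=innocents * false_alarm_rate,
        missed=targets - tp,
    )


def required_false_alarm_rate(population: int, targets: int,
                              detection_rate: float,
                              wanted_precision: float) -> float:
    """False-alarm rate the classifier would need to reach a given precision.

    Solves precision = tp / (tp + innocents * fpr) for fpr.
    """
    if not 0.0 < wanted_precision < 1.0:
        raise ValueError("wanted_precision must be strictly between 0 and 1")
    innocents = population - targets
    tp = targets * detection_rate
    return tp * (1.0 - wanted_precision) / (wanted_precision * innocents)


def opsec_degraded(population: int, targets: int, detection_rate: float,
                   false_alarm_rate: float, evasion: float) -> ScreeningOutcome:
    """GIGO effect: the fraction `evasion` of targets leave data trails that
    look innocent, so the effective detection rate drops by that fraction.
    The false-alarm rate is set by the innocent majority and does not move."""
    if not 0.0 <= evasion <= 1.0:
        raise ValueError("evasion must be a fraction between 0 and 1")
    return screen(population, targets,
                  detection_rate * (1.0 - evasion), false_alarm_rate)


if __name__ == "__main__":
    # Constructed scenario: a million innocents plus ten real targets.
    base = screen(1_000_010, 10, detection_rate=1.0, false_alarm_rate=0.001)
    print(f"perfect recall, 0.1% false alarms: precision={base.precision:.4%}, "
          f"{base.false_alarms_per_hit:.0f} innocents flagged per real hit")
    evaded = opsec_degraded(1_000_010, 10, 1.0, 0.001, evasion=0.5)
    print(f"with half the targets evading: precision={evaded.precision:.4%}")
    print("false-alarm rate needed for 50% precision: "
          f"{required_false_alarm_rate(1_000_010, 10, 1.0, 0.5):.1e}")
```

With the constructed numbers, a detector that never misses a target and raises a false alarm on one innocent in a thousand still flags a hundred innocents for every real hit; reaching even odds would need a false-alarm rate of one in a hundred thousand, and the evasion the commentary describes only pushes the ratio the wrong way.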

Posted on October 10, 2008 at 6:35 AM

UK Ministry of Defense Loses Memory Stick with Military Secrets

Oops:

The USB stick, outlining training for 70 soldiers from the 3rd Battalion, Yorkshire Regiment, was found on the floor of The Beach in Newquay in May.

Times, locations and travel and accommodation details for the troops were included in files on the device.

It’s not the first time:

More than 120 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it was reported earlier this year.

Some 26 of those disappeared this year, including three which contained information classified as “secret”, and 19 which were “restricted”.

I’ve written about this general problem before: we’re storing ever more data in ever smaller devices.

The point is that it’s now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I’d never know it.

The solution? Encrypt them.

Posted on September 16, 2008 at 6:21 AM

Why Some Terrorist Attacks Succeed and Others Fail

In “Underlying Reasons for Success and Failure of Terrorist Attacks: Selected Case Studies” (Homeland Security Institute, June 2007), the authors examine eight recent terrorist plots against commercial aviation and passenger rail, and come to some interesting conclusions.

From the “Executive Summary”:

The analytic results indicated that the most influential factors determining the success or failure of a terrorist attack are those that occur in the pre-execution phases. While safeguards and controls at airports and rail stations are critical, they are most effective when coupled with factors that can be leveraged to detect the plot in the planning stages. These factors include:

  • Poor terrorist operational security (OPSEC). The case studies indicate that even plots that are otherwise well-planned and operationally sound will fail if there is a lack of attention to OPSEC. Security services cannot “cause” poor OPSEC, but they can create the proper conditions to capitalize on it when it occurs.
  • Observant public and vigilant security services. OPSEC breaches are a significant factor only if they are noticed. In cases where the public was sensitive to suspicious behavior, lapses in OPSEC were brought to the attention of authorities by ordinary citizens. However, the authorities must likewise be vigilant and recognize the value of unexpected information that may seem unimportant, but actually provides the opening to interdict a planned attack.
  • Terrorist profile indicators. Awareness of and sensitivity to behavioral indicators, certain activities, or past involvement with extremist elements can help alert an observant public and help a vigilant security apparatus recognize a potential cell of terrorist plotters.
  • Law enforcement or intelligence information sharing. Naturally, if security services are aware of an impending attack they will be better able to interdict it. The key, as stated above, is to recognize the value of information that may seem unimportant but warrants further investigation. Security services may not recognize the context into which a certain piece of information fits, but by sharing with other organizations more parts of the puzzle can be pieced together. Information should be shared laterally, with counterpart organizations; downward, with local law enforcement, who can serve as collectors of information; and with higher elements capable of conducting detailed analysis. Intelligence collection and analysis are relatively new functions for law enforcement. Training is a key element in their ability to recognize and respond to indicators.
  • International cooperation. Nearly all terrorist plots, including most of those studied for this project, have an international connection. This could include overseas support elements, training camps, or movement of funds. The sharing of information among allies appears from our analysis to have a positive impact on interdicting attack plans as well as apprehending members of larger networks.

I especially like this quote, which echoes what I’ve been saying for a long time now:

One phenomenon stands out: terrorists are rarely caught in the act during the execution phase of an operation, other than instances in which their equipment or weapons fail. Rather, plots are most often foiled during the pre-execution phases.

Intelligence, investigation, and emergency response: that’s where we should be spending our counterterrorism dollar. Defending the targets is rarely the right answer.

Posted on February 28, 2008 at 6:25 AM

Swedish Army Loses Classified Information on Memory Stick

Oops:

The daily newspaper, Aftonbladet, turned the stick over to the Armed Forces on Thursday. The paper’s editorial office obtained the memory stick from an individual who discovered it in a public computer center in Stockholm.

An employee of the Armed Forces has reported that the misplaced USB memory stick belongs to him. The employee contacted his superior on Friday and divulged that he had forgotten the memory stick in a public computer. A preliminary technical investigation confirms that the stick belongs to the employee.

The stick contained both unclassified and classified information such as information regarding IED and mine threats in Afghanistan.

I wrote about this sort of thing two years ago:

The point is that it’s now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I’d never know it.

Also this. Although why the Swedish Army doesn’t encrypt its portable storage devices is beyond me.
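The two memory-stick posts on this page, the UK Ministry of Defence one and this one, end at the same recommendation: encrypt portable storage. One defender-side check that follows from it, added here and not part of either post, audits a Linux host for removable devices that carry a filesystem which is not an encrypted container. It parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT`; the sample output embedded in the script is constructed, and the `crypto_LUKS` and `BitLocker` signature names are the ones libblkid reports, which the posts do not mention.

```python
"""Flag removable storage that carries an unencrypted filesystem.

Added example (not from the post). It parses the key="value" lines that
`lsblk -P -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` prints on Linux; SAMPLE below is
constructed output, not a capture from any real machine.
"""
import shlex
import subprocess
from typing import Dict, List, NamedTuple

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,RM,MOUNTPOINT"

# Filesystem signatures libblkid reports for encrypted containers.
ENCRYPTED_FSTYPES = {"crypto_LUKS", "BitLocker"}

# Constructed sample: an internal disk, a plaintext USB stick, a LUKS stick
# whose unlocked mapper device appears as a separate "crypt" row, and a stick
# formatted without a partition table (filesystem directly on the disk).
SAMPLE = """\
NAME="sda" TYPE="disk" FSTYPE="" RM="0" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ext4" RM="0" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" RM="1" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="vfat" RM="1" MOUNTPOINT="/media/user/STICK"
NAME="sdc" TYPE="disk" FSTYPE="" RM="1" MOUNTPOINT=""
NAME="sdc1" TYPE="part" FSTYPE="crypto_LUKS" RM="1" MOUNTPOINT=""
NAME="secure" TYPE="crypt" FSTYPE="ext4" RM="0" MOUNTPOINT="/media/user/secure"
NAME="sdd" TYPE="disk" FSTYPE="exfat" RM="1" MOUNTPOINT=""
"""


class Finding(NamedTuple):
    device: str
    fstype: str
    mountpoint: str


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Turn `lsblk -P` output into one dict per block device."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex understands the shell-style quoting lsblk uses, so values
        # containing spaces (mount points, labels) survive intact.
        rows.append(dict(token.split("=", 1) for token in shlex.split(line)))
    return rows


def unencrypted_removable(rows: List[Dict[str, str]]) -> List[Finding]:
    """Removable devices holding a filesystem that is not an encrypted container.

    Rows with an empty FSTYPE (a bare disk carrying only a partition table, or
    unformatted media) are skipped: there is no filesystem there to assess.
    Mapper rows of type "crypt" are the unlocked view of an encrypted
    container and are skipped as well.
    """
    findings = []
    for row in rows:
        if row.get("RM") != "1" or row.get("TYPE") == "crypt":
            continue
        fstype = row.get("FSTYPE", "")
        if not fstype or fstype in ENCRYPTED_FSTYPES:
            continue
        findings.append(Finding(f"/dev/{row['NAME']}", fstype,
                                row.get("MOUNTPOINT", "")))
    return findings


def audit_live_system() -> List[Finding]:
    """Run lsblk on this host and return the findings (Linux only)."""
    out = subprocess.run(["lsblk", "-P", "-o", LSBLK_COLUMNS],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_removable(parse_lsblk_pairs(out))


if __name__ == "__main__":
    for f in unencrypted_removable(parse_lsblk_pairs(SAMPLE)):
        where = f", mounted at {f.mountpoint}" if f.mountpoint else ""
        print(f"{f.device}: plaintext {f.fstype} on removable media{where}")
```

Run against the constructed sample it reports the vfat stick and the exfat superfloppy and stays quiet about the LUKS stick; `audit_live_system()` does the same against the real device tree, which is the kind of check that turns "encrypt them" from advice into something a host can verify about itself.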

Posted on January 9, 2008 at 1:46 PM
