Entries Tagged "terrorism"

Page 24 of 80

Internet Kill Switch

Last month, Sen. Joe Lieberman, I-Conn., introduced a bill (text here) that might—we’re not really sure—give the president the authority to shut down all or portions of the Internet in the event of an emergency. It’s not a new idea. Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, proposed the same thing last year, and some argue that the president can already do something like this. If this or a similar bill ever passes, the details will change considerably and repeatedly. So let’s talk about the idea of an Internet kill switch in general.

It’s a bad one.

Security is always a trade-off: costs versus benefits. So the first question to ask is: What are the benefits? There is only one possible use of this sort of capability, and that is in the face of a warfare-caliber enemy attack. It’s the primary reason lawmakers are considering giving the president a kill switch. They know that shutting off the Internet, or even isolating the U.S. from the rest of the world, would cause damage, but they envision a scenario where not doing so would cause even more.

That reasoning is based on several flawed assumptions.

The first flawed assumption is that cyberspace has traditional borders, and we could somehow isolate ourselves from the rest of the world using an electronic Maginot Line. We can’t.

Yes, we can cut off almost all international connectivity, but there are lots of ways to get out onto the Internet: satellite phones, obscure ISPs in Canada and Mexico, long-distance phone calls to Asia.

The Internet is the largest communications system mankind has ever created, and it works because it is distributed. There is no central authority. No nation is in charge. Plugging all the holes isn’t possible.

Even if the president ordered all U.S. Internet companies to block, say, all packets coming from China, or restrict non-military communications, or just shut down access in the greater New York area, it wouldn’t work. You can’t figure out what packets do just by looking at them; if you could, defending against worms and viruses would be much easier.

And packets that come with return addresses are easy to spoof. Remember the cyberattack July 4, 2009, that probably came from North Korea, but might have come from England, or maybe Florida? On the Internet, disguising traffic is easy. And foreign cyberattackers could always have dial-up accounts via U.S. phone numbers and make long-distance calls to do their misdeeds.

The second flawed assumption is that we can predict the effects of such a shutdown. The Internet is the most complex machine mankind has ever built, and shutting down portions of it would have all sorts of unforeseen ancillary effects.

Would ATMs work? What about the stock exchanges? Which emergency services would fail? Would trucks and trains be able to route their cargo? Would airlines be able to route their passengers? How much of the military’s logistical system would fail?

That’s to say nothing of the variety of corporations that rely on the Internet to function, let alone the millions of Americans who would need to use it to communicate with their loved ones in a time of crisis.

Even worse, these effects would spill over internationally. The Internet is international in complex and surprising ways, and it would be impossible to ensure that the effects of a shutdown stayed domestic and didn’t cause similar disasters in countries we’re friendly with.

The third flawed assumption is that we could build this capability securely. We can’t.

Once we engineered a selective shutdown switch into the Internet, and implemented a way to do what Internet engineers have spent decades making sure never happens, we would have created an enormous security vulnerability. We would make the job of any would-be terrorist intent on bringing down the Internet much easier.

Computer and network security is hard, and every Internet system we’ve ever created has security vulnerabilities. It would be folly to think this one wouldn’t as well. And given how unlikely the risk is, any actual shutdown would be far more likely to be a result of an unfortunate error or a malicious hacker than of a presidential order.

But the main problem with an Internet kill switch is that it’s too coarse a hammer.

Yes, the bad guys use the Internet to communicate, and they can use it to attack us. But the good guys use it, too, and the good guys far outnumber the bad guys.

Shutting the Internet down, either the whole thing or just a part of it, even in the face of a foreign military attack would do far more damage than it could possibly prevent. And it would hurt others whom we don’t want to hurt.

For years we’ve been bombarded with scare stories about terrorists wanting to shut the Internet down. They’re mostly fairy tales, but they’re scary precisely because the Internet is so critical to so many things.

Why would we want to terrorize our own population by doing exactly what we don’t want anyone else to do? And a national emergency is precisely the worst time to do it.

Just implementing the capability would be very expensive; I would rather see that money going toward securing our nation’s critical infrastructure from attack.

Defending his proposal, Sen. Lieberman pointed out that China has this capability. It’s debatable whether or not it actually does, but it’s actively pursuing the capability because the country cares less about its citizens.

Here in the U.S., it is both wrong and dangerous to give the president the power and ability to commit Internet suicide and terrorize Americans in this way.

This essay was originally published on AOL.com News.

Posted on July 12, 2010 at 7:07 AMView Comments

Space Terrorism

Space terrorism? Yes, space terrorism. This article, by someone at the European Space Policy Institute, hypes a terrorist threat I’ve never seen hyped before. The author waves a bunch of scare stories around, and then concludes that “the threat of ‘Space Terrorism’ is both real and latent,” then talks about countermeasures. Certainly securing our satellites is a good idea, but this is just silly.

Posted on June 29, 2010 at 11:42 AMView Comments

Baby Terrorists

This, from Congressman Louie Gohmert of Texas, is about as dumb as it gets:

I talked to a retired FBI agent who said that one of the things they were looking at were terrorist cells overseas who had figured out how to game our system. And it appeared they would have young women, who became pregnant, would get them into the United States to have a baby. They wouldn’t even have to pay anything for the baby. And then they would turn back where they could be raised and coddled as future terrorists. And then one day, twenty…thirty years down the road, they can be sent in to help destroy our way of life. ‘Cause they figured out how stupid we are being in this country to allow our enemies to game our system, hurt our economy, get setup in a position to destroy our way of life.

This is simply too stupid to even bother refuting. But this sort of fear mongering is nothing new for Gohmert.

Posted on June 29, 2010 at 6:28 AMView Comments

How Much Counterterrorism Can We Afford?

In an article on using terahertz rays (is that different from terahertz radar?) to detect biological agents, we find this quote:

“High-tech, low-tech, we can’t afford to overlook any possibility in dealing with mass casualty events,” according to center head Donald Sebastian. “You need multiple methods of detection and response. Terrorism comes in many forms; you have to see, smell, taste and analyze everything.”

He’s got it completely backwards. I think we can easily afford not to do what he’s saying, and can’t afford to do it.

The technology to detect traces of chemical and biological agents is neat, though. And I am very much in favor of research along these lines.

Posted on June 23, 2010 at 6:00 AMView Comments

The Continuing Incompetence of Terrorists

The Atlantic on stupid terrorists:

Nowhere is the gap between sinister stereotype and ridiculous reality more apparent than in Afghanistan, where it’s fair to say that the Taliban employ the world’s worst suicide bombers: one in two manages to kill only himself. And this success rate hasn’t improved at all in the five years they’ve been using suicide bombers, despite the experience of hundreds of attacks—or attempted attacks. In Afghanistan, as in many cultures, a manly embrace is a time-honored tradition for warriors before they go off to face death. Thus, many suicide bombers never even make it out of their training camp or safe house, as the pressure from these group hugs triggers the explosives in suicide vests. According to several sources at the United Nations, as many as six would-be suicide bombers died last July after one such embrace in Paktika.

Many Taliban operatives are just as clumsy when suicide is not part of the plan. In November 2009, several Talibs transporting an improvised explosive device were killed when it went off unexpectedly. The blast also took out the insurgents’ shadow governor in the province of Balkh.

When terrorists do execute an attack, or come close, they often have security failures to thank, rather than their own expertise. Consider Umar Farouk Abdulmutallab—the Nigerian “Jockstrap Jihadist” who boarded a Detroit-bound jet in Amsterdam with a suicidal plan in his head and some explosives in his underwear. Although the media colored the incident as a sophisticated al-Qaeda plot, Abdulmutallab showed no great skill or cunning, and simple safeguards should have kept him off the plane in the first place. He was, after all, traveling without luggage, on a one-way ticket that he purchased with cash. All of this while being on a U.S. government watch list.

Fortunately, Abdulmutallab, a college-educated engineer, failed to detonate his underpants. A few months later another college grad, Faisal Shahzad, is alleged to have crudely rigged an SUV to blow up in Times Square. That plan fizzled and he was quickly captured, despite the fact that he was reportedly trained in a terrorist boot camp in Pakistan. Indeed, though many of the terrorists who strike in the West are well educated, their plots fail because they lack operational know-how. On June 30, 2007, two men—one a medical doctor, the other studying for his Ph.D.—attempted a brazen attack on Glasgow Airport. Their education did them little good. Planning to crash their propane-and-petrol-laden Jeep Cherokee into an airport terminal, the men instead steered the SUV, with flames spurting out its windows, into a security barrier. The fiery crash destroyed only the Jeep, and both men were easily apprehended; the driver later died from his injuries. (The day before, the same men had rigged two cars to blow up near a London nightclub. That plan was thwarted when one car was spotted by paramedics and the other, parked illegally, was removed by a tow truck. As a bonus for investigators, the would-be bombers’ cell phones, loaded with the phone numbers of possible accomplices, were salvaged from the cars.)

Reminds me of my own “Portrait of the Modern Terrorist as an Idiot.”

Posted on June 18, 2010 at 5:49 AMView Comments

Behavioral Profiling at Airports

There’s a long article in Nature on the practice:

It remains unclear what the officers found anomalous about George’s behaviour, and why he was detained. The TSA’s parent agency, the Department of Homeland Security (DHS), has declined to comment on his case because it is the subject of a federal lawsuit that was filed on George’s behalf in February by the American Civil Liberties Union. But the incident has brought renewed attention to a burgeoning controversy: is it possible to know whether people are being deceptive, or planning hostile acts, just by observing them?

Some people seem to think so. At London’s Heathrow Airport, for example, the UK government is deploying behaviour-detection officers in a trial modelled in part on SPOT. And in the United States, the DHS is pursuing a programme that would use sensors to look at nonverbal behaviours, and thereby spot terrorists as they walk through a corridor. The US Department of Defense and intelligence agencies have expressed interest in similar ideas.

Yet a growing number of researchers are dubious ­ not just about the projects themselves, but about the science on which they are based. “Simply put, people (including professional lie-catchers with extensive experience of assessing veracity) would achieve similar hit rates if they flipped a coin,” noted a 2007 report from a committee of credibility-assessment experts who reviewed research on portal screening.

“No scientific evidence exists to support the detection or inference of future behaviour, including intent,” declares a 2008 report prepared by the JASON defence advisory group. And the TSA had no business deploying SPOT across the nation’s airports “without first validating the scientific basis for identifying suspicious passengers in an airport environment”, stated a two-year review of the programme released on 20 May by the Government Accountability Office (GAO), the investigative arm of the US Congress.

Commentary from the MindHacks blog.

Also, the GAO has published a report on the U.S. DHS’s SPOT program: “Aviation Security: Efforts to Validate TSA’s Passenger Screening Behavior Detection Program Underway, but Opportunities Exist to Strengthen Validation and Address Operational Challenges.”

As of March 2010, TSA deployed about 3,000 BDOs at an annual cost of about $212 million; this force increased almost fifteen-fold between March 2007 and July 2009. BDOs have been selectively deployed to 161 of the 457 TSA-regulated airports in the United States at which passengers and their property are subject to TSA-mandated screening procedures.

It seems pretty clear that the program only catches criminals, and no terrorists. You’d think there would be more important things to spend $200 million a year on.

EDITED TO ADD (6/14): In the comments, a couple of people asked how this compares with the Israeli model of airport security—concentrate on the person—and the idea that trained officers notice if someone is acting “hinky”: both things that I have written favorably about.

The difference is the experience of the detecting officer and the amount of time they spend with each person. If you read about the programs described above, they’re supposed to “spot terrorists as they walk through a corridor,” or possibly after a few questions. That’s very different from what happens when you check into a flight an Ben Gurion Airport.

The problem with fast detection programs is that they don’t work, and the problem with the Israeli security model is that it doesn’t scale.

Posted on June 14, 2010 at 6:23 AMView Comments

1 22 23 24 25 26 80

Sidebar photo of Bruce Schneier by Joe MacInnis.