The Keys to a More Secure Future
Sometime in July, a team of hackers will try to break into the computer networks that run key utilities around the U.S. The strikes won't come from Islamic cyberterrorists -- who in recent days have been rumored to be planning such attacks themselves -- but rather from friendly teams of security analysts the Electric Power Research Institute has hired to find chinks in the armor of conventional power plants.
EPRI's "Red Teams," as they're called, are just one element in an urgent campaign to shore up the security of U.S. infrastructure so as to safeguard the homeland from terrorist attacks -- both virtual and physical.
Likewise, the Federal Aviation Administration has begun using friendly hackers to test its networks after a series of frightening breaches. Then there's the Nuclear Regulatory Commission, the body that holds sway over nuclear power plants and materials. In April, the NRC created a rapid-response team to counter terrorist attacks, something it can now afford, thanks to a $35 million emergency bump in its budget.
STILL IN PLANNING.
The private sector is pushing forward as well: Northwest Airlines announced on June 26 that it will begin using facial-recognition equipment to expedite check-ins and verify the identities of so-called "trusted passengers" -- those who fork over enough personal information to remove themselves from suspicion as security risks (see BW Online, 6/26/02, "Making Frequent Flyers Trusted Travelers").
So far, so good. But what's increasingly clear as such efforts gain momentum is that nearly 10 months after the September 11 terrorist attacks on New York and Washington, enhanced security remains largely in the planning stage -- with the vast majority of the job still to be done. Except at airports, which have rushed out biometric devices to control employee access to sensitive areas, most of the U.S. is plodding to develop a stronger security posture. Pilot projects are still the norm for the most advanced technologies, most of which remain years away.
What's now obvious is that in the two or three years between the World Trade Center attacks and the implementation of technologies that will make similar assaults less likely, plain old human alertness may be the mechanism on which security most depends. When it comes to the slickest solutions, "we're barely at the starting line," says Steven Flynn, a fellow at the Council on Foreign Relations and an expert in transportation security issues. Here's a look at the major efforts to improve homeland security -- and where they may lead:
Pre-September 11, major spending increases on domestic security were hard to justify: Why blow billions on projects that don't boost productivity or economic growth just to head off a theoretical threat?
The terrorist attacks answered that question, and yet a full-scale mobilization of the type that came after Pearl Harbor, to use an apt example, is just now getting attention from Congress. True, President Bush has pledged to spend $37.5 billion on the new Homeland Security Dept. But much of that will come from existing programs.
The floodgates on federal security spending will likely first swing open later this month, when Congress is expected to approve an emergency supplemental appropriations bill, with $30 billion earmarked for homeland security. Other bills in Congress would boost spending in fiscal 2003 for everything from shoring up water-plant security to supporting academic and federal cybersecurity research to the tune of $1 billion.
Clearly, the Pentagon will be a big beneficiary. Its projected 2003 budget should increase 13.4%, to $379 billion, and few in Congress are likely to object. Likewise, the National Institutes of Health could get a 16.7% increase next year, much of it for bioterrorism research.
All told, the federal government will hand out a record $112 billion in research and development funding next year, up $8.9 billion vs. fiscal 2002, predicts the American Association for the Advancement of Science, a nonprofit science-advocacy group that tracks spending and policy patterns. Already this year, the U.S. government has nearly tripled counterterrorism R&D spending, to $1.5 billion, according to the AAAS.
The next test, of course, will be how much of this money ends up being put to good use. The President's sweeping homeland security restructuring will put R&D programs from five federal agencies under one roof -- and could cause massive confusion that may even set back security efforts.
Further, big gaps remain in federal policy, including how Washington plans to help the private sector shore up nuclear power plants, water plants, chemical factories, oil pipelines, and other critical elements of the U.S. infrastructure. Many of these are owned by companies that might not be able to afford the retrofits necessary to shore up security at, say, nuclear plant cooling towers, without government help.
All of these areas have received plenty of attention and some money since September 11. Yet except for efforts to fight bioterror, to secure the nation's borders, and to protect public transportation, Washington still has to prove that it can back up its promises of homeland security with action.
What do El Niño and nerve gas have in common? Not much, at first glance. But a global network of buoys, satellites, and sensors designed to track the ocean-warming pattern that emerges about every five years and causes dramatic coastal storms along California could be rejiggered to spot biochemical releases. Whether the project, dubbed the TAO/Triton Array, gets fully funded has yet to be decided.
That's a metaphor for the state of technological innovation in the war on terrorism. In the wake of the attacks, scientists are investigating how to thwart terrorism by repurposing existing technologies. Rapid-fire gene mapping systems that use lasers and fluorescent dyes to quickly plot the composition of human chromosomes could also help map bacterial agents and spot biological attacks, ideally in real time. It isn't yet clear, however, when such systems will be commercial -- or who will fund their development.
For now, work is proceeding -- particularly in government labs. Scientists at the National Institute for Standards & Technology are currently developing a camera with a liquid-filled lens that sees as well as the human eye. While the camera would be useful for many types of imaging, such as producing clearer medical x-rays or CAT scans, NIST hopes the lens will also help law-enforcement officials more easily distinguish images of weapons on screens of security scanners.
The gee-whiz quotient of such devices already is rising. For instance, the time required to identify a limited range of biological agents in the current generation of detection devices has dropped from several hours to less than one hour. The equipment used to protect big public events, such as the U.S. Olympic Winter Games, has diminished from trailer-mounted machines to boxes the size of a desk.
Another example is the walk-through portal that spots explosives by sucking up airborne particles and analyzing them for signs of bomb-making materials. In May 2002, Barringer Industries unveiled that product, which uses technology created at Sandia National Laboratories. It requires a walk-through time of only 10 seconds per person and is far more accurate than systems that rely on security agents who do things the old-fashioned way -- applying swabs to bags to get samples to test for bomb material.
Better still, the portal -- which is similar to an airline checkpoint -- can spot not only people who have handled bombs or carried bomb-laden luggage, but also suicide bombers themselves.
It's certain that improved technologies will play an increasing role in the campaign for stronger homeland security. Just remember, though, that technologies of every variety seem to follow a well-worn path: They proceed in fits and starts -- and they almost always take longer than expected.
A corollary to tech innovation will be making existing computer systems and networks more secure -- a sprawling project that never ends since the objective is to snag a bad actor whose shenanigans are often a moving target. For the most part, it's mundane stuff, such as updating systems to make sure they have the latest security software and checking every Web server to make sure it's configured to fend off easy attacks.
This past spring, though, a chorus arose questioning the wisdom of patching existing systems -- as opposed to building new systems based on more secure computer languages and system designs. The idea would be to fix once and for all problems in the underlying software languages that power data networks and the Internet.
To date, most of the emphasis in information security has been on adding new security layers such as firewalls, intrusion-detection systems, and antivirus products. While wider use of these systems has made corporations and governments more secure, that's no panacea, critics say.
"Think about what would have happened on September 11 if the terrorist attacks had been coordinated with a cyberattack. We would have been much worse off," says Peter Neumann, a computer security expert and a principal scientist at think tank SRI International. "Our infrastructure is entirely dependent on computers and communications." Making them safe from Internet-based cybercrime is a task that will never end.
Until innovation in security technology reaches a critical mass, the solution of choice will be nifty applications of existing technology. For instance, the second version of the new Transportation Security Administration's CAPPS II passenger-screening system for airlines will use database-merging and systems-integration techniques to create a real-time opportunity to spot possible indications of terrorist activities. Another example: In the wake of September 11, Oracle created a system that links hospital emergency rooms in New York City to help uncover early evidence of biological attacks.
Another burgeoning field, telematics, has trucking companies mounting sensitive monitors on vehicles. These can broadcast over wireless networks information such as the location of a truck that's transporting hazardous material, the status of its load, whether the cabin door is open or closed, and even video frame-grabs of the driver. "All of this is possible with off-the-shelf technology," says Tony Eales, CEO of San Diego (Calif.) telematics company Teletrac. Eales estimates that 10% of the vehicle fleets running in the U.S. now use telematic tracking.
That's way up from a decade ago, partly because of an extra benefit -- cost savings. Advanced fleet-tracking capabilities make it easier for trucking companies to plan logistics and supply runs. The same holds true for electronic bills-of-lading in the shipping industry. These online documents verify the ownership of cargo. Putting them on the Web saves millions of dollars in paper costs and employee time, and speeds deliveries.
The security payoff? A fast-moving system gives terrorists and criminals alike less time to mess with or steal the cargo. And electronic documents make it much easier to share information across borders -- and governments. "You won't have to force this on industry," says the Council on Foreign Relations' Flynn.
The Human Factor
While new or existing technologies have grabbed much of the spotlight, cooperation, not innovation, may prove a more potent terrorism deterrent for a long time to come. In the past, government agencies warred subtly: the CIA vs. the FBI, the FBI vs. state law enforcement, and so on. Additionally, corporations have been reluctant to report computer breaches to investigators for fear of spooking partners, customers, and investors. For now, the emphasis on national unity seems to be eroding those walls.
Consider what's going on at one of the busiest crossings between the U.S. and Mexico. In Douglas, Ariz., a host of law-enforcement agencies are cooperating to get better control of the border. Under the auspices of the U.S. Customs Service, that agency, the Immigration & Naturalization Service, and state, local, and federal law-enforcement entities have joined forces to fight problems in a unified way. They exchange information via e-mail and delve into common databases using broadband connections in remote locales.
This arrangement uses the same information to serve the purposes of many. A license-plate scanning and tracking system coupled with video cameras notifies Arizona state cops of stolen vehicles being moved toward Mexico. The same system also gives INS officials a leg up in sifting through the heavy border traffic in search of those who shouldn't be entering the country, says Doug Doan, the CEO of systems integrator NTMI, which has done much of the technological work for the project. "It doesn't really cost much more money. It's more how people interact," says Doan.
Fortunately, governments and companies involved in international commerce are already used to cooperating. Regional port authorities and various shipping companies around the globe communicate regularly on the nature of shipments. There already exists a system of trusted intermediaries and cargo-assurance brokers that attest to the validity of a bill-of-lading on a shipment coming out of a country where the rule of law might be less than certain and corruption common.
"The folks in Seattle at the port authority probably have better relations with their counterparts in Singapore than those that exist between their national governments," contends Flynn. Add in recognition of the need for heightened awareness, and such relationships offer a better chance to stop terror attacks, even amidst a sea of 5.7 million shipping containers that the U.S. received in 2001, according to the U.S. Customs Service.
Still, few in business or in the government think that current levels of cooperation are sufficient to meet security needs. "We're going to need to be married more and more with the high-tech industry...to capture communications as part of criminal conduct," says Dan Larkin, the FBI supervisory agent in charge of the National Infrastructure Protection Center's Pittsburgh office.
As the war on terror unfolds, this human factor is becoming more important even with the emphasis on exotic technologies. In part, that's because human error will continue to cause most security breaches. Preventing "attacks and threats requires someone to think. Only humans can detect new things," says Bruce Schneier, the chief technology officer of computer security company Counterpane Internet Security. "Computers are not so good at it." Indeed, the most potent weapon against terror is ages old: It's the one between your ears.