independently assisting oversight of highly classified programs

[coderman]

On Mon, Jan 20, 2014 at 11:59 AM, coderman <coderman at gmail.com> wrote:
> ...
> i'll dig up the archives later today...  the paper was "sanitized" but
> the real concern was all of the vast and detailed fiber, power, gas,
> transportation, and other infrastructure mapped at sufficient detail
> for edges to have sufficiently useful capacity ratings for evaluation
> in the graph algorithms highlighting high degree, high risk nodes /
> links in the network.  access to "sensitive critical infrastructure
> information" ever after actively squelched.


there is some likely usual bit rot around this story, for now read at:
 http://seclists.org/isn/2003/Jul/28


and i may be wrong; they describe the cinderblock, unconnected,
multi-factor auth fortress where the work was moved, but this article
doesn't say SCIF and implies the contracts still in progress.   still
digging...


JYA do you remember this hullabaloo? have convenient docs to link?


best regards,
  except SONET pairs sharing same right of way over aerial and buried plant.


---


http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html

By Laura Blumenfeld
Washington Post Staff Writer
Tuesday, July 8, 2003

Sean Gorman's professor called his dissertation "tedious and
unimportant." Gorman didn't talk about it when he went on dates
because "it was so boring they'd start staring up at the ceiling." But
since the Sept. 11, 2001, attacks, Gorman's work has become so
compelling that companies want to seize it, government officials want
to suppress it, and al Qaeda operatives -- if they could get their
hands on it -- would find a terrorist treasure map.

Tinkering on a laptop, wearing a rumpled T-shirt and a soul patch
goatee, this George Mason University graduate student has mapped every
business and industrial sector in the American economy, layering on
top the fiber-optic network that connects them.

He can click on a bank in Manhattan and see who has communication
lines running into it and where. He can zoom in on Baltimore and find
the choke point for trucking warehouses. He can drill into a cable
trench between Kansas and Colorado and determine how to create the
most havoc with a hedge clipper. Using mathematical formulas, he
probes for critical links, trying to answer the question: "If I were
Osama bin Laden, where would I want to attack?" In the background, he
plays the Beastie Boys.

For this, Gorman has become part of an expanding field of researchers
whose work is coming under scrutiny for national security reasons. His
story illustrates new ripples in the old tension between an open
society and a secure society.

"I'm this grad student," said Gorman, 29, amazed by his transformation
from geek to cybercommando. "Never in my wildest dreams would I have
imagined I'd be briefing government officials and private-sector
CEOs."

Invariably, he said, they suggest his work be classified. "Classify my
dissertation? Crap. Does this mean I have to redo my PhD?" he said.
"They're worried about national security. I'm worried about getting my
degree." For academics, there always has been the imperative to
publish or perish. In Gorman's case, there's a new concern: publish
and perish.

"He should turn it in to his professor, get his grade -- and then they
both should burn it," said Richard Clarke, who until recently was the
White House cyberterrorism chief. "The fiber-optic network is our
country's nervous system." Every fiber, thin as a hair, carries the
impulses responsible for Internet traffic, telephones, cell phones,
military communications, bank transfers, air traffic control, signals
to the power grids and water systems, among other things.

"You don't want to give terrorists a road map to blow that up," he
said.

The Washington Post has agreed not to print the results of Gorman's
research, at the insistence of GMU. Some argue that the critical
targets should be publicized, because it would force the government
and industry to protect them. "It's a tricky balance," said Michael
Vatis, founder and first director of the National Infrastructure
Protection Center. Vatis noted the dangerous time gap between exposing
the weaknesses and patching them: "But I don't think security through
obscurity is a winning strategy."

Gorman compiled his mega-map using publicly available material he
found on the Internet. None of it was classified. His interest in maps
evolved from his childhood, he said, because he "grew up all over the
place." Hunched in the back seat of the family car, he would puzzle
over maps, trying to figure out where they should turn. Five years
ago, he began work on a master's degree in geography. His original
intention was to map the physical infrastructure of the Internet, to
see who was connected, who was not, and to measure its economic
impact.

"We just had this research idea, and thought, 'Okay,' " said his
research partner, Laurie Schintler, an assistant professor at GMU. "I
wasn't even thinking about implications."

The implications, however, in the post-Sept. 11 world, were enough to
knock the wind out of John M. Derrick Jr., chairman of the board of
Pepco Holdings Inc., which provides power to 1.8 million customers.
When a reporter showed him sample pages of Gorman's findings, he
exhaled sharply.

"This is why CEOs of major power companies don't sleep well these
days," Derrick said, flattening the pages with his fist. "Why in the
world have we been so stupid as a country to have all this information
in the public domain? Does that openness still make sense? It sure as
hell doesn't to me."

Recently, Derrick received an e-mail from an atlas company offering to
sell him a color-coded map of the United States with all the electric
power generation and transmission systems. He hit the reply button on
his e-mail and typed: "With friends like you, we don't need any
enemies in the world."

Toward the other end of the free speech spectrum are such people as
John Young, a New York architect who created a Web site with a friend,
featuring aerial pictures of nuclear weapons storage areas, military
bases, ports, dams and secret government bunkers, along with driving
directions from Mapquest.com. He has been contacted by the FBI, he
said, but the site is still up.

"It gives us a great thrill," Young said. "If it's banned, it should
be published. We like defying authority as a matter of principle."

This is a time when people are rethinking the idea of innocent
information. But it is hardly the first time a university has
entangled itself in a war. John McCarthy, who oversees Gorman's
project at GMU's National Center for Technology and Law, compared this
period to World War II, when academics worked on code-breaking and
atomic research. McCarthy introduced Gorman to some national security
contacts. Gorman's critical infrastructure project, he said, has
opened a dialogue among academia, the public sector and the private
sector. The challenge? "Getting everyone to trust each other,"
McCarthy said. "It's a three-way tension that tugs and pulls."

When Gorman and Schintler presented their findings to government
officials, McCarthy recalled, "they said, 'Pssh, let's scarf this up
and classify it.' "

And when they presented them at a forum of chief information officers
of the country's largest financial services companies -- clicking on a
single cable running into a Manhattan office, for example, and
revealing the names of 25 telecommunications providers -- the
executives suggested that Gorman and Schintler not be allowed to leave
the building with the laptop.

Businesses are particularly sensitive about such data. They don't want
to lose consumer confidence, don't want to be liable for security
lapses and don't want competitors to know about their weaknesses. The
CIOs for Wells Fargo and Mellon Financial Corp. attended the meeting.
Neither would comment for this story.

Catherine Allen, chief executive of BITS, the technology group for the
financial services roundtable, said the attendees were "amazed" and
"concerned" to see how interdependent their systems were. Following
the presentation, she said, they decided to hold an exercise in an
undisclosed Midwestern city this summer. They plan to simulate a cyber
assault and a bomb attack jointly with the telecommunications industry
and the National Communications System to measure the impact on
financial services.

McCarthy hopes that by identifying vulnerabilities, the GMU research
will help solve a risk management problem: "We know we can't have a
policeman at every bank and switching facility, so what things do you
secure?"

Terrorists, presumably, are exploring the question from the other end.
In December 2001, bin Laden appeared in a videotape and urged the
destruction of the U.S. economy. He smiled occasionally, leaned into
the camera and said, "This economic hemorrhaging continues until
today, but requires more blows. And the youth should try to find the
joints of the American economy and hit the enemy in these joints, with
God's permission."

Every day, Gorman tries to identify those "joints," sitting in a gray
cinderblock lab secured by an electronic lock, multiple sign-on codes
and a paper shredder. No one other than Gorman, Schintler or their
research instructor, Rajendra Kulkarni, is allowed inside; they even
take out their own trash. When their computer crashed, they removed
the hard drive, froze it, smashed it and rubbed magnets over the
surface to erase the data.

The university has imposed the security guidelines. It is trying to
build a cooperative relationship with the Department of Homeland
Security. Brenton Greene, director for infrastructure coordination at
DHS, described the project as "a cookbook of how to exploit the
vulnerabilities of our nation's infrastructure." He applauds Gorman's
work, as long as he refrains from publishing details. "We would
recommend this not be openly distributed," he said.

Greene is trying to help the center get federal funding. ("The
government uses research funding as a carrot to induce people to
refrain from speech they would otherwise engage in," said Kathleen
Sullivan, dean of Stanford Law School. "If it were a command, it would
be unconstitutional.")

All this is a bit heavy for Gorman, who is in many ways a typical
student. His Christmas lights are still up in July; his living room
couch came from a trash pile on the curb. Twice a day, Gorman rows on
the Potomac. Out on the water, pulling the oars, he can stop thinking
about how someone could bring down the New York Stock Exchange or
cripple the Federal Reserve's ability to transfer money.

On a recent afternoon, he drove his Jeep from the Fairfax campus
toward the river. Along the way he talked about his dilemma: not
wanting to hurt national security; not wanting to ruin his career as
an academic.

"Is this going to completely squash me?" he said, biting his
fingernail. GMU has determined that he will publish only the most
general aspects of his work. "Academics make their name as an expert
in something. . . . If I can't talk about it, it's hard to get hired.
It's hard to put 'classified' on your list of publications on your
résumé."

As he drove along Route 50, he pointed out a satellite tower and a
Verizon installation. Somewhere in Arlington he took a wrong turn and
stopped to ask for directions. It has always been that way with him.
He's great at maps, but somehow he ends up lost.