
Information Systems

This category contains 70 posts

Stopping Us In Our Tracks

In a recent Boston Globe article, General Martin Dempsey, Chairman of the Joint Chiefs of Staff, says that “a cyber attack could stop our society in its tracks.”  That’s a bit of hyperbole, and plays into a growing trend in coverage of cyber security…  exaggeration.

Realistic solutions to these issues are hard to come by when we are facing overblown predictions of cyber doom and gloom.  We need to take a hard look at what policy makers are saying (and being told) to ensure that we are applying the correct resources to the correct problem.

Cybercrime estimates are overblown

Reblogged from My Big Fat EM Blog:

I saw an article in The Atlantic reporting that cybercrime reports contain staggering amounts of upward bias.  More coverage at CNET here and the New York Times here (firstborn may be required, but this is probably the best content of the lot).  Although the methods used to come to this conclusion involve statistical analysis, I think this is a major problem in the field of information security, and it certainly isn’t unique to that field.


If cybercrime is over-reported, what about cyberterrorism?

Making Sense of the Info Flood – A Social Media Exercise System

Social media is becoming a mainstream outreach and crisis communications channel for crisis and disaster management. Despite this growth, many emergency managers and agencies are not adept at working with Facebook, YouTube, or Twitter. The immediate nature of this medium means that some traditional crisis communication methods do not translate well, and must be adapted. Further, social media serves as a quick and effective method for monitoring public feedback or commentary on a crisis or disaster, and that function can and should contribute to an organization’s situational awareness.

To address this need, the Center for Disaster Risk Policy (http://cdrp.net) has developed a platform to exercise with various social media tools. The Social Media Exercise System (SMEX) is a ‘closed loop’ social media simulator, allowing real-time exercises involving social media to be conducted in a controlled environment. SMEX simulates Twitter, Facebook, YouTube, and web-based news outlets, and includes interaction directly from the ‘survivors’ in the impact area. All simulated social media exercise components are aggregated (if requested) using a Ushahidi deployment that is part of the platform, allowing participants to assess and triage information as it flows into the exercise and form a geographical understanding of exercise events.

To support the SMEX, a simulation cell consisting of one or two exercise controllers oversees the flow of information to the participants. From this web-based control panel, controllers deploy inject ‘packages’ on either a schedule or as needed. Typically, groups of Twitter injects are created in advance of the exercise, so that as packages of injects are placed into the exercise the system creates a semi-realistic operational tempo. This allows controllers to adjust the pressure of the exercise by adjusting the rate at which new injects are brought into play.

The first SMEX, a proof of concept, was conducted in our Disaster Systems course in April 2012. There were seventeen participants, and each had brought with them their own laptop or tablet computer. Since this was a university course, they were not pre-organized to work in a crisis situation, though they were all familiar with the Incident Command System. This was deliberate, since I wanted to see the students recognize the need for organization and adopt some of the techniques learned throughout the semester.

The exercise was based on a tornado outbreak in and around Tallahassee, where the students would have some familiarity with the geography. To support about 90 minutes of play time, approximately 500 tweets were created, as well as four online news stories at both the local and national level, and dozens of 911 reports that would be fed to the exercise system. In addition to the pre-planned inject packages, controllers were able to create injects on the fly, working off information overheard in the room. This allowed us to create some ‘curve balls’ that were based on decisions the students were making. Injects were crafted to focus on building situational awareness in a dynamic and chaotic situation, composing outgoing messages to the public, and identifying rumors. The operational tempo for this exercise was considerably lower than what would be encountered in a real event, but it adequately illustrated the stressful environment that participants in a disaster would have to work in.

At the start of the exercise, we identified the group as an ad-hoc organization working in support of the Public Information Officer. I had them designate a Team Leader, gave them the background briefing, and turned them loose. Within the first five minutes, they had dozens of tweets and 911 reports to deal with, and they quickly broke up the group by functions to better address the issues. The functions they identified early were Twitter monitoring, Ushahidi report review, 911 reporting, and media monitoring. These teams then started filtering the information and trying to prioritize and identify trends.

As the exercise wore on, several things became clear to the controllers and participants:

  1. One map isn’t really sufficient. You need a map (such as Ushahidi) for initial assessment of incoming info, a sandbox, and a ‘final’ map that contains only what has been assessed as valid. Two Ushahidi instances may be the way to go; we aren’t entirely certain yet.
  2. Filtering capability of reports and tweets needs to include time range searches. For example, participants needed the ability to show all tweets received between 1800 and 1820, and that capability did not exist.
  3. Simulating social media requires a lot of data to be created.
  4. The simulation cell needs custom-built tools to manage the flow of injects into the exercise effectively.
  5. While the type of information received never called for emergency managers to allocate resources, it was very helpful for gaining a complete understanding of the event. The students in the room had an excellent picture of the scenario, using only information gained through the exercise system.
  6. News article comments are a valuable source of data, and key areas to monitor for rumor and incorrect information.
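An added example, not part of the original post or the SMEX platform: a minimal inject scheduler in Python that shows the two mechanics described above, releasing pre-built packages at a controller-chosen tempo, and the time-range filter from lesson 2 that the proof of concept lacked. The injects, the exercise date and the helper names (Inject, Package, InjectScheduler, at, demo) are all constructed for this example.

```python
# Added example, not part of the SMEX platform: a minimal inject scheduler showing
# (a) tempo control by varying the spacing between injects in a package and
# (b) the time-range filter the proof of concept was missing.
# Every inject below is constructed sample data; the exercise date is arbitrary.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EXERCISE_DATE = datetime(2012, 4, 10)   # constructed


def at(hhmm: str) -> datetime:
    """Turn an exercise clock time like '1820' into a datetime on EXERCISE_DATE."""
    return EXERCISE_DATE.replace(hour=int(hhmm[:2]), minute=int(hhmm[2:]))


@dataclass
class Inject:
    text: str
    source: str                              # "twitter", "911", "news"
    released_at: Optional[datetime] = None   # stamped when the controller releases it


@dataclass
class Package:
    name: str
    injects: List[Inject]


class InjectScheduler:
    """Simulation-cell control panel: releases packages into a single feed."""

    def __init__(self, start: datetime):
        self.clock = start              # simulated exercise clock
        self.feed: List[Inject] = []

    def release(self, package: Package, interval_seconds: int) -> None:
        """Release a package with `interval_seconds` between injects.

        Controllers raise the pressure by shrinking the interval; that is the
        tempo adjustment the write-up describes.
        """
        for inj in package.injects:
            inj.released_at = self.clock
            self.feed.append(inj)
            self.clock += timedelta(seconds=interval_seconds)

    def between(self, t0: datetime, t1: datetime,
                source: Optional[str] = None) -> List[Inject]:
        """Everything received in [t0, t1), optionally restricted to one source."""
        return [i for i in self.feed
                if t0 <= i.released_at < t1
                and (source is None or i.source == source)]

    def rate_per_minute(self, t0: datetime, t1: datetime) -> float:
        """Operational tempo over a window, as injects per minute."""
        minutes = (t1 - t0).total_seconds() / 60
        return len(self.between(t0, t1)) / minutes if minutes > 0 else 0.0


def demo() -> InjectScheduler:
    """Two pre-built packages released at different tempos (constructed data)."""
    s = InjectScheduler(at("1800"))
    tweets = Package("tornado-sightings",
                     [Inject(f"constructed tweet {n}: funnel cloud reported", "twitter")
                      for n in range(4)])
    calls = Package("911-batch-1",
                    [Inject("caller reports roof torn off on Main St", "911"),
                     Inject("caller reports lines down, sparks", "911")])
    s.release(tweets, interval_seconds=300)   # one tweet every 5 minutes: slow
    s.release(calls, interval_seconds=60)     # controller tightens the interval
    return s


if __name__ == "__main__":
    s = demo()
    for inj in s.between(at("1800"), at("1820")):
        print(inj.released_at.strftime("%H%M"), inj.source, inj.text)
    print("tempo 1800-1822:", s.rate_per_minute(at("1800"), at("1822")), "injects/min")
```

The time stamps are assigned at release rather than taken from the inject text, which is what makes the "show me 1800 to 1820" query possible regardless of how the tweets were authored in advance.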

Overall, the proof of concept SMEX was a success. Participants enjoyed the process, and learned quickly that such a simple concept was actually very difficult in operational conditions. It illustrated to the students the fact that social media can be a valuable source of information, as well as a difficult data stream to understand and process.

We are currently designing the next generation of the SMEX platform, as well as several scenarios that can be deployed as needed. In future iterations, we plan to extend play time by adding inject packages and to create a more realistic Twitter simulator. In addition, we will provide additional Ushahidi instances to participants to utilize as they see fit. We are looking forward to gathering additional data as we conduct exercises in a variety of settings – all aimed at improving social media usage for situational awareness.

Cyberattack in Iranian Oil Facility

Reuters is carrying an article on a suspected cyber attack on an Iranian oil facility.  I’ve spent the past couple of weeks updating our cyber-terrorism lectures and material, so I was immediately suspicious of the claims.  When reading the article carefully, several aspects jump out at me.

First, it’s described as a ‘virus’.  A virus may have infected the systems without any deliberate, malicious actions by an ‘attacker’.  Second, the virus affected “the main Internet and communications systems of Iran’s Oil Ministry and national oil company”.  In other words, it messed up their email and internet access. Again, this is not an indicator of an ‘attack’, but could be the result of a typical virus, worm or trojan.

Cyber events suffer from a need to be seen as ‘spectacular’, when in reality the simplest and most mundane explanation is the most likely.  In this particular case, the Iranians claiming this as a cyber attack is most likely a political move, and not based in reality.

CMAS is Going Live, and Testing Again

Reports are trickling through Twitter that at least Verizon is testing CMAS today, displaying blank messages. At least one twitter user found it “creepy as f&$%”.  I’m sure the latest carrier tests are linked to the impending rollout, which is scheduled for… now(ish).

As usual, AWARE Forum has a detailed post talking about the rollout and the work done so far.

Note on Cyber Terrorism

As I am re-writing a lecture on cyber issues for my terrorism class tonight, I find myself unconvinced that a lot of what gets called ‘cyber-terrorism’ should be classified as such.  While I read recent media blurbs like this “FBI on guard against terrorist cyber attacks (CNN)”, I doubt the accuracy of defining terrorist activity online as ‘terrorism’.

I feel that the term terrorism has been watered down in the past decade, and is now applied to actions and activities that perhaps it should not be.  That’s not necessarily a bad thing, but it certainly changes the public perception – and that may be detrimental in the long run.

Social Media and Post Incident Information Gathering

In my last Disaster Systems class we were discussing the use of social media in emergency management. This is a standard topic in my syllabus, and probably the most dynamic of topics that we cover; I am constantly adding and editing information to keep current. This semester, as part of this lesson I wanted to do a hands-on activity utilizing social media and let the students play with some of the data validation and triangulation techniques we discuss in the lecture.

I had about ten students participate, a mix of graduates and undergraduates. They split into small teams and broke out laptops, tablets and iPhones (not an Android device to be seen). I gave them the guidelines for the drill, which included the fact that no major media outlets were to be utilized as sources. They were asked to limit their efforts to Twitter, Facebook, blogs, Google+, etc. – I wanted them playing in social media for the most part. We reviewed a few tools (Twitterfall, Hootsuite, TweetGrid) they might find useful in their monitoring and reminded them this was a passive exercise, there was no need to post information.

They were then told to find as much solid, verified, information as possible on the Ohio high school shooting, which had occurred about eleven hours before. I was looking for the basics – who, what, when, why and how – as well as samples of bad or bogus information and samples of information that was repeated endlessly. It was a simple topic, the SM chatter on the event was plentiful, but they only had about 20 minutes to work with.

What they came up with was an interesting mix of expected and unexpected. For the most part, given the timeframe, they had very few hard facts. They knew the shooting was in Chardon, Ohio. They knew the shooter’s name. Several of them found his Facebook page, but were unable to adequately verify it as authentic. Lots of rumor and soft info on the shooter’s habits, personality, and possible motives. All of that I expected. However, they were unable to find any hard info about the time of the incident, the current status of the shooter, or the exact casualty/fatality count (we had at least three conflicting “themes” on that one). It was an interesting observation.

There were several key points from an emergency or crisis management perspective.

  1. There is more information out there than you can imagine, and sorting through and curating it all is going to take time. Time is a commodity that most activated EOCs seldom have enough of.
  2. Social media can provide a lot of ‘soft’ info, but may be lacking in the hard details. This is not a bad thing, as the hard details are typically available to an emergency manager from other sources. Social media can fill in what the community is saying, what the public is focused on, and enhance your situational awareness and crisis communication.
  3. Social media monitoring is best as a collaborative effort. The groups used shared workloads and ad hoc collaboration to go out to a variety of different sites/sources hunting information.
  4. A lot of information is stale and/or incorrect. Verification of information is important, particularly in dynamic events as information will change rapidly. Verification and authentication takes time.

All of these factors show the value of the VOST (Virtual Operations Support Team) concept as a tool to help emergency managers and EOCs manage the social media environment. It was a great informal exercise, and I’m looking forward to doing it again and collecting more information.

CMAS Test Confusion. Again.

This morning on Twitter and other social media channels I started seeing references to a CMAS test conducted yesterday, apparently by Verizon Wireless.  What caught my eye was the fact that the alert messages that ended up on some people’s phones were not clearly ‘only a test’.  I pinged the #SMEM group on Twitter about it, and quickly got a response from @AWAREforum directing me to their post on the subject:  Large-scale CMAS Testing Yesterday Causing Confusion.

Many reports indicated it was a nationwide Verizon test, but I am a Verizon subscriber and did not receive the alerts – and neither did anyone else I know.  While many people complained that the message was confusing, all of the screencaps in AWARE’s post seem pretty clear that it’s a test message.

I was also surprised by the repeated sentiment that CMAS was a tool for the government to ‘bug’ or ‘track’ the population.  I shouldn’t be surprised, I guess; there are people who will believe anything.

One final point… this is a great example of Twitter serving as a great tool for emergency managers.  I needed some info, I posted it to the #SMEM hashtag community and had an answer in five minutes.  If you are on Twitter, be sure to check out the discussions on #SMEM and the weekly live chat conducted under the hashtag #SMEMchat – Fridays at 12:30 pm EST.

Surprising Lesson from Joplin

I’ve always been told an interior hallway will work as a tornado shelter (if a basement isn’t available). This article, written with information gathered after the Joplin tornado, proves that assumption false.

Also of interest is the fact that SMS was working while voice calls were not. This means Twitter (which can post via SMS) would be a functional reporting tool post-impact.

Google Integrates Public Warnings into Google Maps

Wish you had a graphical display of all current public alerts and warnings?  Head over to http://www.google.org/publicalerts and browse around.

Google just launched a maps page that places current alerts, watches and warnings from the National Weather Service, NOAA, and the USGS on a single interactive map.  While aggregation and display is nifty, where Google really shines is in the fact that they are integrating alerts data with search results on Google Maps.  If you go to Google Maps and search for a term that resembles an existing watch or warning, that data will be displayed with your search results.  No word on the Google Blog whether there are plans to integrate warning data with typical web search results – but that would be really cool, too.

For the complete word, here is the official Google Blog post: http://blog.google.org/2012/01/public-alerts-now-on-google-maps.html

Added an update to my post on the NYC CMAS test.

CMAS Test Worked. Mostly. [UPDATED]

The planned test of the CMAS system yesterday in and around NYC seems to have worked.  At least, there are reports that people received the messages on their wireless phones.  One tiny problem.  Some of them, at least, didn’t know it was a test.

Insert snarky comment here.

I have to wonder – who crafted the test messages?  Since this was a test of the IPAWS/CMAS message aggregation capability, I have to think the messages originated with EM personnel somewhere.   If that is the case… shame on you.  If the message isn’t real, either because it’s an exercise, system test, or whatever, the first part and the last part of the message should make that clear.   For example, “Exercise exercise exercise.  There is a civil emergency in your area….  This is an exercise.”

It seems that while the technology worked (people got the messages), the system failed.  There is more to warnings and alerts than simply getting the message to the population, they need to know what to do next.  Comments on the Gawker article (linked) show confusion on the term ‘shelter in place’ as well.  Sounds to me like the risk communication teams have some work cut out for them in the near future.

Update (21 DEC 11)

As clarified in the comments section of this post, the issues here are spread over two separate system tests.  The CMAS system test in NYC seems to have been mostly successful – at least, there was almost zero chatter about it afterward.  Good.

However, a carrier system test (conducted the day before the NYC test) was carried out by Verizon in New Jersey.  This is the test that startled many residents, as the message did not include any indication that it was only a test.  While CMAS doesn’t allow for custom formatting, etc. (and I agree with the commenter that this may cause issues), the alert body still failed to indicate it was a test.

CMAS is going to be a valuable tool in the EM toolbox, and despite some early issues, I’m looking forward to full implementation.

NYC to Test IPAWS Component Today

The New York City Office of Emergency Management will broadcast six text messaging alerts today to test the new Commercial Mobile Alert System (CMAS).

This is the first deployment of CMAS, which is part of an integrated alerting and warning strategy developed by FEMA and partner organizations. Called IPAWS (Integrated Public Alert and Warning System), it is designed to reach more Americans more efficiently, and it allows for centralized control of alert creation and dissemination.

CMAS is designed to target all cell phones (that are enabled by the user and carrier) in a specific geographic location – even roaming phones.  This is a warning capability that we do not currently have in the United States and will prove valuable in the case of localized threats.  Think tornado warnings, hazmat leaks, wildfires, flooding…  CMAS will give emergency managers the ability to get an alert to those who are in immediate danger, but may not be in front of a computer, watching TV or listening to a radio.  Good stuff.

CMAS will continue to roll out across the country this Spring, and I encourage everyone to talk to their wireless carrier about how to activate the service.

Here is the original NYC OEM Press Release

Stuxnet Type Attacks May Become More Common

Attacks similar to the Stuxnet worm launched against the Iranian nuclear program may become more common in the future, and require fewer resources. According to an AP wire article (available nearly everywhere), researchers and security analysts all over the world are finding new vulnerabilities in SCADA control systems. SCADA (Supervisory control and data acquisition) systems act as the control interface between computers and physical industrial processes and are used to control manufacturing equipment, power generation systems, and other physical plants.

The Stuxnet worm, thought to be the work of one or more governments in an attempt to cripple Iranian production of nuclear material, was the first highly publicized SCADA attack. It was assumed that Stuxnet required large amounts of time, talent and resources to accomplish – but that may not be the case. One U.S. researcher discovered dozens of similar SCADA exploits in only a few months and spending only $20,000. That’s well within the reach of many fringe elements and terrorist organizations.

Other security analysts inspected a power company and a correctional institution and discovered vulnerabilities that would allow unauthorized control of systems connected to the controllers. In the prison this included facility doors, alarms, and video surveillance feeds.

Sounds bad, but it may not be. One point that the article doesn’t mention – the air gap. SCADA systems have long been known to be vulnerable when the attacker is sitting right next to the controller and is connected directly to it. Any system is vulnerable once the attacker has physical access. The real-world vulnerability, which the article does not address directly, is whether or not these attacks could succeed with the attacker sitting in a basement in Chicago, while the target is 2,000 miles away. Since SCADA systems are not supposed to be connected to the internet, this attack scenario seems less likely. Sure, some SCADA systems that shouldn’t be are connected to the internet, either deliberately or accidentally, but I doubt the described scenarios would be effective from outside the facilities.

Stuxnet intrigues me not only because of what it did, but the fact that it got onto the SCADA systems in the first place. Yes, these vulnerabilities exist (and will for years), but the real danger is the introduction of worms capitalizing on these vulnerabilities onto the isolated systems.  The Air Force has experienced some similar issues recently, and any commercial enterprise knows the threat of malicious code introduced via USB drives and other removable media.  Even on systems that are properly air gapped from the internet, if users are attaching removable media to workstations connected to the SCADA controller, some types of attacks could be successful.    These scenarios are still a long way from the Hollywood style ‘take control of everything’, but an attacker could still wreak a lot of havoc in a short amount of time.

In summary, the article is worth a read, but tends to overestimate the threat.  Attackers are not able to remote control prisons, nor re-route power, etc. – at least not with any type of external control.  Security analysts are already aware of these types of attacks, and the air gap remains the best defense.
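An added example, not from the article or the post above: if the air gap is the best defense, it is worth checking that it actually exists on the hosts that are supposed to be behind it. This Python script reads `ip route show` and `lsmod` output from a Linux workstation on the control network and flags the two things the post worries about: a network path off the isolated segment (a default route, or a route to a non-private destination) and a loaded driver for removable media or a radio. The two sample outputs are constructed, and the lists of private ranges and disallowed modules are assumptions to be tuned per site.

```python
# Added example, not from the article or any vendor: a small audit of the
# "air gap" that is supposed to isolate a control-system host. It parses
# `ip route show` and `lsmod` output (constructed samples below) and reports
# anything that means the host is not actually isolated. PRIVATE_NETS and
# DISALLOWED_MODULES are assumptions, not a standard.
import ipaddress
from typing import List, Sequence

# Ranges a truly isolated control network is assumed to use (RFC 1918, loopback,
# link-local). A route to anything else is a path toward somewhere it shouldn't go.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Kernel modules that give the host removable media or a radio: the vectors
# the post says defeat an air gap. Assumed list, not exhaustive.
DISALLOWED_MODULES = ("usb_storage", "uas", "bluetooth", "iwlwifi", "cdc_ether")


def audit_routes(ip_route_output: str) -> List[str]:
    """Flag default routes and routes whose destination is not a private range."""
    findings = []
    for raw in ip_route_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        dest = line.split()[0]
        if dest == "default":
            findings.append(f"default route present: {line}")
            continue
        if "/" not in dest:                       # host route: ip route omits the prefix
            dest += "/128" if ":" in dest else "/32"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:                        # e.g. "unreachable 10.0.0.0/8"
            findings.append(f"unparsed route line (check by hand): {line}")
            continue
        if not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS):
            findings.append(f"route to non-private destination: {line}")
    return findings


def audit_modules(lsmod_output: str,
                  disallowed: Sequence[str] = DISALLOWED_MODULES) -> List[str]:
    """Return disallowed modules that are currently loaded (first column of lsmod)."""
    lines = lsmod_output.strip().splitlines()[1:]          # drop the header row
    loaded = {ln.split()[0] for ln in lines if ln.strip()}
    return sorted(loaded & set(disallowed))


def audit_host(ip_route_output: str, lsmod_output: str) -> List[str]:
    """Combined verdict: an empty list means no sign the gap is bridged."""
    findings = audit_routes(ip_route_output)
    findings += [f"removable-media/radio module loaded: {m}"
                 for m in audit_modules(lsmod_output)]
    return findings


# Constructed sample: a host that is not air-gapped (default route out, a route
# to a public range, and a USB mass-storage driver loaded).
SAMPLE_ROUTES = """\
default via 192.168.10.1 dev eth0 proto dhcp metric 100
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20
10.50.0.0/16 via 192.168.10.254 dev eth0
203.0.113.0/24 via 192.168.10.254 dev eth0
"""

# Constructed sample: the same host with only its local control subnet routed.
CLEAN_ROUTES = """\
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20
192.168.10.1 dev eth0 scope link
"""

SAMPLE_LSMOD = """\
Module                  Size  Used by
usb_storage            77824  1 uas
uas                    28672  0
e1000e                262144  0
"""

if __name__ == "__main__":
    for f in audit_host(SAMPLE_ROUTES, SAMPLE_LSMOD):
        print("FINDING:", f)
    clean = audit_host(CLEAN_ROUTES, "Module Size Used by\ne1000e 262144 0\n")
    print("clean host:", clean or "no findings")
```

Run it against captured output from the real host (`ip route show > routes.txt; lsmod > mods.txt`) rather than on the host itself if you want the audit tooling to stay off the control network. Note what it does not catch: a modem or serial link, a dual-homed laptop that is only plugged in occasionally, or a USB driver that is loaded on demand after the check ran.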

Electronic Communications Privacy Act Doesn’t Provide Much Privacy (Anymore)

The Electronic Communications Privacy Act (ECPA) recently turned 25 years old, but there may not be much to celebrate.  The Act, designed to increase the privacy of computer users in 1986, has not aged well and many of its provisions are now a detriment to privacy.

In 1986, email was not stored on servers for any length of time.  Users connected to the mail server and downloaded the message to an email client.  Once that download completed, the message was erased from the server – it existed only on the user’s computer.   ECPA allows that messages left on servers for more than 180 days are ‘abandoned’, and as such are not subject to the same protections as email owned by a user.  To access email on a personal computer, law enforcement must obtain a search warrant.  To access messages abandoned on a server, the government need only supply a subpoena.

Fast forward to 2011.  Many (if not most) of us utilize web based mail services such as Yahoo!, Gmail, Hotmail, etc.  Do you delete your messages that are older than 180 days?  Nope.  Which means, under ECPA, the government can access your old messages without a search warrant – they only need a subpoena.   The same may be true for your files stored on services such as Facebook, Dropbox, Box.net, etc.  Our current computing model is geared toward long term online storage of files, but our legal privacy protections are not.

There is some movement to rectify this, but nothing concrete has emerged.  From a counter-terrorism standpoint, it is easier to conduct surveillance and intelligence gathering on targets using only a subpoena than having to obtain a search warrant.  It would not surprise me, given the USA PATRIOT Act, to see terrorism loopholes added to any modification of the ECPA.

Users must be aware of the security and privacy implications of their online activities, as well as how their expectations of privacy compare to the reality.

Further reading: Wired.com and PCWorld.com

About Merrick

I'm a geek at heart, with a great life, family and job. If that's not enough info, go check out the 'About' page.
