Realistic solutions to these issues are hard to come by when we are facing overblown predictions of cyber doom and gloom.  We need to take a hard look at what policy makers are saying (and being told) to ensure that we are applying the correct resources to the correct problem.

Reblogged from My Big Fat EM Blog:

To address this need, the Center for Disaster Risk Policy (http://cdrp.net) has developed a platform to exercise with various social media tools. The Social Media Exercise System (SMEX) is a ‘closed loop’ social media simulator, allowing real-time exercises involving social media to be conducted in a controlled environment. SMEX simulates Twitter, Facebook, Youtube, and web based news outlets, and includes interaction directly from the ‘survivors’ in the impact area. All simulated social media exercise components are aggregated (if requested) using a Ushahidi deployment that is part of the platform, allowing participants to assess and triage information as it flows into the exercise and form a geographical understanding of exercise events.

To support the SMEX, a simulation cell consisting of one or two exercise controllers oversees the flow of information to the participants. From this web-based control panel, controllers deploy inject ‘packages’ on either a schedule or as needed. Typically, groups of Twitter injects are created in advance of the exercise, so that as packages of injects are placed into the exercise the system creates a semi-realistic operational tempo. This allows for controllers to adjust the pressure of the exercise, by adjusting the rate at which new injects are brought into play.

The first SMEX, a proof of concept, was conducted in our Disaster Systems course in April 2012. There were seventeen participants, and each had brought with them their own laptop or tablet computer. Since with was a university course, they were not pre-organized to work in a crisis situation, though they were all familiar with the Incident Command System. This was deliberate, since I wanted to see the student recognize the need for organization and adopt some of the techniques learned throughout the semester.

The exercise was based on a tornado outbreak in and around Tallahassee, where the students would have some familiarity with the geography. To support about 90 minutes of play time, approximately 500 tweets were created, as well as four online news stories at both the local and national level, and dozens of 911 reports that would be fed to the exercise system. In addition the the pre-planned inject packages, controllers were able to create injects on the fly, working off on information overheard in the room. This allowed us to create some ‘curve balls’ that were based on decisions the students were making. Injects were crafted to focus on building situational awareness in a dynamic and chaotic situation, composing outgoing messages to the public, and identifying rumors. The operational tempo for this exercise was considerably lower than what would be encountered in a real event, but it adequately illustrated the stressful environment that participants in a disaster would have to work in.

At the start of the exercise, we identified the group as an ad-hoc organization working in support of the Public Information Officer. I had them designate a Team Leader, gave them the background briefing, and turned them loose. Within the first five minutes, they had dozens of tweets and 911 reports to deal with, and they quickly broke up the group by functions to better address the issues. The functions they identified early were Twitter monitoring, Ushahidi report review, 911 reporting, and media monitoring. These teams then started filtering the information and trying to prioritize and identify trends.

As the exercise wore on, several things became clear to the controllers and participants:

1. One map isn’t really sufficient. You need a map (such as Ushahidi) for initial assessment of incoming info; a sandbox, and a ‘final’ map that contains only what has been assessed as valid. Two Ushahidi instances may be the way to go, we aren’t entirely certain yet.
2. Filtering capability of reports and tweets needs to include time range searches. For example, participants needed the ability to show all tweets received between 1800 and 1820, and that capability did not exist.
3. Simulating social media requires a lot of data to be created.
4. The simulation cell needs custom built tools to effectively manage the inject of information to the exercise.
5. While the type of information received never called for emergency managers to allocate resources, it was very helpful for gaining a complete understanding of the event. The students in the room had an excellent picture of the scenario, using only information gained through the exercise system.
6. News article comments are a valuable source of data, and key areas to monitor for rumor and incorrect information.

Overall, the proof of concept SMEX was a success. Participants enjoyed the process, and learned quickly that such a simple concept was actually very difficult in operational conditions. It illustrated to the students the fact that social media can be a valuable source of information, as well as a difficult data stream to understand and process.

We are currently designing the next generation of the SMEX platform, as well as several scenarios that can be deployed as needed. In future iterations, we plan to extend play time by adding inject packages, and create a more realistic Twitter simulator. In addition, we will provide additional Ushahidi instances to participants to utilize as they see fit. We are looking forward to gathering additional data as we conduct exercises in a variety of settings – all aimed at improving social media usage for situational awareness.

First, it’s described as a ‘virus’.  A virus may have infected the systems without any deliberate, malicious actions by an ‘attacker’.  Second, the virus affected “the main Internet and communications systems of Iran’s Oil Ministry and national oil company”.  In other words, it messed up their email and internet access. Again, this is not an indicator of an ‘attack’, but could be the result of a typical virus, worm or trojan.

Cyber events suffer from a need to be seen as ‘spectacular’, when in reality the simplest and most mundane explanation is the most likely.  In this particular case, the Iranians claiming this as a cyber attack is most likely a political move, and not based in reality.

So.  What’s next in the election year news froth-o-meter?

As usual, AWARE Forum has a detailed post talking about the rollout and the work done so far.

I feel that the term terrorism has been watered down in the past decade, and is now applied to actions and activities that perhaps it should not be.  That’s not necessarily a bad thing, but it certainly changes the public perception – and that may be detrimental in the long run.

Here is a summation from the article: “The FBI once taught its agents that they can “bend or suspend the law” as they wiretap suspects. But the bureau says it didn’t really mean it, and has now removed the document from its counterterrorism training curriculum, calling it an “imprecise” instruction. Which is a good thing, national security attorneys say, because the FBI’s contention that it can twist the law in pursuit of suspected terrorists is just wrong.”

That’s some interesting reading, and certainly doesn’t read as though it went through any legal vetting process.  Th FBI, which did release the documents on request, has not disclosed when this training material was issued, how long it was used, or who the intended audience was.

I had about ten students participate, a mix of graduates and undergraduates. They split into small teams and broke out laptops, tablets and iPhones (not an Android device to be seen). I gave them the guidelines for the drill, which included the fact that no major media outlets were to be utilized as sources. They were asked to limit their efforts to Twitter, Facebook, blogs, Google+, etc. – I wanted them playing in social media for the most part. We reviewed a few tools (Twitterfall, Hootsuite, TweetGrid) they might find useful in their monitoring and reminded them this was a passive exercise, there was no need to post information.

They were then told to find as much solid, verified, information as possible on the Ohio high school shooting, which had occurred about eleven hours before. I was looking for the basics – who, what, when, why and how – as well as samples of bad or bogus information and samples of information that was repeated endlessly. It was a simple topic, the SM chatter on the event was plentiful, but they only had about 20 minutes to work with.

What they came up with was an interesting mix of expected and unexpected. For the most part, given the timeframe, they had very few hard facts. They knew the shooting was in Chardon, Ohio. They knew the shooter’s name. Several of them found his Facebook page, but were unable to adequately verify it as authentic. Lots of rumor and soft info on the shooter’s habits, personality, and possible motives. All of that I expected. However, they were unable to find any hard info about the time of the incident, the current status of the shooter, or the exact casualty/fatality count (we had at least three conflicting “themes” on that one). It was an interesting observation.

There were several key points from an emergency or crisis management perspective.

1. There is more information out there than you can imagine, and sorting through and curating it all is going to take time. Time is a commodity that most activated EOC’s seldom have enough of.
2. Social media can provide a lot of ‘soft’ info, but may be lacking in the hard details. This is not a bad thing, as the hard details are typically available to an emergency manager from other sources. Social media can fill in what the community is saying, what the public is focused on, and enhance your situational awareness and crisis communication.
3. Social media monitoring is best as a collaborative effort. The groups used shared workloads and ad hoc collaboration to go out to a variety of different sites/sources hunting information.
4. A lot of information is stale and/or incorrect. Verification of information is important, particularly in dynamic events as information will change rapidly. Verification and authentication takes time.

All of these factors show the value of the VOST (Virtual Operations Support Team) concept as a tool to assist emergency managers and EOCs manage the social media environment. It was a great informal exercise, and I’m looking forward to doing it again and collecting more information.

Many reports indicated it was a nationwide Verizon test, but I am a Verizon subscriber and did not receive the alerts – and neither did anyone else I know.  While many people complained that the message was confusing, all of the screencaps in AWARE’s post seem pretty clear that it’s a test message.

I was also surprised by the repeated sentiment that CMAS was a tool for the government to ‘bug’ or ‘track’ the population.  I shouldn’t be surprised, I guess; there are people who will believe anything.

One final point… this is a great example of Twitter serving as a great tool for emergency managers.  I needed some info, I posted it to the #SMEM hashtag community and had an answer in five minutes.  If you are on Twitter, be sure to check out the discussions on #SMEM and the weekly live chat conducted under the hashtag #SMEMchat – Fridays at 1230pm EST.

“The Royal United Services Institute estimates about 50 Britons are fighting with Somali extremists Al Shabaab.  They and others returning from wars in Yemen and Nigeria could use their experience on UK streets, RUSI said.”

That is a very specific estimate, and I would like to see how they arrived that that figure. Surely it is not based on specific tracking of people or targets; if specific identities were known, I doubt they would remain a threat at large upon return to the UK. Whatever the method, it is true that this type of overseas on-the-job training is a serious threat to the security of most nations. While the article title focuses on the ‘lone wolf’ scenario, these experienced terrorists and fighters could easily coalesce into home grown terror groups, as well as serve as a nucleus for future terrorist recruitment.

Additionally, Britain is going to be facing some serious restructuring and austerity in counter-terrorism after the 2012 Olympics. While the United States isn’t facing an immediate crisis in that regard, it is only a matter of time before our funding begins to wane. In the U.S., disaster response and preparedness (at the Federal level) will go first, which will place a lot of communities at risk from a variety of both natural and technological hazards.

xkcd.com | “Etymology-Man“

Philippine forces examine the site where Abu Sayyaf members were killed (via Voice of America)

According to Philippine officials, a raid has killed three terrorist leaders; two from Jemaah Islamiyah and one from Abu Sayyaf.   While all three were identified as terrorists by the United States, it’s unclear what effect this strike will have on the ongoing operations in Mindanao.

“The Abu Sayyaf group is quite decentralized,” Ms. Lau said. “When high-profile figures have been killed in the past, you still have the Abu Sayyaf operating. As to whether or not this is a significant blow to the group, that would be an extremely difficult judgment to make at this point.” (NYTimes)

The coverage and narrative regarding the attack is muddled.  Some sources say they were killed in a ‘raid’, while others call it an ‘airstrike’.  At least one article does not mention Jemaah Islamiyah at all, but places all the terrorists killed as members of Abu Sayyaf.  Here is some of the coverage:

NYTimes.com | ABC News | The Star (Malaysia) | Voice of America

The Philippine military has been unable (so far) to recover and identify the bodies.  There are also reports of as many as 15 Abu Sayyaf members being killed in the raid.  What strikes me is that despite the unclear situation and confusing reports, most of the media stories all include a reference to Al Qaeda.  It would seem that it is impossible to discuss any terrorist organization throughout the world without discussing a possible, potential, tenuous connection to Al Qaeda.

In particular, it appears that around a third of all terrorist attacks in the US are clustered around four or five metropolitan areas. Also, as the nature of terrorism shifted, targets changed. For example, during the 70′s San Francisco was a popular target choice. As the radical fervor of that decade waned, targets moved elsewhere. Despite all of that, New York and Los Angeles are consistently targets, presumably because of their size and public profile.

I’m looking forward to taking this apart in more detail, and incorporating some of it into our terrorism courses. More information on START is available online.