Known Knowns, All Over Again

RAND recently produced a new technical report on public information on transportation infrastructure. One quote from the report’s summary, while certainly true, reminds me all too much of Donald Rumsfeld’s poetic musings on known knowns and unknown unknowns:

“Familiarity with public sources of information is also valuable to defenders. If they are unaware that a terrorist group knows or can easily learn about a particular vulnerability, that vulnerability can be exploited more easily. If, however, defenders are able to establish a rough idea of what terrorists are likely to know or can learn from public sources, they can better identify what assets, regions, or populations may be at risk and adjust their defenses accordingly.”

In a way, the release of reports like this is a bad thing, overall. Not because it highlights the (real, if almost certainly overstated) threat of what the authors term “low- or no-risk information gathering activities” – public source, off-site research – but because by focusing on one very, very narrow form of vulnerability assessment as risk analysis, too much emphasis is perhaps being placed on certain potential vulnerabilities to the neglect of others.

“Defenders” who “adjust their defenses” to counter potential public-source threats are just begging for trouble elsewhere, it seems. Rest assured, there can be few worse methods of risk and threat analysis than conducting open-source research on the facilities or structures you’re tasked to protect. Doing so at the expense of, or in lieu of, a proper security analysis is, fairly literally, an invitation for disaster.

Something the study fails to do is take public information and vulnerability assessment to the next level and consider the potential value of (public-source) disinformation as a security tool. In other words, intentionally “revealing”, one way or another, security vulnerabilities of whatever sort that don’t actually exist. It can be very easy or very difficult, depending on what you’re trying to do, and comes hand-in-hand with a new set of risks, but it’s not at all difficult to imagine situations where it would be very, very effective. This is an area that I’m surprised hasn’t gotten more attention in today’s security-conscious era; then again, perhaps it has, but there isn’t any public-source information about it. Ah, the irony…

Published in: Geekiness, General, Security | on August 8th, 2007