The RISKS Digest
Volume 21 Issue 66

Monday, 17th September 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

11 September 2001 in retrospect
PGN
Info on RISKS (comp.risks)

11 September 2001 in retrospect

<"Peter G. Neumann" <neumann@CSL.sri.com>>
Mon, 17 Sep 2001 16:27:43 PDT

         ***********************************
         ***********************************
         **       11 September 2001       **
         ***********************************
         ***********************************

              "THE RISKS ARE OBVIOUS."
           BUT PERHAPS NOT OBVIOUS ENOUGH.


11 September 2001 will be painfully remembered by most of the planet's
population for the coordinated hijacking of four jetliners and the ensuing
surprise attacks on New York City's World Trade Center and the Pentagon,
with thousands of lives lost and enormous consequential after-effects.  Our
hearts go out to everyone close to those who were so irrevocably affected --
including the crash victims, the firemen and other emergency workers in New
York City, and especially the UA93 passengers whose efforts evidently saved
the lives of others.

We are once again reminded how fragile our lives and civic infrastructures
are, and how interdependent we all are.  Although violent and sudden
large-scale termination of people's lives has previously been all too
familiar in many countries of the world, many of us have hitherto largely
taken too much for granted.  Hopefully, the aftermath of this fateful day
will dramatically increase public awareness of some of the vulnerabilities
in our lives and risks to our freedom.

However, the events should come as no surprise, because many warnings have
been widely ignored.  For example, the President's Commission on Critical
Infrastructure Protection of the previous U.S. Administration identified
serious vulnerabilities in telecommunications, electric power and other
energy sources, transportation, financial services, emergency services, and
government continuity.  It noted how interdependent these critical
infrastructures are, and how they are all related to information
technologies.  It also observed difficulties in coordination among and
within different infrastructures, and perhaps most relevant, a general lack
of public awareness.  In many respects, complacency has been seen across the
board in response to that report.  In addition, the White House Commission
on Safety and Security (the Gore Commission) identified many serious risks
in aviation.  (Also, see my paper <http://www.csl.sri.com/neumann/air.html>,
presented at the January 1997 International Conference on Aviation Safety
and Security, co-sponsored by that commission and George Washington
University.)  Various analyses of commercial aviation and air-traffic
control over the past 18 years within the Department of Transportation have
identified potentially serious vulnerabilities that merit closer attention.
More recently, a U.S. General Accounting Office report identified many
serious problems in airport security.  But, perhaps because the risks and
threat levels seemed low, or possibly because institutional bureaucracy is
so deeply entrenched, very little action was deemed necessary.
Unfortunately, some of the issues recognized therein have now come home to
roost.

As a society, we in the U.S. seem to be unwilling to take certain prudent
precautions — perhaps because they would cost too much, or be too
inconvenient, or would seriously degrade service.  Apparently, we suffer
from a serious lack of foresight.

The Risks Forum has persistently considered risks associated with our
technologies and their uses, but we often note that many of the crises and
other risk-related problems have resulted from low-tech events, misguided
human behavior, or malicious misbehavior.  In short, the typical search for
high-tech solutions to problems stemming from social, economic, and
geopolitical causes has frequently ignored more basic issues.  Over-endowing
high-tech solutions is riskful in the absence of adequate understanding of
the limitations of the technology and the frailties and perversities of
human nature.  Whereas there are high-tech solutions that might be effective
if properly used, we should also be examining some low-tech and no-tech
approaches.

One pervasive theme in the Risks Forum over the past 16 years has been the
ubiquity of systemic vulnerabilities relating to security, reliability,
availability, and overall survivability, with respect to human enterprises,
society at large, and to systems, applications, and enterprises based on
information technologies.  Evidently, we still have much to learn.

Let us seek to build a better world, and remain true to our human values and
constitutional foundations.  Also, let us beware of seeming solutions --
technological or otherwise — that result in further escalation of the
risks.  Sadly, because of the inherent vulnerabilities in those seeming
solutions, we are always at risk, whether we realize it or not.

Peter G. Neumann

Please report problems with the web pages to the maintainer

x
Top