=============================================================== T H E S E C U R I U S N E W S L E T T E R =============================================================== November 13, 2003 | Vol. 4, #06 | http://www.securius.com/ CONTENTS: * AGAIN? =============================================================== A service of PC Guardian | San Rafael, California Computer security products | http://www.pcguardian.com/ "Protecting Computers & Data Worldwide -- Since 1984" =============================================================== -------------------------------------------------------- AGAIN? -------------------------------------------------------- By Seth T. Ross *** "Three things are to be looked to in a building: that it stand on the right spot; that it be securely founded; that it be successfully executed." - Johann Wolfgang Von Goethe, Elective Affinities, 1808 *** Security Magazine's July 2000 cover story featured soaring images of the World Trade Center (WTC) with the large-type headline: "Never Again: The World Trade Center fights against the threat of terrorism with one of the most sophisticated security systems in the world". The article touts the $60 million response to the 1993 car-bombing at the WTC, including the installation of bullet-resistant guard booths, anti-ram barriers, bomb-sniffing dogs, a stopped vehicle detection system, 15 miles of fiber optics to carry security transmissions, redundant emergency power, and more. Security planners were meticulous and thorough in creating a "closed building" under complete access control; they implemented the best security systems that money can buy. On September 11, 2001, airplane hijackers were able to defeat the original security design of the WTC, the additional post-1993 security measures, and several different layers of national security defenses -- including border security, immigration security, intelligence, air defense, and airport security -- in order to stage a devastating attack that killed 2750 people and caused the total destruction of the WTC site in New York City, including the World Trade Center office towers, commercial and governmental low-rise buildings, and the hotel, as well as the underground concourse, PATH terminal, and subway stations. This infamous event occurred despite significant investments in physical security and access control. Terrorists have clearly fixated on the WTC target, and it's safe to assume that whatever replaces the World Trade Center will be a prime target for a third attack. A complete reckoning of the threats faced by a rebuilt WTC site is beyond the scope of this essay. There is no doubt, however, that the design of a new WTC must account for the active threat model posed by terrorists, who have demonstrated the willingness and capability to use both cars and airplanes as bombs. A good argument can be made that it is reckless to rebuild the World Trade Center before the breakdowns in security and life safety that caused the massive loss of life in 2001 are identified and appropriate countermeasures are put in place. The idea would be wait for the results of ongoing investigations by the 9/11 Commission[1] and the National Institute of Standards and Technology (NIST)[2] and then incorporate the findings as requirements for the new site design. NIST, for example, is conducting detailed investigations into relevant topics such as the Computational Mechanics for Aircraft Impact Analysis and the Thermal-Structural Analysis of Structural Systems Exposed to Fire.[3] This may be a good argument, but it is not a popular one, at least not among the half dozen or so New Yorkers to whom I've mentioned it. There is a widely held sentiment that, unless the center is rebuilt and life returns to normal as soon as possible, somehow the terrorists will have "won". Unfortunately, by any measure, the terrorists "won" the battle fought on September 11, 2001. Then there's the argument that rebuilding the WTC is an immediate economic necessity. Realistically, the economic recession has ensured a surplus of high-rise office space in Manhattan -- for the time being, it's uncertain who might rent space in a future WTC. Finally, there's the argument that it's futile to even try to prevent or reduce the harm from airplanes flying into buildings. Yet, special strengthening features are routinely incorporated into the design of defense facilities, nuclear power plants, overseas embassies, and other buildings that face a similar active threat model. The Pentagon was also hit by a jet on 9/11, but there were far fewer casualties -- this hardened facility was back in business the same day. While the rush to rebuild the World Trade Center is understandable on political grounds -- New York Governor George Pataki wants a groundbreaking ceremony timed to the 2004 Republican National Convention in Manhattan -- the rebuilding process is beginning to look like a security wipeout of historic proportions. No one can reasonably argue that a fortress should replace the twin towers. But rather than pretend the threat doesn't exist, it would be far more reasonable to complete the analysis of the 9/11 security and building failures before committing to a new site design. It may not be practicable to prevent a large jet from flying into WTC II, or to build so that the jet would not cause complete building failure, but perhaps it would be possible to build with enough hardening and fireproofing to keep the buildings up long enough to evacuate. And to design dispersed emergency exits so that a single point of failure does not trap thousands of people in the upper stories. MIT Professor Thomas Eagar has spoken eloquently to the need to find a middle ground between the rush to rebuild and security hardening: If we were to harden everything against a terrorist attack, we'd push ourselves back into the first half of the 19th century in terms of living style. Now, some people might consider that an improvement, but not everybody, so society has some important tradeoffs here. There's got to be some middle ground where we can make things more secure but not destroy our standard of living.[4] The good news is that, despite the rush to rebuild, there is still time to analyze the 9/11 breakdowns in security and for the architects and builders of the reborn World Trade Center site to make the adjustments in their security designs appropriate the threat model, to reach a middle ground between security and practicality. See you next issue. 'Til then, keep your guard up. REFERENCES [1] See http://www.9-11commission.gov/ A preliminary report can be found at http://www.house.gov/science/hot/wtc/wtcreport.htm [2] See http://wtc.nist.gov/ [3] See http://wtc.nist.gov/solicitations/awards0322.htm [4] See http://www.pbs.org/wgbh/nova/wtc/collapse2.html For general 9/11 info: http://www.wikipedia.org/wiki/September_11,_2001_Terrorist_Attack =============================================================== ABOUT THIS NEWSLETTER The Securius Newsletter is published by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/ You can find our archive of back issues at http://www.securius.com/ SUBSCRIBING/UNSUBSCRIBING To unsubscribe from this newsletter, send an email to leave-securius-nl@lists.securius.com To subscribe to this newsletter, send an email to join-securius-nl@lists.securius.com FEEDBACK OR QUESTIONS Write the author, Seth T. Ross sross@pcguardian.com PC Guardian 1133 East Francisco Blvd. San Rafael, CA 94901 US ABOUT THE AUTHOR Seth is the Chief Strategy Officer at PC Guardian and author of the book, _UNIX System Security Tools_ (McGraw-Hill 1999): http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20 SPECIAL THANKS TO Emily Navarre, editor extraordinaire FORWARD THIS MAIL RIGHT NOW Please take a moment and forward this newsletter to a colleague or friend. =============================================================== Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included. Copyright 2003 PC Guardian. All rights reserved.