
ICG Risk Blog - [ Risk Containment and Pricing Public ]

The Mu shu pork Index for predicting Chinese propagation of inflation


If you manufacture product in China as part of your global supply chain or purchase Chinese products for inclusion into your manufacturing or processing efforts, you should pay attention to what we are calling the Mu Shu Pork Index in the spirit of the Economist's Big Mac Index (1986) and Starbucks Tall Latte Index (2004). But whereas the Big Mac and Starbucks Indices are based on the theory of purchasing-power parity (PPP) that argues that exchange rates will, over time, equalize the price of identical baskets of goods and services in any two countries, our Mu shu Index will define a basket of effects that will flush rising costs and inflation through the Chinese economy and out into the global supply chain that absorbs Chinese product.

End of the low cost, labor intensive inflationary brake

The intersection of a litany of Chinese adulterations and contaminations of pharmaceuticals, foodstuffs and commodities with the skyrocketing cost of pork, the meat staple of the Chinese diet, all set against unease in the bond markets, triggered the need for an inflation index that could be propagated globally.

With the global economy expanding at a robust pace, and prices rising in fast-developing countries like India and Mexico, central bankers and investors are becoming concerned. Interest rates are inching up in the United States and Europe as lenders demand that borrowers pay more to offset the erosion of buying power over time...

Heavy investments in new factories, roads, rail lines and ports have helped limit inflation until now in manufactured goods, as productivity improvements mostly offset rising wages and higher prices for food, oil and metals. Economists and business executives say that manufacturers face growing pressure to raise prices as well, particularly with the torrent of money pouring into China, which has helped push up the prices of Chinese stocks and real estate.

Prosperity-driven consumption, wage inflation and commodity increases have driven up prices for Chinese pork, chicken, fish, beef and eggs, but pork's rise has been so great that the CCP was taken by surprise, ordering municipal subsidies on pork purchases. (In less than two months (March-April), live pig prices rose over 70% while pork was up almost 30%, both continuing to rise into May. Meat prices alone are contributing one percent to the inflation rate.) Inflation is back in China, driving up wages and resource costs, and will shortly drive up export prices; China's low cost, labor intensive market is about to come to an end, removing a brake on US/EU inflation.

Cost cutting by other means; Cutting corners is an open secret in China

Pork is not the only inflation driver. Removing thinly veiled dysfunctions and dangerous shortcuts in Chinese supply chains will add cost.

"We're now learning some of the dirty secrets behind this fast-growing economy," said Wang Fei-ling, a professor of international affairs at the Georgia Institute of Technology. "And the dirty secret is they're cutting corners in making things."

Students of the Chinese manufacturing environment find such comments naive or at least inattentive to facts on the ground. Cutting corners has been a general manufacturing characteristic of Chinese firms even at the higher end, the automotive market and its associated components. Whereas processes such as APQP (Advanced Product Quality Planning) have long been standard in the North American and European market, US/EU Tier One automotive suppliers often talk of having to endure "good enough" production where the Chinese manufacturer decides what is good enough - and where it cannot be seen, notably in materials, coatings and plating - components have an increasingly high probability of being far from 'good enough.' In conference after conference on Chinese manufacturing, one hears firms lamenting that good Chinese suppliers are either hard to find, if they are skilled (as their production capacity is already saturated), or, if they are not, require patient and expensive training before a reliable product stream is produced. (And once you've trained them, they are likely to shift away from you to other clients willing to buy your training at a discount.)

The aforementioned does not mean that the Chinese are incapable of superb production; far from it, especially in a national security environment. In an analogous condition, one remembers Russian manufacturing technology in early MIG-21 Fishbed fighters, which often resembled what we liked to call 'rusty beer cans', yet the same aircraft's afterburner ceramic coatings (which suppressed the ionized gas plume detectable by VHF search radars) were state of the art. China is capable of world class production; this article is addressing commonly available Chinese commercial manufacturing and processing.

The PRC has certainly attempted to portray two Chinese firms, Xuzhou Anying Biologic Technology Development Company and Binzhou Futian Biology Technology Company, found to be exporting melamine-tainted wheat flour to the US, as "rogue companies," or "special individual cases" in a largely well-managed export industry, but such an effort to box the breach "seems quite at odds with local Chinese agricultural industry executives:"

In recent weeks, they have said in interviews that for years producers and feed makers have either used melamine in animal feed, sold it to animal and fish feed producers or knew of the sale and use of melamine in animal feed. Interviews with animal feed producers, melamine makers and melamine and feed traders suggested that it was a widespread practice to mix melamine into feed to deceive buyers into thinking they were getting higher-protein meal.

Most of the people interviewed said they did not believe that the practice was illegal or that melamine was toxic in animals or humans; the melamine was simply filler, most of them said, a way of earning extra profits. They did say, however, that it was also mixed secretly, otherwise buyers would know they were being cheated out of protein. "Our clients who buy melamine scrap to make animal feed are mainly from Shandong Province," Qin Huaizhen, manager of the Gaocheng Shunkai Chemical Factory in Hebei Province, said two weeks ago. "They use melamine scrap to produce fish, chicken and other animal feed." He went on to add: "Clients use it to boost the protein level."

Be it ethylene glycol in cough syrup, melamine contamination in pet food, or lead in baby bibs and children's rings, Chinese firms have more to overcome than fears of "Made in China" morphing into "Buyer Beware." Their manufacturing costs will have to rise as they remove the short cuts. Old habits will die hard, province by province, city by city and plant by plant. The omens are not good: Chinese denials and information embargoes in the melamine contamination replicated those seen during the SARS and avian flu outbreaks, and counterfeiters continue to follow industrial polluters into the interior of China in order to avoid exposure.

"Basically, for entrepreneurs, if something is not explicitly banned - it's not banned... As long as people are not sick or dying, it's O.K."

I predict that this correction will have a very long tail throughout the greater Chinese supply chain whose exports are currently pegged at over one trillion USD per annum, a tail that will affect many of the prosaic industrial, consumer and food items that populate the global supply chain.

What happens in the place of low cost labor products

Low skill, low wage jobs will shift to value-add, high skill industries. Here is one that will further upset existing OEM and Tier One suppliers in Asia, North America and Europe:

China's auto parts exports have increased more than sixfold in the last five years, nearly topping $1 billion in April and emerging as one of the fastest-growing categories of Chinese industrial products sold overseas. More than half of these auto parts go to the United States; most of the rest to Europe and Japan.

The rise of Chinese auto parts exports is part of a much broader shift. China is moving up from basic goods like textiles, toys and shoes and toward higher-value industrial goods that pay better wages - but also compete more directly with products from countries like Mexico and even from advanced industrialized countries like the United States...

Soaring output at auto assembly plants in China is generating enormous demand for auto parts and creating the economies of large-scale production previously possible only in North America, Europe and Japan. And with at least a half-dozen Chinese automakers planning to start exporting in the next few years, Chinese auto parts will soon be going overseas not just in crates, but as part of fully assembled cars.

Multinational automakers set virtually the same quality standards for their operations all over the world. They are working closely with Chinese parts companies to help them meet these standards; once they do, they are allowed to submit bids for supplying factories elsewhere.

Readers are referred to Sean McAlinden's work on the auto sector, two of which are cited here and here, for the impact of that industrial migration on US/EU OEMs and their suppliers. They will fondly remember the time when declining market share and inflation were their principal concerns. It will be instructive to construct the Mu shu basket.

UPDATE: Observation from a skilled senior operational staffer at a large Tier One with whom we have had ongoing discussions on IP protection methods for four plus years: "This [inflation] is to be expected."

My reply: "To the thoughtful, yes, but for those who ran to, or were driven to, China with the sole goal of low cost piece part pricing [leaving aside direct and indirect transportation costs due to delays, port crowding, lack of bottoms, etc.], this cost-up will come as a shock without an effective response." We discussed the similarity in the purchasing efforts of both GM and Ford which had driven suppliers to China purely to achieve lower piece part costs. He agreed with my assessment that those supply chains, and the suppliers therein, will face heightened vulnerability as they are unable to continue to meet cost-down demands, maintain margins, hold/build revenues and likely loan covenants from their banks.

Rise in China's Pork Prices Signals End to Cheap Output
New York Times
June 8, 2007

Yields on Treasuries Climb; Shares Tumble Again
New York Times
June 8, 2007

China to Revise Rules on Food and Drug Safety
New York Times
June 7, 2007

Chinese Auto Parts Enter the Global Market
New York Times
June 7, 2007

When Fakery Turns Fatal
New York Times
June 5, 2007

China Sentences Former Drug Regulator to Death
New York Times
May 29, 2007

An Export Boom Suddenly Facing a Quality Crisis
New York Times
May 18, 2007

China Urges U.S. Not to Punish All Food Exporters
New York Times
May 17, 2007

At Shanghai auto show, China carmakers in search of edge
By Keith Bradsher
April 22, 2007

China: Land of opportunity?
Oakland Business Review (Michigan)
November 2, 2006

The Economist
May 25, 2006

There's No Place Like Home: The Geography of Automotive Employment
Presentation to Chicago Federal Reserve Conference on "The New Geography of Auto Production"
Sean P. McAlinden
Center for Automotive Research
April 19, 2006

Coffee cup holds secret to currency forecasts
From Times Online
January 16, 2004

Burgers or beans?
A new theory is percolating through the foreign-exchange markets
From The Economist print edition
Jan 15, 2004


Disaster Deferred: The U.S. "Big 3" and the Labor Cost Squeeze
Glenn Mercer, McKinsey & Company, Inc.
GERPISA Conference
April 2003, Paris

Estimating the New Automotive Value Chain
A Study Prepared for Accenture
Sean P. McAlinden, David J. Andrea
Center for Automotive Research, Altarum Institute
November 2002

Gordon Housworth




US IT infrastructure is as, likely more, vulnerable to active and passive cyberattack than Estonia


'Cyber-collection' versus cyberterrorism

The ongoing organized cyberattack on Estonian state and commercial IT infrastructure is the clearest example of a "cyber Pearl Harbor" - an active attack to disrupt or degrade the capacity of a state to function, to conduct commerce, to defend itself - yet as instructive, even attention grabbing to the thoughtful few, as this active attack is, it is among the smaller risk category of IT cyber risk; the greater risk is the wholesale 'passive' probing and intrusion efforts to reconnoiter infrastructure and steal proprietary/classified information.

Between FY 2005 and 2006, federal assets showed a marked rise in activities involving unauthorized access, improper usage, scans/probes, attempted access, investigation, even denial of service, yet a decrease in malicious code (a condition I believe is due more to spear phishing and other, more intelligent exploits than to lessened activity).

In their fiscal year 2006 financial statement audit reports, 21 of 24 agencies indicated that they had significant weaknesses in information security controls. [The] weaknesses persist in major categories of controls, including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data, and configuration management controls, which provide assurance that only authorized software programs are implemented. An underlying cause for these weaknesses is that agencies have not yet fully implemented agencywide information security programs, which provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded to prevent unauthorized use, disclosure, and modification.

Without a systemic application of a Design Basis Threat (DBT) analysis, I cannot see federal or commercial systems staying ahead of the growing number of attackers and recon efforts; money and attention will be squandered for "feel good security" rising from false practices and vendors' siren recommendations of their particular wares as plugging the gap. See:

Furthermore, most systems are Brownfield legacy or if they are Greenfield they have critical links/access to Brownfield systems. Atop that, most systems are not designed with security in mind. From The defender's dilemma: common threads in exploiting commercial supply networks:

The problem is that the commercial production environment, in this case the "defender," is supremely exploitable, as commercial supply chains are designed around economic efficiency and manufacturing efficiency rather than exploitation security. [Terrorist supply chains, or asymmetrical attacker supply chains, are not built for commercial efficiency but for detection avoidance, at least until the attack is in progress.] Cost and risk rise for the commercial defender as they try to backfill security needs atop a commercial structure. In this situation, it tracks with the difficulty in countering IP theft and diversion unless the process is built in from the onset. In all such environments, it is too easy to ask how often [the target will be attacked] as opposed to if or when.

Readers are encouraged to review my 2005 Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets that highlighted the Chinese Titan Rain intrusion efforts and confirms "our experience that 'cyber-collection' far outranks cyberterrorism":

The black hat community attacking commercial and military targets is as large as it is diverse and global:

  1. State espionage against foreign commercial and military targets
  2. Criminal enterprises focused on money over fame or ideology
  3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)
  4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)
  5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

China enshrined informationalization, the best definition of which is from the Double Tongued Dictionary, into its military doctrine in 2004:

Subsequent analysis has shown that the People's Liberation Army (PLA) pursues a similar outsourcing strategy in its IT (Information Technology) and IP (Intellectual Property) harvesting by using Chinese commercial entities as proactive agents, i.e., your contract engineering house or supplier is also the collector of your proprietary information [private briefing to clients].

In a DOD background briefing for the 2007 Military Power of the People’s Republic of China, a question was raised on "informationization, which sounds quite a bit like our network-centric. Would that be a correct assumption?"

DEFENSE DEPT. OFFICIAL: I would be hesitant to draw a direct parallel, but I think that certainly China's ideas on what informationization is would be informed by their understanding of network-centric warfare. I think when they say informationization, it's really their understanding of how information technology is now a pretty significant component of the modern battlefield. So it's, you know, intelligence, surveillance, reconnaissance, precision strike. So it's the role of information, information systems, information technology. So I'd probably say it's not a direct parallel.

Target Estonia, and only Estonia

Estonia ranks with Scandinavian states in its level of internet integration:

One of the most wired societies in Europe… Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet...

A massive DDoS (Distributed Denial of Service) attack against such a state had the potential to cripple it, incurring costs and interruptions, and raising the risk calculus of potential partners who might do business with it going forward. With Estonian-Russian relations already strained at best, an Estonian action to relocate a Soviet war memorial, the "Bronze Soldier," on 27 April triggered just such a series of attacks within hours. This attack is unique for its lack of criminal motive and the presence of a direct and identifiable nationalistic motive.

While specific Estonian ISPs have been under DDoS attack for months by the Allaple virus, the motive for those attacks is unclear. The April-May DDoS attacks, in contrast, are massive and immediately tied to a causal condition and perpetrator(s). In a stroke, a state's electronic infrastructure was raised to the same level as its sovereign territory and airspace. Estonia's infrastructure - government, banking, ISPs, telecommunications and news agencies - was driven offline, almost completely so outside of the Baltic states and Scandinavia. The Estonian defense ministry ranked the attack on the nation as comparable to 11 September.

There was also precision in the attacks. While Estonia is both a NATO alliance member and an EU member, no NATO systems in Estonia were attacked.

Attack characteristics

Described as a "common-size attack" of 100-200 megabits per second, the Estonian attack is analogous to the Apolo Ohno attack in both size and nationalistic impetus; and similar in size to the 2006 rogue DNS server attack. "Multiple botnets and tools--both botnet-related and not botnet-related" were employed.

Though Estonia is generally cyber-wise, this attack demands substantial numbers of skilled technicians. Estonian ISPs are working with their international ISPs "that give them inbound traffic as well as the attack traffic" in order to push out traffic interdiction, identify root causes and isolate them. Expect changes in botnet locations and sources to retain attack vibrancy; expect variations in sources, traffic and packet types.

Another 'characteristic' of the Estonian attack is its success; for a modest investment in botnets, the attacks have degraded Estonian commercial and governmental operations, registering an effective and highly visible protest. Governments, factions and corporations should expect copycat events. Much larger attacks, blended with multiple payload characteristics, are quite possible.

Stateless quality of active and passive cyber attacks

"If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?" NATO Official

The better DDoS attacks and penetration attacks share a condition common to terrorist groups, namely statelessness, and with it the ambiguity of identifying the culpable state actor and the risk of targeting the innocent. A peer-to-peer botnet can go far in camouflaging its controller. Whereas the first wave of attacks on Estonia largely emanated from Russian servers, including government ones, the second, larger series emanated from a global array of servers.

This stateless nature, in addition to the newness of active statewide cyber attacks, raises many questions that have yet to be codified in international law:

  • What is the cyber equivalent for the death of a nation's citizen?
  • How many of those units constitute grounds for cyber or military retaliation?
  • What is the variance between a cyber and military threshold response?
  • What level of proof is needed to secure international approval?
  • If an attack emanated from within a state, is it a sanctioned state action or a rump action by groups of its or other nationals?
  • What is the appropriate level of response, in kind or otherwise?
  • When does a cyber attack become indistinguishable from a conventional attack? (One might well ask when this question will be considered quaint and rendered moot.)

Answering these questions will not be easy, as the international community has yet to formulate responses to lesser levels of cyber crime and terrorism, much less a massive cyber attack; neither NATO nor the EU has yet defined what constitutes a cyber attack.

US ability to withstand a major active cyber attack

If the federal government is seriously contemplating a 'cyber Pearl Harbor' threat, the unclassified reporting and current asset deployment do not reflect it. Quite the opposite: the current US cyber warfare strategy is seen as "dysfunctional" and a "complete secret to everybody in the loop" by General James Cartwright, US Strategic Commander. Cartwright made this assessment:

  • Cyber warfare strategy divided among three groups: Net Warfare (attack and reconnaissance), Joint Task Force for Global Network Operations (network defense and operations) and Joint Information Operations Warfare Center (electronic warfare)
  • Groups operate independently with poor information sharing
  • Present DOD approach "developed ad-hoc" based on terminal defense, commences action "only after an attack, and takes weeks for a response"
  • Result is a "passive, disjointed approach that undermines the military's cyberspace operations"
  • US not developing cyber intellectual capital at the required rate to address a tiered hierarchy of "hackers, criminals, and nation-states"
  • "DOD must move away from a network defense-oriented cyber architecture [while] cyber reconnaissance, offensive, and defensive capabilities must be integrated and leveraged for maximum effect"

Given that Cartwright was opining in early 2007, it does not give this author comfort that the first federal cyber war exercise, Cyber Storm, carried out in February 2006, had such a relatively positive outcome. (It is moments like this when I remember the counsel of a skilled practitioner who noted that any exercise presided over by political elites must be designed not to fail lest their stewardship be called into doubt.)

Cyber Storm was to provide a "controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance" affecting "Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors." My lack of comfort was not improved by the choice of attacker, a group of "anti-globalization radicals and peace activists" called the Worldwide AntiGlobalization Alliance (WAGA) instead of a substantive Hezbollah or al Qaeda effort, or better yet, the expected swarm attack of a Chinese or Russian cyber offensive. See Informationalization in Chinese military doctrine affects foreign commercial and military assets.

Were the stakes not so high, this lighthearted review might be funny:

The attack scenario detailed in the presentation is a meticulously plotted parade of cyber horribles led by a "well financed" band of leftist radicals who object to U.S. imperialism, aided by sympathetic independent actors… Apparently, no computers were harmed in the making of Cyber Storm. "There were no actual attacks on live networks, no Red Team," the presentation notes. "Players reacted to situation and incident reports according to their regular/normal SOPs." So it was more of a paper exercise. A referee points at someone and yells, "You! Your website is defaced. What do you do?" -- and the organization responds accordingly… And on it goes, with over 800 scenario "injects" over four action-packed days.

Having spun scenarios without limit, Cyber Storm's "Overarching Lessons Learned" offer painful parallels to each of the TOPOFF series simulating large-scale terrorist attacks involving biologic, chemical and radiological WMDs ("diseases are fearsome, hospitals and first responders are overwhelmed, interagency and intra-agency coordination is pummeled while communications in the form of multiple control centers, numerous liaisons, and increasing numbers of response teams merely complicate the emergency response effort"). See Bioterrorism Drill TOPOFF 2 -- Failing to think like al Qaeda & relearning old lessons and Katrina as an "incident of national significance" puts the lie to DHS scenario planning for terrorist event preparation.

Who could be surprised by these lessons learned? They could describe any large bureaucracy under stress, perhaps even their daily environment:

  • Correlation of multiple incidents is challenging at all levels:
    • Within enterprises / organizations
    • Across critical infrastructure sectors
    • Between states, federal agencies and countries
    • Bridging the public-private sector divide
  • Communication provides the foundation for response
  • Processes and procedures must address communication protocols, means and methods
    • Collaboration on vulnerabilities is rapidly becoming required
    • Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
  • Coordination of response is time critical
    • Cross-sector touch points, key organizations, and SOPs must be worked out in advance
    • Coordination between public-private sectors must include well articulated roles and responsibilities

A way forward

USAF (Air Force) is undertaking what I believe is some long overdue consolidation, removing all ISR (intelligence, surveillance and reconnaissance) from the operations community and consolidating them under the intelligence directorate (A2), and standing up a Cyber Command based on 8th Air Force infrastructure capable of seeing "Cyberspace [as] a fighting domain where the principles of war do apply."

If the US was confronted with a major cyber attack against critical IT infrastructure, DoD is said to be "prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source" but I am not sanguine. "The primary group responsible for analyzing the need for any cyber counterstrike is the National Cyber Response Coordination Group (NCRCG)" whose key members are US-CERT, DoJ and DoD. But it appears that a coordinated response remains a work in progress:

The NCRCG's three co-chairs acknowledge it’s not simple coordinating communications and information-gathering across government and industry even in the best of circumstances, much less if a significant portion of the Internet or traditional voice communications were suddenly struck down. But they asserted the NCRCG is "ready to stand up" to confront a catastrophic cyber-event to defend the country.

I think it accurate to say that interagency coordination and response, together with coordination with the private sector, which manages much of US IT infrastructure, has yet to be tested; Cyber Storm's next event should inject realism over rainbow scenarios. At the moment, US Strategic Command will issue a counterattack recommendation to POTUS:

In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the [US] would consider launching a counterattack or bombing the source of the cyberattack [but] the preferred route would be warning the source to shut down the attack before a military response.

Given that initiating a cyber counterattack will currently violate the Computer Fraud and Abuse Act, we have a long road ahead.

Double Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

War Fears Turn Digital After Data Siege in Estonia
New York Times
May 29, 2007

Cyberattack in Estonia--what it really means
Arbor Networks' Jose Nazario takes stock of the denial-of-service attack against the Baltic nation--and the wider implications.
By Robert Vamosi

May 29, 2007, 4:00 AM PDT

Air Force examines its vulnerability to cyberattack
BY Sebastian Sprenger
May 29, 2007

Feds take 'cyber Pearl Harbor' seriously
BY Jason Miller
Published on May 28, 2007

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
Sumner Lemon
IDG News Service
May 28, 2007 10:00 AM PDT

DoD: China seeking to project military power
By William H. McMichael - Staff writer
Marine Times
Posted : Friday May 25, 2007 16:11:31 EDT

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials May 25, 2007
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People’s Republic of China
Office of the Secretary of Defense

Cyber Assaults on Estonia Typify a New Battle Tactic
By Peter Finn
Washington Post
May 19, 2007

Estonian DDoS Attacks - A summary to date
by Jose Nazario
Security to the Core
Posted on Thursday, May 17, 2007

NATO concerned over cyber attacks on Estonia, possible impact on alliance
Associated Press/IHT
May 17, 2007

Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
AFP/Sydney Morning Herald
May 16, 2007 - 12:05PM

Russia accused of unleashing cyberwar to disable Estonia
· Parliament, ministries, banks, media targeted
· Nato experts sent in to strengthen defences
Ian Traynor in Brussels
May 17, 2007
The Guardian

A cyber-riot
The Economist
May 10, 2007

INFORMATION SECURITY: Persistent Weaknesses Highlight Need for Further Improvement
Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives
Statement of Gregory C. Wilshusen and David A. Powner
April 19, 2007

Black Hat: Botnets Go One-on-One
Kelly Jackson Higgins
Dark Reading
FEBRUARY 22, 2007

Cartwright: Cyber warfare strategy ‘dysfunctional’
BY Josh Rogin
Published on Feb. 9, 2007

RSA - US cyber counterattack: Bomb one way or the other
Ellen Messmer
Friday, February 9, 2007

Blue Force Tracker for cyberspace?
BY Josh Rogin
Jan. 25, 2007

Air Force to reorganize intell community
BY Josh Rogin
Published on Jan. 12, 2007

When Hippies Turn to Cyber Terror
By Kevin Poulsen
Wired Blog 27B Stroke 6
August 15, 2006 | 12:27:58 AM

Report: Hackers engage in vulnerability auctions
BY Rutrell Yasin
July 12, 2006

National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006

Military Power of the People’s Republic of China
Office of the Secretary of Defense

Risk management critical for FISMA success
Experts say IGs, execs must agree on common enforcement and audits
BY Michael Arnone
March 13, 2006

China Investing in Information Warfare Technology, Doctrine
By Kathleen T. Rhem
American Forces Press Service
July 20, 2005

The Military Power of the People’s Republic of China
Office of the Secretary of Defense

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



Informationalization in Chinese military doctrine affects foreign commercial and military assets


Informationalization, the computerization of business, industry, and military, has entered Chinese military thinking in earnest, affecting both foreign commercial and military assets. US and EU commercial assets have already suffered serious predation from Chinese military assets and Chinese commercial assets operating under military direction.

In the absence of a US counter-cyber warfare strategy, Chinese IT technologists enter all but the most secure US systems, exceeding the limits of passive examination and surveillance. Naval Network Warfare Command (Netwarcom) and others observe:

  • Chinese attacks "far outstrip other attackers in terms of volume, proficiency and sophistication, [the conflict having] reached the level of a campaign-style, force-on-force engagement"
  • "Motives of Chinese hackers run the gamut, including technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action"
  • Chinese employ complex, parallel attacks including using a virus plant "as a distraction and then come in 'slow and low' to hide in a system while the monitors are distracted... spear phishing, sending deceptive mass e-mail messages to lure DOD users into clicking on a malicious URL, [and innovative implementations] of more traditional hacking methods, such as Trojan horse viruses and worms"
  • Attacks are so deliberate, "it's hard to believe it's not [Chinese] government-driven"

Shifting from 'passive' to active cyberwarfare, the PRC intends to "be able to win an 'informationized war'" by 2050. Where technology continues to outstrip policy, the advantage goes to the agile actor able to pierce regulatory and technical barriers.

In reverse order, I have gathered together the pertinent information warfare snippets from the 2007, 2006 and 2005 annual Military Power of the People's Republic of China reports, which outline the significant leaps China has made in both conceptual thinking and implementation:


The 2007 Military Power of the People's Republic of China cites active and passive Chinese cyberwarfare in two chapters:

Chapter Four, Force Modernization Goals and Trends:

Information Warfare. There has been much writing on information warfare among China's military thinkers, who indicate a strong conceptual understanding of its methods and uses. For example, a November 2006 Liberation Army Daily commentator argued:

[The] mechanism to get the upper hand of the enemy in a war under conditions of informatization finds prominent expression in whether or not we are capable of using various means to obtain information and of ensuring the effective circulation of information; whether or not we are capable of making full use of the permeability, sharable property, and connection of information to realize the organic merging of materials, energy, and information to form a combined fighting strength; [and,] whether or not we are capable of applying effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment.

The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and computer network operations (CNO). China's CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving "electromagnetic dominance" early in a conflict. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to prescribe the use of electronic warfare, CNO, and kinetic strikes to disrupt battlefield network information systems.

The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.

Chapter Six, Force Modernization and Security in the Taiwan Strait:

Beijing's Courses of Action Against Taiwan

Limited Force Options. A limited military campaign could include computer network attacks against Taiwan's political, military, and economic infrastructure to undermine the Taiwan population's confidence in its leadership. PLA special operations forces infiltrated into Taiwan could conduct acts of economic, political, and military sabotage. Beijing might also employ SRBM, special operations forces, and air strikes against air fields, radars, and communications facilities on Taiwan as "nonwar" uses of force to push the Taiwan leadership toward accommodation. The apparent belief that significant kinetic attacks on Taiwan would pass below the threshold of war underscores the risk of Beijing making a catastrophic miscalculation leading to a major unintended military conflict.


This is consistent with the 2006 Military Power of the People's Republic of China which described Chinese IT warfare preparation as follows:

Chapter Five, Force Modernization Goals and Trends:

Formation of Information Warfare Reserve and Militia Units

The Chinese press has discussed the formation of information warfare units in the militia and reserve since at least the year 2000. Personnel for such units would have expertise in computer technology and would be drawn from academies, institutes, and information technology industries. In 2003, an article in a PLA professional journal stated "coastal militia should fully exploit its local information technology advantage and actively perform the information support mission of seizing information superiority."

Militia/reserve personnel would make civilian computer expertise and equipment available to support PLA military training and operations, including "sea crossing," or amphibious assault operations. During a military contingency, information warfare units could support active PLA forces by conducting "hacker attacks" and network intrusions, or other forms of "cyber" warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks.

The PLA is experimenting with strategy, doctrine, and tactics for information warfare, as well as integrating militia and reserve units into regular military operations. These units reportedly participate with regular forces in training and exercises.

Exploiting Information Warfare

The PLA considers active offense to be the most important requirement for information warfare to destroy or disrupt an adversary's capability to receive and process data. Launched mainly by remote combat and covert methods, the PLA could employ information warfare preemptively to gain the initiative in a crisis.

Specified information warfare objectives include the targeting and destruction of an enemy's command system, shortening the duration of war, minimizing casualties on both sides, enhancing operational efficiency, reducing effects on domestic populations and gaining support from the international community.

The PLA's information warfare practices also reflect investment in electronic countermeasures and defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators).

Computer Network Operations. China's computer network operations (CNO) include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to seize the initiative and achieve "electromagnetic dominance" early in a conflict, and as a force multiplier. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to outline the integrated use of electronic warfare, CNO, and limited kinetic strikes against key C4 nodes to disrupt the enemy's battlefield network information systems. The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. The PLA has increased the role of CNO in its military exercises. For example, exercises in 2005 began to incorporate offensive operations, primarily in first strikes against enemy networks.


The 2005 Military Power of the People's Republic of China identified Informationalization as a key element of Chinese Military Doctrine in all its aspects:

Developments in Chinese Military Doctrine

  • China's latest Defense White Paper deployed authoritatively a new doctrinal term to describe future wars the PLA must be prepared to fight: "local wars under conditions of informationalization." This term acknowledges the PLA's emphasis on information technology as a force multiplier and reflects the PLA's understanding of the implications of the revolution in military affairs on the modern battlefield.
  • The PLA continues to improve its potential for joint operations by developing a modern, integrated command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) network and institutional changes.
  • During 2004, the PLA began to integrate military and civilian suppliers in the procurement system and outsourced a number of previously military jobs to civilian industry. The PLA is placing greater emphasis on the mobilization of the economy, both in peacetime and in war, to support national defense...

Perceptions of Modern Warfare and U.S. Defense Transformation

China observes closely foreign military campaigns and defense modernization initiatives. The United States factors heavily in these observations as a model of how a modern military engages in modern warfare. China draws from U.S. military operations by adopting or emulating lessons in some areas, and in others, by identifying exploitable vulnerabilities in potential high-tech adversaries. In addition, U.S. defense transformation, as demonstrated by recent U.S. operations, has highlighted to China the expanding technological gap between modern military forces and those of developing countries. The 2004 Defense White Paper identifies the "technological gap resulting from the revolution in military affairs" as having a "major impact on China's security." These concerns have prompted China's leaders, including President Hu Jintao, to order the PLA to pursue "leap ahead" technologies and "informationalized" capabilities to increase the mobility, firepower, and precision of PLA weapons and equipment.

Operation DESERT STORM (1991) was a primary motivator behind China's efforts to prepare for future warfare. The PLA noted that the rapid defeat of Iraqi forces revealed how vulnerable China would be in a modern war. The Gulf War drove the PLA to update doctrine for joint and combined operations to reflect modern warfare and to accelerate reform and modernization. The Gulf War also spurred PLA debates on the implications of the revolution in military affairs, and led China to seek modern C4ISR and to develop new information warfare, air defense, precision strike, and logistics capabilities...

Observations of Operation IRAQI FREEDOM
In May 2003, PLA Deputy Chief of the General Staff Xiong Guangkai authored an article assessing the broad implications of Operation IRAQI FREEDOM for Chinese assessments of modern war. Some of his more salient observations follow:
-- On gleaning lessons from coalition operations: ". . . the trend of new military changes is developing rapidly in the world, and the recent Iraq war has reflected this trend. We should not only profoundly research and analyze this trend but also actively push forward military changes with Chinese characteristics according to our country's actual conditions." ...

Double-Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
Sumner Lemon
IDG News Service
May 28, 2007 10:00 AM PDT

DoD: China seeking to project military power
By William H. McMichael - Staff writer
Marine Times
Posted : Friday May 25, 2007 16:11:31 EDT

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials May 25, 2007
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People's Republic of China
Office of the Secretary of Defense

Cyber officials: Chinese hackers attack 'anything and everything'
BY Josh Rogin
Published on Feb. 13, 2007

Military Power of the People's Republic of China
Office of the Secretary of Defense

The Military Power of the People's Republic of China
Office of the Secretary of Defense

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



Think Dust Bowl and California, or Black Death and London, not Katrina and Texas, in response to pandemic migration


In an ongoing discussion of pandemic preparation (see State of H5N1 Avian flu (Un)preparedness), I'd flagged The science of New Orleans: Getting out of town alive as pointing to similar demands on those attempting to avoid pandemic hotspots, to which a colleague asked, "Do you envision an evacuation as a response to Avian Flu? Would we be safer to hunker down or head out to our vacation cottage or at Aunt Myra's in East Fork? Is this what we mean by social distancing?"

I replied that I do not envision "an evacuation" as in a single or large-scale federally sponsored event, but rather an uncontrolled series of evacuations, large and small, initiated by individuals and heads of families. Nations do not evacuate willingly, for many of the reasons we saw in Katrina:

  • Protracted political decision process between federal and state to evacuate
  • Ensuring the mechanics of arranging personnel and assets to perform the evacuation
  • Siting in-transit provisioning of assets such as gas, food and restrooms
  • Willing state or federal recipients at the evacuation terminus
  • Arranging return of evacuees
  • Ability to do some or all of the above under emergency or crisis conditions

I wrote a Katrina series in 2005, of which part 2, Repeating systemic faults of Katrina in Rita, impacts this conversation:

In an attempt to avoid a repeat of the mistakes of Katrina (here, here and here) that left local authorities and police with little choice but to break the law in order to do their job, FEMA calls for mass evacuations from threatened coastal areas. With an estimated 1.8 million or more Texas and Louisiana residents under evacuation orders, hundreds of thousands of Houston residents attempted to move inland, primarily north and west, in what quickly became mass gridlock crawling at 'hours per mile' instead of miles per hour. Apparently no one thought of the secondary and tertiary effects of setting such mass flight in progress.

The triggering call in a pandemic may not be a FEMA call but an accumulation of smaller events that may escape federal and state notice until people are in motion. My first assumption is that, all things considered, motion will be a mixture of reflex, custom, history and access. A colleague's comment about retiring to the vacation cottage is an example as might be the historic Boston notion of sending its women and children north and west to higher elevation in order to escape the summer ills.

Katrina was an example of federal fecklessness and ultimate state assumption of responsibility. Consider the consequences if, for example, Texas had refused rather than facilitated evacuation and resettlement of Katrina evacuees. In the case of Katrina, by the time an organized evacuation was underway of those who could not leave of their own volition, the evacuees were seen as disadvantaged, generally poor and not in peak health, but not thought of as diseased and infectious.

In case of a pandemic, think of the 1930s Dust Bowl rather than Katrina: individual family migrations were intercepted and turned back, by force if necessary. Substitute California for Texas:

The Dust Bowl exodus was the largest migration in American history. By 1940, 2.5 million people had moved out of the Plains states; of those, 200,000 moved to California. When they reached the border, they did not receive a warm welcome, as described in this 1935 excerpt from Collier's magazine. "Very erect and primly severe, [a man] addressed the slumped driver of a rolling wreck that screamed from every hinge, bearing and coupling. 'California's relief rolls are overcrowded now. No use to come farther,' he cried. The half-collapsed driver ignored him -- merely turned his head to be sure his numerous family was still with him. They were so tightly wedged in, that escape was impossible. 'There really is nothing for you here,' the neat trooperish young man went on. 'Nothing, really nothing.' And the forlorn man on the moaning car looked at him, dull, emotionless, incredibly weary, and said: 'So? Well, you ought to see what they got where I come from.' "

The Los Angeles police chief went so far as to send 125 policemen to act as bouncers at the state border, turning away "undesirables". Called "the bum brigade," by the press and the object of a lawsuit by the American Civil Liberties Union, the LAPD posse was recalled only when the use of city funds for this work was questioned...

As roadside camps of poverty-stricken migrants proliferated, growers pressured sheriffs to break them up. Groups of vigilantes beat up migrants, accusing them of being Communists, and burned their shacks to the ground.

Had not Roosevelt intervened, things could have become much worse, much as they did in England during its plague epidemics:

In 1563, London experienced another outbreak of plague, considered one of the worst incidences of plague ever seen in the city. The bubonic plague took almost 80,000 lives, between one quarter and one third of London's population at that time. Statistics show that 1000 people died weekly in mid-August, 1600 per week in September, and 1800 per week in October.

Fleeing from the cities and towns was common, especially by wealthy families who had country homes. Queen Elizabeth I was no exception. She took great precaution to protect herself and the court from plague. When plague broke out in London in 1563, Elizabeth moved her court to Windsor Castle. She erected gallows and ordered that anyone coming from London was to be hanged. She also prohibited the import of goods as a measure to prevent the spread of plague to her court.

Later, in 1578, when plague broke out once again, Elizabeth took action. This time she ordered physicians to produce cures and preventative medicine. Also, most public assemblies were outlawed. All taverns, plays, and ale-houses were ordered closed.

Many smaller villages and hamlets imitated court practice, barricading themselves against travelers. Despite this resistance, people moved then and will do so in a current pandemic, i.e., some people will move in an attempt to better their condition while others will see their betterment in obstructing that movement. I also look to series such as SAMP (Southern African Migration Project) for xenophobic responses to migration. (See here and here.) Van Heerden, for example, has an interesting diagram of factors influencing "disease, fatalities, injuries, epidemiology, toxicology, sociology and environmental health" in COASTAL LAND LOSS: HURRICANES AND NEW ORLEANS that I would like to see adapted to pandemic evacuation.

The nature of a pandemic will transmogrify in unpredicted ways that defy pat scenario response analysis, but that does not excuse federal and state entities from considering the impacts of evacuations that degrade transportation arteries otherwise assumed open to state and federal initiatives for dealing with a pandemic.

The travel page (with links to state pages) of the Department of Health and Human Services (HHS) Pandemic Flu page is about as helpful as it gets. A cursory read shows the need for thoughtful individual and community effort as it is unlikely that federal assets will be uniformly available to respond to support requests. See The Need For Personal And Community Preparedness, Preparing for Persuasion and Lessons From Katrina.

The travel industry is planning; the American Hotel & Lodging Association (AH&LA) is one member of the travel community that is already thinking about a flu pandemic, and well they should, as their members will be on the front lines of dislocated travelers:

AH&LA is tracking this issue very closely and providing members with the most current information available... AH&LA's Loss Prevention Committee is coordinating with government agencies on industry-wide efforts. AH&LA has established contact with key leaders at HHS and other departments to ensure members have all the tools and information they need to ensure the safety of employees and guests in the event that the worst-case scenario develops. While it is impossible to predict when a pandemic will strike, having a plan in place before that happens is the best way to minimize disruptions at your property... Crafting a plan for a flu pandemic is critical to any hotel's emergency preparedness efforts, and now is the time to develop those plans, before final warning signs are detected.

Preparing for Persuasion
Posted by Nedra Weinreich
Pandemic Flu Leadership Blog May 22-June 27
Posted May 25, 2007 at 7:28 am

Lessons From Katrina
Posted by Albert Ruesga
Pandemic Flu Leadership Blog May 22-June 27
Posted May 25, 2007 at 12:55 pm

The science of New Orleans: Getting out of town alive
Posted by Harry Fuller
May 23, 2007 2:51 PM PDT

The Need For Personal And Community Preparedness
Posted by Greg Dworkin
Pandemic Flu Leadership Blog May 22-June 27
Posted May 21, 2007 at 5:46 pm

Unmasking the 1918 Influenza Virus: An Important Step Toward Pandemic Influenza Preparedness
Anthony S. Fauci, Julie L. Gerberding
National Institutes of Health, Centers for Disease Control and Prevention
October 5, 2005

Ivor Ll. van Heerden, Director and Ahmet Binselam, GIS Supervisor
Center for the Study of Public Health Impacts of Hurricanes
Louisiana State University
20 July 2004


Ivor L. van Heerden, Ph.D.
Center for the Study of Public Health Impacts of Hurricanes
LSU Hurricane Center, Louisiana State University, Baton Rouge, LA
July 2004

HIV/AIDS and Children's Migration in South Africa
Migration Policy Series No. 33
Series Editor: Jonathan Crush
Southern African Migration Project (SAMP)

Regionalizing Xenophobia? Citizen Attitudes to Immigration and Refugee Policy in Southern Africa
Migration Policy Series No. 30
Series Editor: Jonathan Crush
Southern African Migration Project (SAMP)

Surviving the Dust Bowl
written and produced by Chana Gazit
co-produced and edited by David Steward
The American Experience, WGBH Boston, Mass.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Risk Containment and Pricing Public  Strategic Risk Public  



Generic elements and process of a Design Basis Threat (DBT) protection system


Part 1, Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering

An international design basis threat (DBT)

The aftermath of the 11 September attack brought renewed urgency to US, EU and Russian efforts to strengthen physical protection of nuclear materials and all nuclear facilities, power and weapons. While Sandia's Jim Blankenship noted that a "Design Basis Threat (DBT) has been used by the United States since the 1970s as the basis for the design and evaluation of a nuclear facility’s physical protection system and as a standard for comparison as the threat changes", the DBT was too often scenario-based rather than procedural - a condition not challenged until the Khobar Towers attack. From Multisourcing: belated recovery of forgotten first principles, part 2:

Scenario-based responses are dangerously omissive, driving clients to extraordinary cost and diversion, often without merit, yet they are prevalent in part because they are simple. They require no procedural rigor or grounding in fact, only the ability to ask "What if?" endlessly, and are virtually ineffective for deterring, deflecting, or interdicting an adversary's preparation.

Witness the July 2005 mass transit bombings in London: the UK had a thirty-year history of dealing with a variety of terrorist attacks and bombings, and the "scenario" and "lessons learned" from the earlier transit attacks in Madrid, Spain, were well known, yet they proved of little benefit to the British in interdicting the London attacks.

Scenario-spinning has no logical end and provides no threat assessment, vulnerability assessment, or risk assessment that would normally be enshrined in a firm’s Governance Model.

Scenarios were an Army staple until the terrorist truck bomb attack along the northern perimeter of Khobar Towers, Dhahran, Saudi Arabia, on June 25, 1996. (Khobar Towers was a facility housing U.S. and allied forces supporting Operation SOUTHERN WATCH, coalition air operations over Iraq.) The report by Wayne A. Downing, General, U.S. Army (Retired) which has become known as the Downing Report (Introductory Letter, Preface and Report), reinvigorated the uphill effort to substitute procedurally consistent threat and vulnerability analyses in place of scenario generation.

Without guiding bounds, scenarios proliferate endlessly, often crippling most well-intended, protective efforts (paralysis by analysis). Defenders must define a coherent view of their risk tolerance before they can craft a response strategy that can reasonably and consistently respond to the threats on offer.

Rising from efforts at Sandia, DoE and the NRC, the "IAEA desired an international approach for a DBT methodology that could be offered to all Member States." By 2002 member states had agreed upon a DBT "international standard model" that reconciled varying approaches as to where "risk" was accommodated.

The DBT has become the basis for the design of the physical protection system (PPS), the evaluation of a PPS under assault and the means to document and absorb future threats. Within this framework, each state can modify "the DBT process to better accommodate their culture, the technical resources of their facilities and authorities, and their regulatory frameworks."

Blankenship paints the need for DBT in bold relief:

  1. If the facility does not know who the adversaries may be and what the adversaries’ resources may be, then the design of the [protection system] probably is inaccurate...
  2. Without a DBT, the evaluator has no objective measure for evaluating the effectiveness of the  [protection system]. This lack could lead to inconsistent evaluations...
  3. [Changes] could not be documented, and in fact might not even be noticed, if there were not a standard DBT created at some point in time, against which the future threats are compared...

Nine steps were recommended for developing, using, and maintaining a DBT:

  1. Identify Roles and Responsibilities of all Organizations
  2. Develop Operating Assumptions for Use with the DBT
  3. Identify the Range of Potential Generic Adversary Threats
  4. Identify an Extensive List of Threat Characteristics
  5. Identify Sources of Threat-related Information
  6. Analyze and Organize Threat-related Information
  7. Develop Threat Assessment and Gain Consensus
  8. Create a National DBT
  9. Introduce the DBT into the Regulatory Framework

The outcome of the first six steps [is] the Threat Assessment (TA) document, which contains a description of the full range of credible threats to the nuclear facilities in the State… This TA is then sent to the competent authority, which implements the State’s regulatory framework and sets policy for the physical security provisions in the State. The competent authority evaluates the risks associated with the DBT, the consequences of a successful attack by the DBT, and the probability of such an attack. The agency knows the State resources that are available or could be made available to counter the DBT. This agency then reduces the threat assessment document to incorporate the risk that the state is willing to accept. This produces a Design Basis Threat (DBT) statement against which the facilities must protect and against which they will be evaluated by the State competent authority.

Redrawing Blankenship's model for added clarity:

Generic elements of a DBT protection system

Axel Hagemann, a GRS (Gesellschaft für Anlagen und Reaktorsicherheit mbH) representative to IAEA undertook a description of DBT for IAEA member states in DBT - Basis for developing a European physical protection concept. Hagemann's DBT procedural descriptions for a state implementation are noted in its appendix which I have attempted to generalize for a corporate setting without losing Hagemann's original presentation model.

The result of Blankenship's threat assessment enters in box 1, having documented an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences:

Generic Elements of a DBT Protection System

The consequences represented in box 2 are defined as the potential level of impact on the interests of the public, the nation, key interest groups and possibly the international community. Consequences can be defined in relation to the class of event derived from the end-items at risk. Concern over potential consequences shapes the policy of the decision-making process in the development of a DBT. That process is represented by diamond 3, the Governance committee's responsibility to decide, together with the definition of the DBT, on the level of protection. The decision represented by diamond 3 can weigh technical, resource, administrative and political concerns, which reduces the influence of emotion on the assessment and provides opportunities to adjust existing definitions of the DBT.

The key elements in the creation of a DBT are threat assessment and decision making considering potential consequences. Threat assessment and decision-making are separate and different processes even though in practice they may be carried out simultaneously. The threat assessment process, and the document that describes the conclusions, scopes all the realistic and credible threats that the Governance committee needs to consider.

Some threats may not be manageable in terms of a DBT because some aspects of the protection system fall outside the responsibility of the Governance committee. These threats are described as being out of scope of the DBT, i.e., "Outside DBT" does not necessarily describe a magnitude of threat above that described in the DBT, but can describe threats that are inappropriate to include in a DBT.

Those threats still need to be accounted for and either ruled out of scope, or other competent authorities need to be involved to define a response. Diamond 13 represents this additional decision-making process, for which the Governance committee is responsible. The decisions symbolized by diamond 13 could be of high relevance if new concepts emerge that were not included in the design basis. The goal is a process that results in acceptable risk, box 14. The Governance committee can, as available, draw on external agencies to provide intelligence and data to support creation of the Threat Assessment and maintenance of the DBT.

The protective envelope shown in box 6 must be designed against the DBT and will be evaluated by the Governance committee using the definition of the DBT. Protection objectives will be specific to the items transiting the system. The security functions in box 8 (detect, deter, deflect, defend and recover) must be designed and evaluated against the DBT.

Responses may be graded or immediate depending upon the current evaluation of the threat, the relative attractiveness and potential of items and the potential consequences associated with diversion of that item. The requirements on the security function "Deter" can vary depending on the desired response time, response capability and method.

Process steps

Threat assessment (box 1): An analysis documenting the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences from diversion of end-items. The result of the threat assessment process describes the credible threats.

Consequences (box 2): The potential level of impact on the interests of the public, nation, key interest groups, and possibly international community.

Decision process (diamond 3): Consideration of the results of the threat assessment, the consequences and the policy leads to definition of the DBT. The corporate Governance committee coordinates the development of a DBT and is responsible for its maintenance.

Outside DBT (box 4): Describes those threats identified in the Threat Assessment that will not be included in the DBT but still remain credible. Threats outside the DBT must be considered and either ruled out of scope as indefensible, or an external authority must be involved to complete the mediation required by the DBT.

Design Basis Threat – DBT (box 5): Describes the attributes and characteristics of potential insider and external adversaries who might attempt acquisition of items deemed sensitive, and against whom a protection system has been designed and evaluated.

Protective envelope (box 6): Describes the total protection against unauthorized acquisition or diversion and will likely require a design that includes procedures, facility design, and hardware.

Specific protection objectives (box 7): Describes the means of protecting items that are moving through the system, and all other items defined as having some risk.

Specific responses (box 8): Describes methods to "Detect" or "Defer" an acquisition of an item or to invoke emergency containment responses as appropriate under the DBT.

Vulnerability assessment and capacity evaluation (box 9): A test of the system’s ability to respond to both the DBT and ongoing threats "in the wild".

Decision process (diamond 10): Represents internal decisions made during the design or evaluation of the protection process to include an evaluation as to whether the specific objectives are achieved. This decision box includes any decision regarding improvement, redesign or post damage crisis management.

Crisis management (box 11): Describes internal post-incident damage control in response to an undesired acquisition of an item.

Internal emergency response (box 12): Describes actions required to mitigate an inadvertent breach or loss of control of an item.

Decision process (diamond 13): Describes a process under which the Governance committee achieves an acceptable level of risk for all items in the DBT.

Acceptable Risk (box 14): Defines acceptable risk in which the term "risk" is used as the likelihood that a threat will be able to affect an undesirable consequence. Risk can be reduced but not eliminated. All the judgments and decisions imply an acceptance of a degree of risk.

External competent authority (diamond 15): Describes how to respond to credible threats not included in the DBT. (The DBT may be revised or extended in this process.)

External authority responsibility (box 16): Describes a class of external action, protection or assistance taken by external authority.

External authority response (box 17): Describes external authority response in support of the corporation.

External security (box 18): Describes measures taken by an external authority in support of the corporation that acknowledge a credible threat as external to the DBT. Any such measures are made in concert with internal emergency response measures.

Use of Design Basis Threat at Department of Energy

It is instructive to consider one of the best practitioners of the Design Basis Threat and Vulnerability Assessment process, the Department of Energy (DOE). DOE is also remarkable in its rigor, and is among the few in and out of government that reject a scenario-based 'threat' definition.

The key component of DOE’s risk-based security practices is the DBT, a classified set of characteristics of potential threats to DOE assets. The DBT traditionally has been based on the Postulated Threat, a classified, multi-agency intelligence community assessment of potential terrorist threats. The DOE DBT considers external threats that include terrorists, criminals, psychotics, disgruntled employees, violent activists, and spies. The DBT also considers internal threats by insiders who have authorized unescorted access within DOE facilities and programs. These insiders may operate alone or in concert with an adversary group, and are routinely considered to provide assistance to a terrorist group noted in the DBT. The DOE generally considers the threat of terrorist groups to be the most demanding threat contained in its DBT.

For over a decade, DOE has employed a risk management approach that seeks to direct resources to its most critical assets (Category I special nuclear material) while mitigating the risks to these assets to an acceptable level. Levels of risk are derived from a mathematical equation that compares a terrorist group’s capabilities with the overall effectiveness of the crucial elements of the site’s protective forces and systems, and then assigned classified numerical values.

DOE counters the terrorist threats noted in the DBT with a multilayered protective system. While specific measures may and do vary among sites, all DOE protective systems at the most sensitive sites employ an in-depth defense that includes sensors, physical barriers, hardened facilities and vaults, and heavily armed paramilitary protective forces equipped with such items as automatic weapons, night vision equipment, body armor, and chemical protective gear. The effectiveness of the protective system is formally and regularly examined through vulnerability assessments.

A vulnerability assessment is a systematic evaluation process in which qualitative and quantitative techniques are applied to detect vulnerabilities and arrive at effective protection of specific assets. To conduct these assessments, DOE uses subject matter experts (SMEs), computer simulated attacks, and force-on-force performance testing in which the site’s protective forces undergo simulated attacks by a group of mock terrorists.

Assessment results are documented at each site in a classified document known as the Site Safeguards and Security Plan which, in addition to identifying known vulnerabilities, risks, and protection strategies for the site, formally acknowledges how much risk the contractor and DOE are willing to accept.

Historically, DOE has striven to keep its most critical assets at a low risk level and may insist on immediate compensatory measures should a significant vulnerability develop that raises risk above a low level. Through a variety of complementary measures, DOE ensures that its safeguards and security policies are being complied with and are performing as intended, e.g., identified high and moderate risks require corrective actions and regular reporting. Response measures can go so far as to curtail operations until the asset can be better protected.

While contractors must perform regular self-assessments and are encouraged to uncover any problems themselves, DOE requires its field offices to comprehensively survey contractors’ operations for safeguards and security annually. All deficiencies identified during surveys and inspections require the contractors to take corrective action.

The DOE’s May 2003 DBT reflected a post-September 11 environment by identifying a larger terrorist threat than did the 1999 DBT and by expanding the range of terrorist objectives to include radiological, biological, and chemical sabotage. Notable issues of the 2003 DOE DBT included an expansion of terrorist characteristics and goals, and an increase in the size of the terrorist group threat:

Expansion of terrorist characteristics and goals: "The 2003 DBT assumes that terrorist groups are the following: well armed and equipped; trained in paramilitary and guerrilla warfare skills and small unit tactics; highly motivated; willing to kill, risk death, or commit suicide; and capable of attacking without warning. Furthermore, according to the 2003 DBT, terrorists might attack a DOE facility for a variety of goals, including the theft of a nuclear weapon, nuclear test device, or special nuclear material; radiological, chemical, or biological sabotage; and the on-site detonation of a nuclear weapon, nuclear test device, or special nuclear material that results in a significant nuclear yield. DOE refers to such a detonation as an improvised nuclear device."

Increase in the size of the terrorist group threat: "The 2003 DBT increases the terrorist threat levels for the theft of the department’s highest value assets—Category I special nuclear materials—although not in a uniform way. Previously, under the 1999 DBT, all DOE sites that possessed any type of Category I special nuclear material were required to defend against a uniform terrorist group composed of a relatively small number of individuals. Under the 2003 DBT, however, the department judged the theft of a nuclear weapon or test device to be more attractive to terrorists, and sites that have these assets are required to defend against a substantially higher number of terrorists than are other sites. For example, a DOE site that, among other things, assembles and disassembles nuclear weapons, is required to defend against a larger terrorist group. Other DOE sites, such as an EM site that stores excess plutonium, only have to defend against a smaller group of terrorists. However, the number of terrorists in the 2003 DBT is larger than the 1999 DBT number. DOE calls this a graded threat approach."

The moral of DBT: a living instrument

The moral is that a DBT must be a continuously maintained instrument, as "Things Change" (as David Mamet so wittily showed in his film of the same name): new attackers with expanded characteristics and goals will appear. Attacker group size may swell unexpectedly, and that includes swarms of seemingly unrelated attackers operating against different parts of one's organization. Higher authority may mandate extended protective strategies. Corporate environments can weaken under stress, sometimes degrading imperceptibly, due to financial pressure, takeover, expansion, new roll-outs or other restructuring.

A Russian Perspective on Cooperation Threat Reduction
Dmitry Kovchegin
BCSIA Discussion Paper 2007-04, Kennedy School of Government,
Harvard University, April 2007

Systems Security Engineering: An Updated Paradigm
John W. Wirsbinski
INCOSE Enchantment Chapter
November 8, 2006

Nuclear Security: DOE Needs to Resolve Significant Issues Before It Fully Meets the New Design Basis Threat
Report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives
April 2004

Using Bilateral Mechanisms to Strengthen Physical Protection Worldwide
Nuclear Terrorism and International Policy
Dr. Edwin Lyman
Union of Concerned Scientists
Institute of Nuclear Materials Management, 2004

Approaches to Design Basis Threat in Russia in the Context of Significant Increase of Terrorist Activity
Dmitry Kovchegin
Presented at the INMM 44th Annual Meeting, Phoenix, Arizona. Conference Paper, 2003

DBT - Basis for developing a European physical protection concept
Axel Hagemann
EUROSAFE, Towards convergence of technical nuclear safety practices in Europe, Paris
Nuclear material security, Seminar 5, p. 59-68
25-26 November 2003

Protection against Sabotage of Nuclear Facilities: Using Morphological Analysis in Revising the Design Basis Threat
Stig Isaksson, Tom Ritchey
Swedish Nuclear Power Inspectorate and Swedish Defence Research Agency
Adaptation of a Paper delivered to the 44th Annual Meeting of the Institute of Nuclear Materials Management - Phoenix, Arizona, July 2003

Jim Blankenship, Sandia National Laboratories
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

List of Papers
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

COMBATING TERRORISM: Threat and Risk Assessments Can Help Prioritize and Target Program Investments
Report to Congressional Requesters
General Accounting Office
April 1998

Gordon Housworth


Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering


Industry absorption of effective metrics for realistic threat and risk analysis in IT is moving far too slowly. A 2003 article, Information security: why the future belongs to the quants, contained a useful metric, Business-adjusted risk (BAR), "for classifying security defects by their vulnerability type, degree of risk, and potential business impact." The BAR used Risk of exploit ("how easily an attacker can exploit a given defect") and Business impact ("the damage that would be sustained if the defect were exploited"). The BAR's use of "relative ratings for both likelihood of occurrence and business impact [allowed it to behave] similarly to insurers’ annual loss expectancy calculations."

Four years on, the quants are still waiting while scenario spinning and FUD continue to flow from the unskilled or the commercially craven; too many members of management, IT included, are among the former while too many security vendors populate the latter. A co-author of that 2003 piece, Andrew Jaquith, has recapitulated and expanded his work in security metrics in Security Metrics: Replacing Fear, Uncertainty, and Doubt, providing a one-stop shop for defining and implementing IT metrics for risk. It has merit to me as the metrics can form inputs to a Design Basis Threat (DBT) calculation for IT in place of the fear mongering from certain security firms. (Expansion for special nuclear material here.) There are threats, numerous and growing, but often not the threats solvable by the security products on offer. Worse, too many firms, Symantec among them, sell products that consume system resources while providing attack windows in their own code. Enterprise clients are generally deprived of a realistic means of identifying and interdicting realistic, often trivial, penetrations of their infrastructure.

I refer readers to The danger of confusing terrorist interdiction with the consequences of terrorist action for the perils inherent in pursuing scenario-based responses, and, as a start, to FEMA 452 - Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks for its introduction to assessment of threat, asset value, vulnerability and risk.

I fear that Jaquith's efforts have been ignored in the main as Escaping the Hamster Wheel of Pain which forms the first chapter of Security Metrics has been around since May 2005 as has his criticism of Symantec (easily 2005) and a useful but overlooked The Vulnerability Supply Chain (also 2005).

Useful metrics have been out there but have not been picked up en masse, but then neither has DBT, especially in its pure form used on the weapons side of DoE as opposed to the scenario laden approach on the nuclear power side. The combination of effective metrics shorn of histrionics with the Design Basis Threat process offers a realistic means to enterprises needing to formulate a cost effective and sustainable defense posture. We are among the few that have successfully applied DBT to Intellectual Property (IP) threats and remediation.

It cannot be overemphasized that the solution to this problem is NOT an Information Technology (IT) solution but IS primarily a Counterterrorism (CT) and Counterintelligence (CI) solution applied to corporate infrastructure, augmented by IT as the CT/CI process demands. Were it solely an IT solution, then one might suppose that this class of problem could be solved at least as often as major IT applications succeed (and, depending upon whose statistics one chooses to accept, some 40 to 60% of large IT solutions either fail, are withdrawn, or are at best suboptimal in their performance). The solution path can only be hinted at in this brief survey; the requisite CT/CI practitioner skill and its understanding of an asymmetric attacker take years to develop (which is one of the reasons that it occurs in so few instances and why the market tolerates so many pretenders, as clients cannot properly estimate the skill set needed to address the problem).

It is also a substantial systems analysis problem. In asking Scott Borg for a current copy of the Cybersecurity Checklist, I noted that I refer clients to his PPT, The New US-CCU Cyber-Security Check List, and its flagged need to address both physical and IT/cybersecurity, but add the following to it:

  • (First I have to describe Ackoff's three laws of systems - people can grasp the first two but the third floors them)
  • Systems fail at their boundaries, and that includes boundaries between components and clusters of components that act as subsystems.
  • Physical and cyber are two of those subsystems; there are many more, all interacting to Ackoff's third law.
  • A check list is a still frame from a motion picture, but people rip the frame, losing the underlying assumptions and context in the process.
  • A check list without a date/time stamp is useless, even dangerous.
  • Process-based threat and vulnerability assessment are key in defining appropriate levels of protection; remediation steps are then pulsed to ensure that they deliver against the threats.
  • Scenario-based defense, while useful in estimating consequences of a particular scenario, is dangerous as it spins out of control, usually missing the fatal payload.
  • Good security is process-based rather than hardware-based (process is 10:1 over hardware, and process comes first as it will define the needed hardware).
  • Defenders never see themselves as attackers do, especially asymmetrical attackers, and so rarely protect the right mix against legitimate threats.
  • Defenders too often look for "peer attackers" instead of a simple asymmetric.

Scott's reply mirrors our own experience:

You are right in pointing out how hard it is for most people to think in terms of dynamic systems and processes.  I like the way you have formulated the problem in your e-mail.  We have been struggling with many of the same issues when it comes to getting people to understand the problems they will increasingly face.

The following is derived from an unclass analysis, Asymmetric Threat Detection in the Material Security Environment, we performed for a DLA unit in 2005. Seasoned practitioners will easily envision frontloading Jaquith's metrics into the threat side of DBT.

Evolving Nature of Threats

Technological surges in many sectors (so many that their collective effect is effectively hidden from many investigators), coupled with globalization and the availability of WME (weapons of mass effect), have changed the risk landscape, most notably in the means needed to address low-probability, high-consequence threats.

Too many fail to properly differentiate threat from risk, i.e., a threat is a source of harm (loss) whereas a risk is the estimation of the likelihood of that harm occurring coupled with the potential impact from its occurrence. Threat assessment is only one aspect of a larger and more complex risk analysis process, yet too many remain fixated on threat analyses as the sole basis of applying protective measures without sufficient attention paid to precision or control in their application.

Too many designs for low-probability, high-impact threat sources tend to skew the design of the security plan to costly countermeasures when precision could have provided cohesion and freed up resources. Too often, an organization adopts what it assumes is an extremely ‘secure’ system that either cannot be implemented, cannot be sustained, is impractical for its users or overlooks active threat paths because finite resources are fully engaged elsewhere.

Threat Levels

A threat can be defined as the intended potential to cause an undesirable consequence. A threat assessment documents the result of an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences... The threat level provides a current estimate of ongoing risk to personnel, facilities, or interests from terrorist attack. Analyses deriving threat levels at the Department of Defense (DoD) are commonly performed by the intelligence staff at each command level, and resulting threat levels can differ by echelon. Threat Levels range from Negligible to Critical and are based on a systematic analysis of five factors: existence of terrorism, terrorist capability, history of terrorism, intentions of terrorist groups, and targeting by terrorist groups. The system is not perfect but can be effective in a relatively contained risk environment, as it inherently allows for a concentration of resources for periods of elevated risk, conserving those resources in the process.

Threat Analysis

To supplement a risk responsive approach, such as in the use of threat levels, ICG prefers to create a risk matrix for each identified threat group so as to perform a more precise capabilities analysis. ICG prefers this more extensive version -- as it allows greater ability to profile the group under examination and to create a baseline for ongoing comparative analysis, a means to capture outlier data that may indicate an emerging threat:

Variant 2: Threat Analysis Factors

Factor must be Present: X; Factor may or may not be Present: O


In response to threat levels, companies or commands adopt or change Force Protection Conditions (FPCONs), which are measures to protect people and facilities from the postulated current threat. Each FPCON potentially entails increasingly stringent security measures. A nominal DoD matrix contains intelligence assessments, warning reports, spot reports and law enforcement reports. The Department of State (DoS) adds broader factors, such as political violence which encompasses terrorism, counterintelligence, anti-U.S. technical intelligence, and activities against the U.S. community in determining its threat levels.

Risk is a function of threat, likelihood, consequence, vulnerability, and asset value. Impact is a function of:

  • Resources (the adversary's resources to execute and the defender's resources to defend, respond and recover post-attack)
  • Unexpected Methods by the adversary
  • Adversary's understanding of our infrastructure and the means to achieve exploitation
  • Defender's vulnerabilities
  • Effect Multipliers -- Where typical effect multipliers are:
    • Disruption of cyber infrastructure
    • Prevention or reduction of response and retaliation
    • Decrease or suppression of initiative to respond politically
    • Employment of psychological operations (Psyops)
    • Generation of fear and indecision
    • Introduction of WME (Weapons of Mass Effect)

Asymmetrical Rules Base (Attacker Rules)

Crafted from the 'success' of an earlier World War I static defensive war, the French Maginot Line failed under the newer concept of a mobile mechanized infantry. Accordingly, current defenses will fail under attack by the small-scale, high-impact operations of an asymmetrical attacker employing unexpected, non-traditional and broadly applicable methods unless we learn the current methods of the adversary and adopt simple effective measures.

Threat assessment must include the ability to impute an asymmetrical rules base as part of the threat definition so as to permit the defender to think more like a terrorist (as opposed to a defender) in defining a realistic threat posture, i.e., act without the self-imposed rules and limitations of the defender so as to view the risk calculation through the eyes of any number of threat groups, be they Muslim fundamentalists, Patriot right, Millennialists, single-interest terrorists such as the Earth Liberation Front (ELF), or various groups aggrieved at US actions. Each threat group has 'rules' such as preferences in targets and timing, varying motives for action, specific means or technical capability for action, and the later the threat detection the greater the threat group’s opportunity for action.

Asymmetric adversaries employ very different variables in their risk calculations than the defender does, since the adversary is essentially interested in forestalling detection and accomplishing mission fulfillment. As previously noted in threat definition, a study of each category of attacker and, in specific cases, individual adversary groups, will identify a typology of action such that we can view risk and reward through the eyes of the asymmetric attacker. Without that view, much of successful defense is happenstance.

Introduction to Design Basis Threat (DBT)

The successful approach to defer (delay hostile efforts), deflect (move hostile intent to another target) or defend (interdict an incipient hostile attack) against an asymmetric attacker is almost all proactive process with a modest amount of strategically placed hardware that adds specific and reliable value to the process.

The core of that process is the Design Basis Threat (DBT), which will capture and formulate risk management objectives that balance commercial and security objectives, providing a means to evaluate threats over time. The DBT becomes an integral, inseparable part of corporate governance. The DBT becomes the mechanism that informs management of the types of threats it may face over time and allows them to define the threats that are in or out of scope, the response level that will be committed to each threat, and the cost for that response level.

The DBT absorbs the 5-Step Risk Management Process of FM 100-14, Risk Management, which is the commander’s principal risk reduction process to identify and control hazards and make informed decisions:

  • Identify hazards
  • Assess hazards
  • Develop controls and make risk decisions
  • Implement controls
  • Supervise and evaluate

The DBT, just as all sound risk management, does not:

  • Inhibit the commander’s and leader's flexibility and initiative
  • Remove risk altogether, or support a zero defects mindset
  • Require a GO/NO-GO decision

The DBT will include threat assessment, a safety-oriented hazard assessment, asset value assessment and an asset risk assessment that draw upon technical insights and the results of internal and external pattern detection. Where the best DBT implementations differ from almost all conventional DBTs is that the DBT must NOT be a scenario-based risk process but rather a rigorous procedural analysis. As noted above, a solution to IT risk identification and remediation is not solely an IT solution but rather the application of a CT/CI approach to a firm's infrastructure, augmented by IT as required. The DBT process is used to assess risk more effectively, placing a premium on speed in flagging rising risk for inspection and action.

The DBT process can be used also to identify security guidelines that should be migrated across supplier relationships on both the buy (outsourcing) and make (manufacturing) side. Upstream outsourcing is a too often overlooked failure point. See Multisourcing: belated recovery of forgotten first principles, parts 1 and 2.

If history is any guide, integration, implementation and wider adoption of IT metrics DBT will be slow while phishers and penetrators will lunge ahead (here and here), but at least the path is there.

Part 2, Generic elements and process of a DBT protection system

Security Metrics
Posted by samzenpus on Wednesday May 16, @03:35PM
May 16, 2007

8 Questions For Uncovering Information Security Vulnerabilities
Tips for testing information security vulnerability hypotheses with questions designed to head off potential problems.
By Andrew Jaquith
16 May, 2007

Google: 10 percent of sites are dangerous
By Tom Espiner,
Published on ZDNet News
May 15, 2007, 7:56 AM PT

Do you know what’s leaking out of your browser?
Posted by Ryan Naraine @ 11:22 am
Zero Day
May 14, 2007

Using Metrics to Diagnose Problems: A Case Study
When initially deploying transactional financial systems it's wise to make sure perimeter and application defenses are sufficient.
By Andrew Jaquith
11 May, 2007

Models for Assessing the Cost and Value of Software Assurance
John Bailey, Antonio Drommi, Jeffrey Ingalsbe, Nancy Mead, Dan Shoemaker
Software Engineering Institute,
Carnegie Mellon University
Last modified 2007-05-10 10/07 4:38:24 PM

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Andrew Jaquith
Addison-Wesley Professional; March 26, 2007
ISBN-10: 0321349989

ebook: ISBN: 0321509471
File Size: 4393 kb
Released online for download: 03-03-2007

Making the Business Case for Software Assurance
Nancy R. Mead
Software Engineering Institute,
Carnegie Mellon University
2007-02-06 12:30:16 PM

Victor-Valeriu PATRICIU, Iustin PRIESCU, Sebastian NICOLAESCU
Department of Computer Engineering
Military Technical Academy, Bucharest, Romania
Journal of Applied Quantitative Methods
JAQM, Vol 1, No. 2, Winter 2006

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, and Jan Willemson
In J. Lopez, ed.
Proc. of 1st Int. Wksh. on Critical Information Infrastructures Security, CRITIS '06 (Samos Island, Aug./Sept. 2006), pp. 232-243. Univ. of the Aegean, 2006

NOTE: The following PDF of a PPT presentation by Buldas et al is useful for stepping a reader through the attack tree process under discussion:

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, Jan Willemson
August 30 – September 2, 2006, Samos Island, Greece

Checklist outlines new cyberthreats
BY Michael Arnone
Published on April 26, 2006, updated at 5 p.m. May 5, 2006

The New US-CCU Cyber-Security Check List
Scott Borg
GSC-11 Chicago

The Vulnerability Supply Chain
by Andrew Jaquith
6 December, 2005
last changed on 00:06 07-Dec-2005

Asymmetric Threat Detection in the Material Security Environment
With Initial Recommendations Regarding Disposition of WMD-Related End-Items For Defense Reutilization and Marketing Service
Prepared by Intellectual Capital Group LLC
21 September, 2005

The Symantec Threat Report: Read Between the Lines
by Andrew Jaquith
September 20, 2005
last changed on 09:51 22-Sep-2005

A Few Good Metrics
Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them.
By Scott Berinato
July 2005

Escaping the Hamster Wheel of Pain
By Andrew Jaquith
4 May, 2005
Last changed on 11:56 04-May-2005

The Metrics Quest
Under pressure from the CFO to quantify security benefits, a CSO finds measures that matter
November 2004

Nuclear Security: DOE Must Address Significant Issues to Meet the Requirements of the New Design Basis Threat.
Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives
GAO-04-773T, General Accounting Office (GAO)
May 11, 2004

Collecting Effective Security Metrics
By Chad Robinson
Robert Frances Group
April 09, 2004

Information security: why the future belongs to the quants
Daniel Geer Jr, Kevin Soo Hoo, Andrew Jaquith
Security & Privacy Magazine, IEEE
Volume 1, Issue 4, July-Aug. 2003 Page(s): 24 - 32
Posted online: 2003-08-11 14:23:28.0
ISSN: 1540-7993


Risk Management
FM 100-14
Field Manual Headquarters
No. 100- 14 Department of the Army
Washington, DC, 23 April 1998

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



State of H5N1 Avian flu (Un)preparedness


A recent off the record conversation with a city public health official on flu pandemic preparedness after three years of "preparation":

  • Insufficient vaccine stocks
  • Little discussion of who gets priority access to vaccine
  • Volunteers exist for assisting positions and for law enforcement, yet most do not yet have an N95 mask and, his words, not mine, it is not clear if an N95 mask is effective against H5N1
  • Vaccine distribution plans pivot about airlift distribution from six regional depositories to adjacent states
  • Population urged to store three days of emergency supplies although most avian flu scenarios require some two weeks of supplies in order for flu to transit the available vectors (vulnerable population sectors)

If only the situation were this bright:

  1. Not only is there insufficient vaccine in the abstract, insufficient regional supplies will further suffer from predation on the supply/distribution chain as have-nots realize what is passing by them, hijacking the supply. Stocks not immediately consumed or destroyed will go to black market auction.
  2. There have been discussions as to prioritizing vaccine receipt, nominally first responders, hospital staffs and an ill-defined 'command and control' structure, but it is expected to break down quickly. Human nature predicts a Dr. Strangelove effect to retain key stocks for senior command and control. I would expect attacks on presumed storage sites.
  3. First responders and support staff will dwindle as they know that their chance of infection is greater; some will come in for vaccine, try to get more for family members and then depart. There are some recent studies that predict a failure of the first responder hospital staffs, begged by their families not to go in. Expect to see infrastructure breakdown.
  4. Standard masks, including simple commercial N95 masks, are insufficient. Worse, most individuals are not taught to put one on properly and test it for leaks. People with good masks, or with something better than those who have none, will become assault and battery targets.
  5. Most untrained individuals do not function well in the constrictive environment of a mask, e.g., if a mask is easy to breathe in, it is not adjusted correctly. It is a bit like SCUBA; you have to work to draw a breath. In full masks, vision is constrained, etc. By comparison, SARS was actually difficult to contract. A higher H5N1 contagion rate would have made a mockery of common mask strategies employed by the Chinese.
  6. As to airlift distribution from federal depositories, I suspect that infrastructure faults already alluded to will include airports, often starting with the underpaid and the unnoticed. Think hospital orderlies and janitorial staff for a start.
  7. People will think too late of the needed two week plus stocks of water and food, so resorting to raids on supply points, groceries, et al.

Given the kinds of gaming scenarios with which I am familiar, it is not so great a leap to envision a worst case use of bioweapons to create a firebreak in an exceptional epidemic, i.e., there is no transmission if there are no vectors.

See related background items:

Intractable nature of achieving preparedness

Flu preparedness presents few solutions - where solutions are defined as combinations of money, assets, personnel and attention - to solve what is a massive infrastructure and societal issue that has been unable to breach government and public awareness for what might be a "then, maybe" event in the face of immediate and serious problems for which voters are demanding a solution now. It is a signal to me that federal authorities do not have a viable solution if they are still grappling with the concerns that opened this post.

While one might wonder why flu preparedness presents so intractable a problem after three years of thought, there is a prior example at our feet - earthquake preparedness. Flu preparedness is analogous to earthquake preparedness in that both present the possibility of enormous costs, serious disruption and commercial impact for a "maybe event, but maybe not my city or region" event. Earthquake preparedness has been in the public consciousness far longer than flu and we are not appreciably better prepared for it. Stanford University, for example, is slowly working its way to a comprehensive response posture, propelled by a series of quakes.

One of the few 'solutions' that I can see rises from studies of the emergence of Influenza A H1N1 in the 1918-1919 Influenza epidemic which showed that isolation was a significant factor in reducing infection transmissions. Given today's transportation venues, one wonders if isolation still offers a viable solution.

Much about masks

There are many kinds of masks: Non-powered Air-Purifying Respirators (filtering facepiece, half mask, full facepiece), PAPR (Powered Air-Purifying Respirators), and supplied air (Supplied-Air Respirators (SARs) and Self-Contained Breathing Apparatuses (SCBA)). OSHA's Assigned Protection Factors is the best single source that I have found for mask characteristics, applications and effectiveness.

When I see comments from the infrastructure community such as "The N-95 / N95 mask is the mask recommended by CDC and Health care experts," they neglect to say, or are unaware, that a cost benefit analysis has been done, the upshot of which is that this '95%' class of non-powered air-purifying respirator is the most that responder agencies can reasonably be expected to purchase in volume, and is one of the few classes that is even available in any volume, yet still will be insufficient for all in the event of an epidemic. I sum it as, anything more and they don't buy; anything more and there aren't remotely enough.

The H5N1 investigative community properly describes N95 as the minimal protection:

Disposable particulate respirators, such as a NIOSH approved N-95, are the minimum level of respiratory protection that should be worn. However, wearing respirators that offer a higher level of protection, including full-face piece, hood, helmet or loose fitting face piece respirators also will serve to protect the eyes.

One of nine NIOSH classifications (National Institute for Occupational Safety and Health) for certified particulate respirators, N95 is described as:

N95 rated filters have a filtration efficiency of at least 95% filtration against solid and liquid particles that do not contain oil. In the NIOSH classification system, particulate respirators are given an N, R, or P rating. N stands for Not Resistant to oil. R stands for Resistant to oil. P stands for oil Proof. Each particulate respirator is also given a filter efficiency rating of 95, 99, or 100 when tested against particles approximately 0.3 microns in size (mass median aerodynamic diameter) according to the criteria stated in 42 Code of Federal Regulations Part 84.

While N95 respirators have a 95% filtration efficiency, the key is the Assigned protection factor (APF):

Respirators are designed to help reduce, not eliminate, workplace exposures to airborne hazards... [The] efficiency of the filter material alone does not determine the overall reduction in airborne hazards provided by a respirator. The other determinant in reducing exposure is fit. If a respirator does not seal properly to the face, airborne hazards can penetrate or enter underneath the face piece seal and into the breathing zone. The term that incorporates the overall expected reduction in exposure is called an "assigned protection factor" (APF). NIOSH defines APF as the "minimum anticipated protection provided by a properly functioning respirator or class of respirators to a given percentage of properly fitted and trained users." The APF tells you the factor by which the respirator will reduce your exposure. The APF takes into account all expected sources of facepiece leakage, such as leakage around the edges, valve leakage, and filter penetration. The APF of a NIOSH-certified half facepiece respirator is 10. This means that a properly used NIOSH-certified half facepiece respirator (one that covers your nose and mouth only, such as an N95 particulate respirator) will reduce your exposure to airborne contaminants by a factor of 10. Note, the APF is not intended to take into account factors that may reduce respirator performance such as poor maintenance, failure to follow manufacturer's instructions, and failure to wear the respirator during the entire exposure period. It is important that the respirator is correctly worn and used as part of a comprehensive respirator program...

It gets worse:

I agree that fit-testing is important and an N-95 respirator is much better than a boulder-catching surgical mask. A full-face respirator with HEPA filters would be even better, but my bet is that hospitals are using half-faced respirators. When I did respirator fit-testing in one USEPA course, none of the three half-faced respirators that I tried worked when I talked or moved my head from side-to-side. The movement broke the seal. Needless to say, hospital staff do talk and move their heads.

When I did that respirator fit testing, only a properly fitted full-faced respirator worked, and only 2 out of 3 full-faced respirators that I tried passed the fit test. People with glasses (like me) can get eyeglass inserts. Also, a beard will prevent an adequate fit. Don't ask me how many times I've seen people with beards wearing respirators that they bought at a hardware store. Between not being properly fit-tested and the bypass created by the beard, they're worthless. Personally, I wouldn't trust a respirator that isn't fit-tested, period, with absolutely no exceptions whatsoever (am I perfectly clear?). The U.S. representative who is trying to stop fit-testing for hospital workers is totally ignoring the science, and if passed, I predict increased infections of all sorts. Also, God help us if this passes and some terrorist releases large quantities of Anthrax or the like. They'll take out the hospitals along with everything else...

And of course, wearers must clean appropriate respirators after use:

Disposable respirators should not be cleaned; dispose of the respirator immediately after use according to facility policy. In addition, the CDC and WHO suggest not touching the front of particulate respirators during removal and to follow with hand hygiene procedures. Reusable respirators may be disinfected using a mild bleach and water solution (0.1% sodium hypochlorite).

P100 HEPA as the standard

HEPA is High Efficiency Particulate Air. HEPA filtration is already in common industrial usage as well as by those afflicted by allergies. While HEPA is good for dusts and molds, it only traps particulates, allowing any contaminant in non-particulate form to pass through the filter. For my general purpose usage, I employ combination cartridges designed for pesticides as well as dusts, fumes and mists (Organic Vapor plus P100 HEPA). I have both half face and full face masks, all with Organic Vapor/P100 HEPA cartridges. Both permit use of glasses w/o breaching mask seal.

Compare P100 filtration to the lesser N95 or N99 filters:

Passes NIOSH's most rigorous testing criteria and is approved for minimum 99.97% efficient protection against oil & non-oil particulates.
Typical applications: battery plants, nuclear power facilities, asbestos abatement [and] remediation, lead, cadmium, silver, cobalt fume & dust, radionuclides and radon daughters. Also used for dusts, fumes, & mists with a PEL [Permissible Exposure Limit] less than 0.5mg per cubic meter.

Even that does not guarantee freedom from infection but it is vastly superior to N95 masks, especially the disposables which are intended to be discarded (properly) after a single use.

I find the advisory through DHS (personal email) that, "Doctors, first responders and air traffic controllers can use N 95 masks in work settings as long as they are properly fitted and some training occurs," to be disingenuous. To be frank, a key problem with these N95 "office work" masks is that masks in which you can talk, can be heard and be understood will not seal, yet those employees (physicians should know better) will still take them home with them, using them in the community, unaware of their risk.

Where is the discussion on home or office decontamination?

Seemingly absent from the discussion of mask use by the public is the issue of decontamination. Assume that you have an acceptable mask, properly fitted with active filtration cartridges, and are exposed to H5N1 flu variants. What happens when you remove the mask, possibly touching mucous membranes or mouth? Where is the guidance for disposable or non-disposable gloves, protective clothing, shoe covers or boots, and safety goggles?

How do you prevent tracking the agent into your home? Again, the procedures are simple but rarely addressed in literature for the public. An Expedient Semi-Permanent Decontamination Shower is described in this post-11 September guide to NBC warfare survival.


With the Katrina recovery debacle as yet unresolved, I am not sanguine with the ability of DHS and FEMA to respond to a pandemic. The valiant at CDC and WHO are not enough. See:

I consider a commercial P100 HEPA cartridge in concert with good practice as the baseline. You can get a good half face HEPA cartridge respirator that can be fit properly along with a box of six cartridges for what I consider a modest price, but still a price that neither the states nor Congress is willing to fund. We cannot recommend what we are unwilling to fund, so we all collectively blink and admire the Emperor's new clothes. In our business that is called accepting risk by default, which is not a useful survival strategy. I may still not survive infection, or I may be bludgeoned for my respirator, or I may succumb to some other systemic failure, but my odds are better.

'Supermap' Of Avian Flu Yields New Info On Source And Spread
Source: Ohio State University
Science Daily
April 30, 2007

Google Earth files for avian flu virus
Roderic Page at 2007-04-28 10:27
Systematic Biology
The Google Earth file that accompanies the paper "Genomic Analysis and Geographic Visualization of the Spread of Avian Influenza (H5N1)" (Janies et al., doi:10.1080/10635150701266848, or OpenURL) is available here (aiTrees.kmz).

Respiratory Protection and Avian Influenza Viruses Frequently Asked Questions
3M Occupational Health and Environmental Safety Division

Assigned Protection Factors; Final Rule - 71:50121-50192
U.S. Department of Labor
Publication Date: 08/24/2006
Publication Type: Final Rules
Fed Register #: 71:50121-50192
Standard Number: 1910; 1915; 1926
[Federal Register: August 24, 2006 (Volume 71, Number 164)]
[Rules and Regulations]
[Page 50121-50192]

Faculty Senate hears report on emergency-preparedness plan
Earthquakes, disease outbreaks, acts of terrorism weighed in plan
Stanford Report, February 1, 2006

Disease Forecasting
By Jim Duffy
Johns Hopkins Public Health
Fall 2005

from Mass Casualty Incidents Involving the Release of Hazardous Substances
January 2005

Avian Influenza Symposium
Moderator: Nina Marano
Centers for Disease Control and Prevention Symposium on Avian Influenza
November 3, 2004

Mail: Respirators and China
Posted 11:55 PM by Jordan
Confined Space
Wednesday, September 15, 2004

The ABC's of NBC Warfare Survival: A Public Guide to Surviving Nuclear, Biological, and Chemical Terrorist Attacks
Fred H. Lane

Gordon Housworth

InfoT Public  Risk Containment and Pricing Public  Strategic Risk Public  



To the Panda Software article plant effort: this is not the article that you were hoping for


Panda Software's SEARCH FOR EXCELLENCE apparently has not reached its plant program attempting to seed articles favorable to its Infected or Not campaign to Highlight the Prevalence of Malware. Today I received an email to our blog info address from an that is worthy of being reproduced in full, as it is a very straightforward request to plant an article favorable to Panda, even offering sample texts from which to adapt.

The fact that Panda Software is based in Bilbao and Madrid, Spain, with substantial Latin and other subsidiaries, will gain pertinence as the reader proceeds.

I am not the only recipient as Daniel Davenport's think d2c received a comment note from the same gmail Erika to his Mobile TV advances on 18 April:

Erika said...

Hi! Sorry for trying to contact you through the comments section of your blog but I have an offer that might interest you. Please, contact me in

Here is the email item that I received from this same Erika at 4/20/2007 8:59:32 AM (and all of Erika's emails have been retained for our records):

From: Erika Email: Subject: 70% of the computers are infected! And you can be part of the solution Message: Hi,

My name is Erika Brown and I am currently working on an awareness campaign called Infected Or Not.

Let me tell you a little bit about it. The whole story of this campaign began with a report from a Panda Software project. On that report, PandaLabs stated that in 2006 more malware was received than in the previous 15 years combined.

The spread of malware infections was huge and it is now getting worse and worse. And that’s why Panda Software decided to launch their Infected Or Not campaign.

The campaign is based on the web site. On that site, people can quickly check if their computers are infected by any form of malware and, at the same time, they are providing useful information that is collected and used to present prevalence statistics.

So the real value of the campaign is not in the test drive of the upcoming Panda detection tools, but in the stats collected by these tests (stats that are also displayed daily on the web site). So far, the numbers have been really impressive: almost 70% of the scanned computers are infected. That is precisely why we need awareness.

Now, This is what I want to ask you: I would like you to publish an article in your web site about this campaign. I can even send you one of several different articles written by other people working on this campaign. Any mention about "Infected Or Not" from any web site is, subsequently, commented and seen by hundreds of thousands of people in our own web site. I guess the free publicity couldn’t hurt you.

I know it doesn’t sound like a great deal for you but, if you think about it, we would provide you with relevant (and rich in keywords) content, and you would be taking part in this awareness effort.

If you want to collaborate with me, just write back and let me know. I will send you the article ASAP.

Thanks for your time and I look forward to hearing from you soon.

Best regards

Switching into honeypot mode, I invited items for review at 20 April, 2007 11:55 with the comment "Have looked at IoN site. Please send items for review."

Almost by return, I received Erika's response at 20 April, 2007 12:00:

Thank you very much for your collaboration to this awareness campaign, I really appreciate it.

Here I send you an article about You won't be disappointed.

Please feel free to tell me if there is any way I can help you adapt the content to your web site or if you have any other question or suggestion.

One last favor, could you please send me the article's URL?



Attached was a short derivative document, infected1, whose properties page states its authorship at "Pablo Diaz" from "SX Networks." There is an SX Networks in Montevideo, Uruguay, and a Pablo Díaz Rigby in Montevideo whose CV states that he is a "Media Executive" devoted to "Online advertising campaigns management" and that he is a "Spanish Native speaker" that is "Fluent in written and Spoken English."

I think it sad that a nominally respected firm in a very necessary field would stoop to this, even using the sham plausibility of denial by a separate address. Other readers may share my opinion of "Shields Up!" and suspicion of all further Panda missives until it repudiates the plant effort and zero times its initiative.

UPDATE: 23 April

Coincident with the original posting, I reported "Erika" to Gmail. Their reply arrived 23 April. "Erika" had spoofed a gmail address:

From: []
Sent: Monday, 23 April, 2007 19:30
To: Gordon Housworth
Subject: Re: [#139428718] Account Status


Thank you for your report. We apologize for any inconvenience this may have caused.

The message you refer to did not originate from Google. Instead, it appears to have been sent by someone who has faked the address so that it falsely appears to be from Gmail. This practice is commonly called 'spoofing.'

We are very concerned about this conduct. We have forwarded the information you provided to the appropriate team for investigation.

Please note that Google will never send unsolicited mass messages asking for your password or personal information, or messages containing executable attachments.

You can also help stop these individuals by sending a copy of such unlawful messages to the Federal Trade Commission at

We appreciate your understanding.


The Google Team
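Google's reply says only that the sender "faked the address". The script below is an added example, not code from this post or from Google, showing the checks a receiving mail administrator can run on a message's headers to flag a forged visible From: line: the From domain is compared with the envelope sender (Return-Path), and the SPF and DKIM verdicts are read from the Authentication-Results header, but only the one stamped by our own mail exchanger, since a sender can insert such headers too. The message text, the hostnames (mx.example.org, bulkmailer.example.net) and the IP address are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hostname of our own receiving MX (assumed); only Authentication-Results headers
# carrying this authserv-id are trusted, because upstream senders can forge others.
TRUSTED_AUTHSERV_ID = "mx.example.org"

# Constructed sample (not the email quoted in the post): the visible From claims
# gmail.com, while the envelope sender and our MX's verdicts say otherwise.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulkmailer.example.net>
Received: from bulkmailer.example.net (bulkmailer.example.net [203.0.113.10])
    by mx.example.org with ESMTP id k4A1; Fri, 20 Apr 2007 08:59:32 -0400
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulkmailer.example.net; dkim=none
From: Erika Brown <erika.brown@gmail.com>
To: info@example.org
Subject: 70% of the computers are infected!

Hi, my name is Erika Brown and I am working on an awareness campaign ...
"""

# Constructed control message where envelope, SPF and DKIM all agree with From.
LEGITIMATE_MESSAGE = """\
Return-Path: <someone@gmail.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: Someone <someone@gmail.com>
To: info@example.org
Subject: hello

Just a normal message.
"""


def sender_domain(header_value):
    """Lower-cased domain of the first address in a From or Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def trusted_auth_results(msg):
    """Return {method: result} from the Authentication-Results header written by our MX,
    or None if no header carries our authserv-id (i.e. nothing verified locally)."""
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.split(";", 1)[0].strip().lower()
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # added by someone upstream; cannot be trusted
        pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
        return {method.lower(): result.lower() for method, result in pairs}
    return None


def spoof_indicators(raw_message):
    """List the reasons a message looks like it carries a forged From address."""
    msg = message_from_string(raw_message)
    indicators = []

    from_domain = sender_domain(msg.get("From"))
    envelope_domain = sender_domain(msg.get("Return-Path"))
    if from_domain and envelope_domain and from_domain != envelope_domain:
        indicators.append(
            f"From domain {from_domain} differs from envelope sender domain {envelope_domain}")

    auth = trusted_auth_results(msg)
    if auth is None:
        indicators.append("no Authentication-Results from our own MX; SPF/DKIM unverified")
        return indicators
    if auth.get("spf") in ("fail", "softfail"):
        indicators.append(f"SPF {auth['spf']} for the envelope sender")
    if auth.get("dkim", "none") != "pass":
        indicators.append(f"no valid DKIM signature (dkim={auth.get('dkim', 'none')})")
    return indicators


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", spoof_indicators(raw) or ["no spoofing indicators"])
```

A From/Return-Path mismatch on its own is not proof of forgery (mailing lists and some bulk senders do this legitimately), which is why the SPF and DKIM verdicts from a header you know your own MX wrote carry the weight; absent those, the script reports that it could not verify rather than guessing.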

Mobile TV advances
Daniel Davenport
think d2c
Wednesday, April 18, 2007

Panda Launches ‘Infected or Not?’ Campaign to Highlight the Prevalence of Malware

Gordon Housworth

Cybersecurity Public  InfoT Public  Risk Containment and Pricing Public  



Ali Reza Asghari: an Iranian defection of extraordinary sweep and US advantage


An extraordinary February defection by an Iranian Major General, Ali Reza Asghari (also Asgari and Askari), must restructure the state of the US-Iranian relationship in all its aspects. Asghari was a general in the Islamic Revolutionary Guards Corps (IRGC) and its Quds Force (also here), a deputy defense minister and an inspector general. He is credited with building Hezbollah in its current form in Lebanon. Asghari is so important that his impact on unraveling Hezbollah in Lebanon, possibly saving Israel from a second drubbing; his illuminating the Iranian nuclear program (and its chemical and biological efforts), possibly laying it transparent to the point that Russia and China would find it difficult to protect; and his very possible resuscitation of the US position in Iraq, at least reducing it back to an internal affair (still no prize but better than an Iraq with sustained Iranian intervention), are only parts of a greater whole.

Until proved to the contrary, I rank Asghari as worthy of Iranian "panic" above and beyond the scope of his access to Iran's nuclear weapons program:

  • Supreme "Follow the Money" architect for anything and everything to the point of rendering Iran transparent
  • Global supply chain and logistics for Iranian acquisitions, nuclear and non, with all the political implications thereof
  • Strategic architecture of global Iranian overt and covert operations, not just Lebanon
  • Operationally useful political portrait of the Iranian government and individuals

An extremely honest man who, as the Defense Ministry's Inspector General, revealed corruption and embezzlement only to be paid with arrest and a fall from power, Asghari makes a formidable spurned lover. Said to be an adversary of the current Iranian government, his eventual rehabilitation and assignment to offshore arms deals only provided the opportunity to orchestrate his escape. Required to secure permission to leave the country, Asghari was sent to Syria to supervise a Farsi-Syrian arms deal (his family shortly went out after his arrival in Damascus). While there, he advised Tehran that one of his arms dealers was in Turkey and wanted to meet. Permission was granted and soon Alice went through the glass.

What was claimed by the Iranians as a kidnapping has now uniformly turned to a defection, and one in the old school by which the entire family was brought out as well. (The departure of Asghari's family coupled with the fact that Asghari "sold his house in the Narmak area of Tehran in December [2006]" makes defection all the more plausible.) Although the Iranians began to spin Asghari as a harmless old retiree, the Turks were saying from the onset that Asghari had broad access to nuclear information. Not only will it be months, perhaps longer, before the Iranians build a picture of what has gone missing, there will be both a pull-back of assets and operations and a diversion of externally focused assets to evaluating Asghari's impact.

Steve Clemons is closer to my thinking in his comment that Asghari's strategic value is his "understanding decision-making in Iran's political system, the general intentions of Iran's Supreme Leader, and a better understanding of the structure and activities of Iran's Revolutionary Guard Quds force [which] probably outweighs what he can establish on real or illusory nuclear weapons programs." Again, Asghari's disclosures likely affect the full sweep of Iranian efforts, not just its nuclear efforts.

The note by MideastWire's Nicholas Noe to Joshua Landis at Syria Comment is the best and most detailed item on Asghari, but even that does not reach the enormity of the breach. (As an aside, the annual subscription fees of MideastWire are modest, forming one of the better translation summaries for Arabic and Farsi media feeds. Recommended.) For starters, Noe snips from Arabic/Farsi texts to describe Asghari as:

[Asghari] was the IRGC liaison [in] Lebanon prior to the 2000 withdrawal and, as a principal of the armaments industry going forward, would have detailed knowledge of Hezbollah capabilities even after he left Lebanon:

Ali Reda Askari or Asghari:

* He holds rank in the Iranian Revolutionary guard equivalent to that of a Major-General.

* He succeeded Ahmad Kana’ni and Hussein Muslih in the command of the Revolutionary Guard units in Lebanon where he stayed for two years in the 90s. He frequented Sudan, Syria, Pakistan and Afghanistan.

* He was one of the top officials in the logistics department in the defense department during the Iranian-Iraqi war in the 80s.

* He headed the general committee responsible for running the largest weapons production facility in Iran.

* He was appointed an aide to the defense minister Admiral Ali Shamkhani responsible for logistics affairs and military purchases during the reign of President Ahmad Khatami.

* He was known for his financial integrity and gained fame after he uncovered a corrupt network inside the ministry headed by one of the top commanders of the Revolutionary Guard. This network had managed to swindle more than 160 million dollars in commission as well as 60 million dollars from bogus weapons’ deals.

* He was responsible for acquiring spare parts and equipment used in producing the Shehab 3 ballistic missiles.

* Turkish newspapers report that he was opposed to the Iranian government and that he possessed knowledge of the Iranian nuclear secrets.

Kenneth Timmerman's piece in NewsMax adds details to these points. English language articles early in the publicizing of Asghari's going missing were largely a regurgitation of two items, one from Haaretz and the second from Ynet. A later Haaretz piece offers more data from the initial source, al-Sharq al-Awsat, which stated that Asghari defected to the US "along with the secrets he carried." CSM's Tom Regan offered a nice round-up of sources.

While most sources are channeling the idea that either the US or Israel is responsible, it is possible that the Iranian dissident group, Mujahedin-e-Khalq (MEK), was responsible (also here). (The MEK has a checkered past, is listed as a terrorist group by the US yet resides or is held captive - take your pick - on a US facility in Iraq, operates in Turkey and interrogated the Iranian diplomats captured by the US in Irbil.) Nothing is free of secondary effects; one of the bargaining chips that the US had in a potential negotiation with Iran was the ejection of the MEK from Iraq. If true, given the impact of Asghari's defection, one should expect Iranian efforts against the MEK as well as the MEK becoming a rising point of contention between the US and Iran.

While the Iran-initiated state visit of Ahmadinejad to Saudi Arabia for a summit meeting with King Abdullah went ahead, it is likely that Asghari's defection figured into Tehran's opening position to Riyadh. One wonders if the US can, and will, feed Riyadh in advance of the summit. Asghari can touch every interest of Iran, domestic, regional and global:

King Abdullah and Mr. Ahmadinejad are expected to discuss ways of ending the political standoff in Lebanon between the American-backed government of Fouad Siniora and Hezbollah, which is supported by Iran. Both countries are also concerned that growing sectarian tensions in Iraq, Lebanon and elsewhere in the region could fuel further instability. "The last visit by an Iranian official to Riyadh was by national security chief Ali Larijani last month, but the Iranians were left feeling quite unsatisfied," said Adel al-Toraifi, a Riyadh-based Saudi analyst with close ties to the government.

Experts said talks had broken down when the Iranians balked at a deal that would increase Hezbollah’s representation in the government, but would also start an international tribunal to try suspects connected to the assassination of the former Lebanese prime minister, Rafik Hariri, in 2005, a Saudi priority. Hezbollah took to the streets of Beirut in December demanding a greater role in the government, and threatening to continue its protest until Mr. Siniora resigns or gives its allies more seats in the cabinet.

"The Iranians want to come to an understanding with the Saudis," said Khaled Dakhil, professor of political sociology at King Saud University in Riyadh. "The Iranians want the help of the Saudis on the nuclear front, and they do want to improve relations between Syria and Saudi Arabia."

For a deeper structural look, see Nasser's The regional implications for the Saudi-Iranian dialogue. In any case, Ahmadinejad's one-day visit did not go swimmingly, at least for Tehran.

One wonders if knowledge of Asghari's defection made the one-day international security conference in Baghdad (10 March) slightly less contentious and how it influenced the one-on-one US-Iranian conversations. In the wake of IAEA punitive sanctions suspending a series of nuclear aid programs to Iran, Ahmadinejad has signaled his desire to attend a UN Security Council meeting to defend Iran's nuclear program. One wonders how the Asghari data will deflect that desire. Perhaps it is too early to see any Iranian deflection, and the US might not immediately be interested in showing its hand. Expect to see sparks eventually, as Asghari is simply too powerful a source.

I do wonder about the extent of discontent within the Iranian military and possibly some paramilitary cadres. In addition to the external aspects of Asghari's defection, the Iranian government has to concern itself with internal resistance:

Such an act would be interpreted as a major sign of discontent within senior Iranian military figures against his aggressive policies. With increasing dissatisfaction against Ahmadinejad emanating from Iran's population, such a blow is something which Ahmadinejad can currently ill afford, and something that those who view him as a danger have been hoping for.

I am not the first to think that Asghari's defection reverses US failures vis-à-vis Iran noted in James Risen's State of War in which the CIA inadvertently released enough identifying information to a double agent that allowed Iran to roll up the agency's network in Iran (forcing the US to depend upon "European, Israeli and Saudi intelligence capabilities") and Operation Merlin, a disinformation effort to mislead the Iranians in warhead trigger designs that boomeranged, handing a working design to Tehran. The Guardian has a good excerpt from the book describing these events, and also a note of interest.

While CIA chastised Risen for the "serious inaccuracies" in "every chapter of 'State of War'" and his "reliance on anonymous sources [that] begs the reader to trust that these are knowledgeable people," the agency then put forth "knowledgeable current and former officials" to confirm that the leak occurred but that the "allegations that agents were lost as a result are not true." (See also Daniel Benjamin's comments.) But then what else can the agency say to domestic political ears and potential agents abroad?

Ahmadinejad intends to visit UNSC
Jerusalem Post
Mar. 11, 2007 10:18 | Updated Mar. 11, 2007 10:24

Iran Calls Baghdad Talks Constructive
The Associated Press
March 11, 2007; 8:12 PM

U.S., Iran Trade Barbs in Direct Talks
Associated Press
March 11, 2007, 5:23 a.m. ET

The regional implications for the Saudi-Iranian dialogue
Shehata M. Nasser
The Arab Washingtonian
Saturday, March 10, 2007

Former Iranian Defense Official Talks to Western Intelligence
By Dafna Linzer
Washington Post
March 8, 2007

Defection or abduction? Speculation grows after Iranian general goes awol in Turkey
· Former minister vanished from Istanbul hotel
· Fingers pointed at Mossad and anti-Tehran rebels
Julian Borger
The Guardian
March 8, 2007

Did top Iranian general defect?
Reports say 'missing' former deputy defense minister may seek asylum and offer intelligence to the West.
By Tom Regan
posted March 08, 2007 at 12:00 p.m. EST

Iran: Ex-Defense Official's Whereabouts Remain A Mystery
By Golnaz Esfandiari
March 8, 2007

U.S. Denies defection of Iran’s deputy defense minister
Ya Libnan
Thursday, 8 March, 2007 @ 2:39 AM

Key Iranian General and former Deputy Defense Minister May Have Defected to United States
Steve Clemons
Washington Note
March 07, 2007

Report: Missing Iranian official being questioned in N. Europe
By Yoav Stern, and Haaretz Service
Last update - 16:33 07/03/2007

Panic in Tehran
PJM in Tel Aviv
Pajamas Media
March 7, 2007 12:30 AM

Saudi visit of Iranian president fails to lessen tensions
By Peter Symonds
Ya Libnan
7 March, 2007 @ 5:13 PM

"Iranian General Defects with Hizbullah’s Secrets," by Nicholas Noe
Joshua Landis
Syria Comment
March 7th, 2007

Federal News Service Moscow Bureau
7 March 2007

Iranian General Reportedly Defects
Kenneth R. Timmerman
March 7, 2007

Iran: West May Have Kidnapped Missing Official
News number: 8512160287
13:49 | 2007-03-07

Iran: Retired Defense Minister Missing
The Associated Press
March 6, 2007; 6:45 AM

Missing Iranian official may have information on Ron Arad
By Yoav Stern, and Haaretz Service
March 06, 2007 Adar 16, 5767

No U.S. Backup Strategy For Iraq
Outside Experts, Not White House, Discuss Options
By Karen DeYoung and Thomas E. Ricks
Washington Post
March 5, 2007

Israel involved in Iranian general's disappearance?
Former Iranian deputy defense minister vanished about a month ago on his way from Damascus to Turkey. Iranian officials say Mossad, CIA may have been involved in his disappearance
Dudi Cohen
Published: 03.04.07, 22:24 / Israel News

Iranian President & Saudi King plan summit talks on ME crises
Ya Libnan
2 March, 2007 @ 5:46 AM

Iran Says Its Leader Will Join the Saudi King for Talks on the Region's Conflicts
New York Times
March 2, 2007

The Elusive Quds Force
By Christopher Dickey and John Barry
Feb. 26, 2007 issue

The New Enemy?
Bush blames Iran’s Quds Force for a spike in anti-American violence in Iraq. Who are they, and how tight are their ties with Tehran?
By Michael Hirsh, Babak Dehghanpisheh and Mark Hosenball
Updated: 6:46 p.m. ET Feb 15, 2007

After the Mecca Accord, Clouded Horizons
New York Times
February 21, 2007

The Relationship Between Hizbullah & the United States In Light of the Current Situation in the Middle East
By Nicholas Noe
MPhil Thesis, Cambridge University Centre for International Studies
(N.B. - Modified October 10, 2006 after submission and approval)
July 2006

US blunder aided Iran's atomic aims, book claims
Julian Borger in Washington
The Guardian
January 5, 2006

George Bush insists that Iran must not be allowed to develop nuclear weapons. So why, six years ago, did the CIA give the Iranians blueprints to build a bomb?
The Guardian
January 5, 2006

Officials: Error tipped Iran to CIA agents
January 3, 2006; Posted: 8:43 p.m. EST (01:43 GMT)

The Scoop from 'State of War'
By Jan Frel
Posted January 5, 2006

Risen vs. Risen
Or, book standards vs. newspaper standards.
By Jack Shafer
Posted Tuesday, Jan. 3, 2006, at 10:05 PM ET

Underestimating Intelligence: Why it's not fair to give the CIA a failing grade.
By Daniel Benjamin
Posted Monday, Jan. 9, 2006, at 12:44 PM ET

Where Spying Starts and Stops: Tracking an Embattled C.I.A. and a President at War
Books of the Times | 'State of War'
January 9, 2006

State of War: The Secret History of the CIA and the Bush Administration
by James Risen
ISBN-10: 0743270665
Free Press (January 3, 2006)

Iran: Defending The Islamic Revolution -- The Corps Of The Matter
By Houchang Hassan-Yari
Friday, August 5, 2005

Gordon Housworth

InfoT Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



Chlorine is only the beginning of a spectrum of instant asymmetrical chemical weapons


A chemical weapon (CW) in the hands of an asymmetrical attacker or terrorist will generally not be 'WMD-scale,' certainly not in the context used in connection with Iraq under Saddam Hussein and OIF, but it will be a chemical weapon nonetheless. (Under current (but not future) means of delivery, the most likely "WMD chemical event" will be the placing of conventional explosives in an existing chemical plant.)

We must recalibrate our definition of a chemical weapon in order to understand how a terrorist can add chemical leverage to their attacks, likely using one or more items (mixtures greatly complicate defensive responses) drawn from local industrial chemical and pesticide stocks. In conflict situations where hazmat protection greatly complicates combat operations and/or local infrastructure is inept or unprepared to deal with chemical events, a simple chemical additive (even a benign additive if the defenders momentarily believe it to be a chemical additive) can be a significant force multiplier - directly against combat formations and indirectly against domestic public opinion.

The increasing use of industrial chlorine in Iraq is very good technique, so long in coming but so quickly emulated. There are many industrial chemicals that are far more toxic than chlorine. The plastics, fire retardant and semiconductor industries are examples of industries whose production depends on highly toxic agents that are generally commercially available and invariably unprotected, either at the industrial supplier or at the consumer's facility.

Many common toxic industrial chemicals could be used as weapons. What they lack in toxicity is made up by the large quantities commonly available and accessible. During WWI, the Germans used common chlorine gas as a weapon by simply opening containers and allowing the chemical to drift downwind into enemy forces. Chlorine and phosgene gases are industrial chemicals that are regularly transported in bulk road and rail shipments. Saboteurs could easily target commercial containers and rupture them to release the gases. The effects of chlorine and phosgene are similar to those of mustard agent. Chlorine and other chemical spills from trucks and railcars are not uncommon; terrorists would simply need to select targets and timing to maximize the effects on the public. Trucks and railcars are notoriously vulnerable targets to which little attention has been directed.

How to Handle a Chlorine Bomb is a good introduction to addressing a chlorine release, although its pertinent recommendations will be harder to implement in a combat environment. Copies of the Emergency Response Guidebook (ERG2004), a first responder guide to "(1) quickly identifying the specific or generic classification of the material(s) involved in the incident, and (2) protecting themselves and the general public during this initial response phase of the incident" should be on their way to Iraq along with the NIOSH Pocket Guide to Chemical Hazards.

Many fire retardants are precursors to organophosphates, the chemical class to which the nerve agents belong. It is only a matter of time before asymmetricals talk to an industrial hazardous materials specialist, consult the standard industrial toxicology handbooks (many in the end list), leaf through MSDS (Material Safety Data Sheet) listings, or remember Bhopal, where an accidental release of methyl isocyanate, a key ingredient of resins, killed thousands and incapacitated thousands more, often critically. Methyl isocyanate is often sold in 55-gallon drums as an industrial staple. From Plastics: Overview, a warning note to artists likely to handle unfamiliar compounds:

Isocyanates are extremely toxic by inhalation, causing bronchitis, bronchospasm, chemical pneumonia, and severe acute and chronic asthma at very low concentrations, even in people without a prior history of allergies. They also cause severe eye irritation. Methyl isocyanate was the chemical that killed over 2500 people in Bhopal, India when released into the atmosphere several years ago.

The degree of hazard depends on the volatility of the diisocyanate and its physical form. TDI (toluene diisocyanate) is the most volatile and the most hazardous. MDI (diphenyl methane diisocyanate) is less volatile and less hazardous than TDI. Polymeric isocyanates usually contain about 50% MDI. If heated or sprayed, any isocyanate is extremely hazardous. Note that isocyanates cannot be detected by odor until the concentration is many times higher than recommended levels.

The NIOSH Pocket Guide to Chemical Hazards contains a datum for Immediately Dangerous to Life or Health Concentrations (IDLH) that defines a "threat of exposure to airborne contaminants when that exposure is likely to cause death or immediate or delayed permanent adverse health effects or prevent escape from such an environment." While its original purpose was to "ensure that the worker can escape from a given contaminated environment in the event of failure of the respiratory protection equipment," it can be used by an attacker as a selection criterion.

The semiconductor industry has for decades been accorded a free ride by the lay populace as a green industry far removed from rustbelt smokestacks. Nothing could be farther from the truth as the industry is swollen with toxic processing agents, notably gases. To show how easy this is to find, search on "gases in processing semiconductors." One click will get you to Database of the Thermophysical Properties of Gases Used in the Semiconductor Industry, and one more will get you to the Index of Semiconductor Process Gases. While not an issue in Iraq, the semiconductor sector is a good example of a WMD-class event in place that only needs conventional explosives to release. Any reasonably industrialized state has materials in situ that are at risk of exploitation by terrorists.

It can get worse. There are many chemicals and formulations that share the ability of organophosphate nerve agents to kill by inhibiting the enzyme that controls the nervous system's ability to communicate. From NERVE AGENTS, PESTICIDES, AND CHOLINESTERASE INHIBITION, which I recommend as a readable introduction to a usually technical subject:

What is Cholinesterase Inhibition?

Let's take a look inside the human body. The human body, as well as other animals, contains electrical switching centers called 'synapses'. The body manufactures a chemical called 'acetylcholine' which turns on the switches and another enzyme called 'acetylcholinesterase' which breaks down the acetylcholine and turns off the switches. All this happens very fast. This is how the brain signals information throughout the body, to control respiration, muscle action, digestion, and other life functions.

Certain chemicals can throw this out of balance. A cholinesterase inhibiting chemical (nerve agents and some pesticides) interferes with the enzyme that breaks down the acetylcholine and excessive acetylcholine builds up at the synapses. There is nothing to switch off the synapses as acetylcholine builds up. Electrical impulses fire away continuously. Repeated and unchecked firing of electrical signals causes uncontrolled and rapid twitching of muscles, paralyzed breathing, convulsions, and in extreme cases, death.

Any chemical that can bind, or inhibit, cholinesterase (e.g. acetylcholinesterase), making it unable to break down acetylcholine, is called a "cholinesterase inhibitor", or an "anticholinesterase agent". The nerve agents (chemical warfare agents) are the most potent. Certain pesticides can also show some degree of cholinesterase inhibition. The pesticides that can result in cholinesterase inhibition fall into broad classifications of either (1) organophosphates or organophosphorus pesticides, (2) carbamate pesticides, or (3) pesticides based on chlorinated derivatives of nicotine. There are also many pesticides on the market that do not inhibit cholinesterase.

The offending chemical can be ingested, absorbed through the skin or eyes, or inhaled. The amount of chemical required to kill a human being can be as little as one drop of agent VX applied on the skin. On the other hand, some of the pesticides which possess cholinesterase inhibition are of low enough toxicity that it would be difficult for a person to poison himself.

Look, for example, at the Material Safety Data Sheet (MSDS) (also here) for SEVIN 80WSP CARBARYL INSECTICIDE and its nerve agent capacities if misused. Contrast that to Chlorine or Methyl isocyanate.

Regardless of the source or scale of attack, chemical weapon attributes can be described as:

  • Chemical weapons (CW) are relatively inexpensive to produce.
  • CW can affect opposing forces without damaging infrastructure.
  • CW can be psychologically devastating.
  • Blister agents create casualties requiring attention and inhibiting force efficiency.
  • Defensive measures can be taken to negate the effect of CW.
  • Donning of protective gear reduces combat efficiency of troops.
  • Key to employment is dissemination and dispersion of agents.
  • CW are highly susceptible to environmental effects (temperature, winds).
  • Offensive use of CW complicates command and control and logistics problems.

The Chemical Weapons Convention (CWC) is clearly inclusive in its interpretation of what constitutes a chemical weapon. It certainly includes any agent or combination of agents that an asymmetrical attacker would employ:

[All] toxic chemicals and their precursors, except when used for purposes permitted by the CWC in specified quantities, are chemical weapons. Toxic chemicals are defined as "any chemical which through its chemical action on life processes can cause death, temporary incapacitation or permanent harm to humans or animals." Precursors are chemicals involved in production stages for toxic chemicals.

Determining whether genuinely dual-use chemicals are chemical weapons is more difficult. For example, chemicals such as chlorine, phosgene and hydrogen cyanide (AC) - all of which were used during World War I as chemical weapons - are also key ingredients in numerous commercial products. To make the determination, toxic dual-use chemicals are subjected to the so-called general purpose criterion...

According to the general purpose criterion, a toxic or precursor chemical may be defined as a chemical weapon depending on its intended purpose. [A] toxic or precursor chemical is defined as a chemical weapon unless it has been developed, produced, stockpiled or used for purposes not prohibited by the Convention. The definition thus includes any chemical intended for chemical weapons purposes, regardless of whether it is specifically listed in the [CWC]...

Chemicals intended for purposes other than these are considered chemical weapons. A basic component of the general purpose criterion is the principle of consistency. A toxic chemical held by a State Party and in agreement with this principle will not only be produced, stockpiled or used for a legitimate purpose, but also will be of a type and quantity appropriate for that purpose.

In the near term, terrorists will be able to overcome the historical limitations of employing chemical weapons by incorporating 'found' industrial materials:

Chemical weapons have a relatively small area of influence and quickly disperse into the air or settle to the ground. When combined with explosives to increase dispersion the active chemicals are often destroyed or degraded by the explosive blast. Terrorist groups have extensive experience with conventional explosives and gain little advantage from chemical weaponry... It's simply impractical for terrorists to secretly obtain, transport and disperse the large quantities of chemicals required to attain a significant result...

As soon as the asymmetricals talk to a blasting expert, as opposed to a demolition expert, they will be taught about low-brisance explosives (brisance being a measure of the rapidity with which an explosive achieves its maximum overpressure and velocity) for bursting chemical stocks. Low-brisance explosives are used to heave and fracture rock strata rather than pulverize the strata as a high-brisance explosive (C4, Semtex and other military explosives) would.

In the near to medium term, terrorists will not have to start from ground zero, building, weaponizing and deploying CW on a WMD scale. They will learn to include industrial chemicals, pesticides and some herbicides in pointed tactical engagements combined with other attack vectors that will complicate defensive response.

Iraq Rebels Expected to Use More Chlorine Gas in Attacks
New York Times
February 23, 2007

How to Handle a Chlorine Bomb
Kris Alexander
Danger Room
Friday, February 23, 2007

Militants Using Chemical Bombs in Iraq
New York Times
February 21, 2007

Plastics: Overview
by Michael McCann, Ph.D, C.I.H and Angela Babin, M.S.

NIOSH Pocket Guide to Chemical Hazards
NIOSH Publication No. 2005-149
National Institute for Occupational Safety and Health (NIOSH)
September 2005

Deriving Toxicity Values for Organophosphate Nerve Agents: A Position Paper in Support of the Procedures and Rationale for Deriving Oral RfDs for Chemical Warfare Nerve Agents
Young, Robert A.; Opresko, Dennis M.; Watson, Annetta P.; Ross, Robert H.; King, Joe; Choudhury, Harlal
Human and Ecological Risk Assessment
Volume 5, Number 3, June 1999, pp. 589-634(46)

Jeff Slotnick
Security Driver

Terrorists, WMD, and the US Army Reserve
Parameters, Autumn 1997, pp. 98-118

Creating an explosion: The theory and practice of detonation and solid chemical explosives
J A Burgess and G Hooper
Physics in Technology 8 257-265

Toxic Substances
Agency for Toxic Substances and Disease Registry (ATSDR)
US Department of Health and Human Services

Database of the Thermophysical Properties of Gases Used in the Semiconductor Industry
NIST Standard Reference Database 134
National Institute of Standards and Technology

Index of Semiconductor Process Gases
NIST Standard Reference Database 134
National Institute of Standards and Technology

Thermophysical Properties of Gases Used in Semiconductor Processing
J.J. Hurly, K.A. Gillis, and M.R. Moldover
NIST - Physical and Chemical Properties Division

by John S. Nordin, Ph.D.
The First Responder
Tuesday, June 17, 2003

Handbook of Chemicals and Gases for the Semiconductor Industry
Wiley InterScience
March 2002

Emergency Response Guidebook (ERG2004)
US Department of Transportation, Transport Canada, and the Secretariat of Communications and Transportation of Mexico (SCT)

ChemINDEX (ChemFinder professional)

Expert Consulting and Expert Witness Services

Britney's Guide to Semiconductor Physics
written and designed by Carl Hepburn, post-grad student, at University of Essex

Chemical, Biological, Radiological and Nuclear (CBRN) Weapons
Weapons of Mass Destruction
Global Focus
Open Source Intelligence

What Is A Chemical Weapon?
FactSheet 4
Organisation for the Prohibition of Chemical Weapons (OPCW)
Last revised: 25 July 2000

Monitoring Chemicals With Possible Chemical Weapons Applications
FactSheet 7
Organisation for the Prohibition of Chemical Weapons (OPCW)
Last revised: 25 July 2000

Gordon Housworth

InfoT Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  


