Freedom and Information: Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security
Jul 18, 2007
With the ever-growing presence of the Internet in people's lives, it is easier than ever to obtain information from publicly available sources on a wide range of topics. This raises the question of whether terrorists can exploit this availability of information when planning terrorist attacks. Conversely, familiarity with public sources of information can also be useful to policymakers in defending potential targets. However, given the vast array of publicly available information, identifying all the information relevant to a potential target and assessing its possible value to terrorist planners is daunting. What is needed is a way to define the kinds of information that would be useful for planning and executing attacks on particular targets.
A RAND Corporation study developed a framework to guide assessments of the availability of such information for planning attacks on the U.S. air, rail, and sea transportation infrastructure and applied the framework in a red-team information-gathering exercise. Working with six plausible attack scenarios—two each in air, rail, and sea transportation infrastructures—and a modified intelligence preparation of the battlefield (ModIPB) framework based on U.S. Army doctrine, red-team members serving as proxies for terrorists were instructed to find information sufficient to complete an operation plan for each of the six scenarios.
Based on the exercise, the study found the following:
Based on these findings, the authors recommend that, to prevent information that includes security details from becoming public, infrastructure owners should review and revise procedures for operational and informational security. This is especially pertinent given that new information becomes public every day, as do new capabilities for searching and fusing information.
The authors also recommend that infrastructure owners consider information that can be obtained from easily accessible public-information sources, such as the Internet, in vulnerability assessments. Given that new information can become publicly available at any time, such vulnerability assessments should be conducted frequently.