Public Information Signatures for Critical Targets

"Geospatial intelligence" is the security neologism for satellite imagery, topographical surveys, environmental data, and other similar geographical information that traditionally has been of critical military value. Today, much of this information (including private-sector high-resolution satellite imagery) is conveniently available to the public through the web.

RAND, under contract with the National Geospatial-Intelligence Agency, produced a study examining the extent to which publicly-available geospatial intelligence is likely to provide both "useful" and "unique" information for the planning of terrorist attacks. The notion was to produce a decisionmaking model which government officials could use to decide what government information to release and what to withhold.

Their conclusions are interesting, and perhaps somewhat surprising. RAND discovered that "very few of the publicly accessible federal geospatial sources appear useful to meeting a potential attacker’s information needs," and that "most publicly accessible federal geospatial information is unlikely to provide significant (i.e., useful and unique) information for satisfying attackers’ information needs." However, this comes with a significant caveat:

In many cases, diverse alternative geospatial and nongeospatial information sources exist for meeting the information needs of potential attackers. In our sampling of more than 300 publicly available nonfederal geospatial information alternative sources, we found that the same, similar, or more useful geospatial information on U.S. critical sites is available from a diverse set of nonfederal sources. These sources include industry and commercial businesses, academic institutions, NGOs, state and local governments, international sources, and even private citizens who publish relevant materials on the World Wide Web. Some geospatial data and information that these nonfederal sources distribute are derived from federal sources that are publicly accessible. Similarly, these nonfederal organizations are increasingly becoming sources of geospatial data and information for various federal agencies. . . . In addition, relevant information is often obtainable via direct access or direct observation of the U.S. critical site.

It is likely a surprise to no one that a great deal of information resides in open/gray sources that would be useful to planning attacks on major critical infrastructure sites. (Witness, for instance, the recent debate over the publication of the "milk terrorism" study prepared by Stanford's Lawrence Wein and Yifan Liu.) The question has always been what, if anything, can realistically be done about it.

Certainly it would be impracticable to deny potential attackers access to all "useful" information about a target site (though the Soviets, in their day, tried classifying virtually all maps). But it does not automatically follow that all information denial efforts would be fruitless; at a minimum, a thoughtful information denial plan may lower the target site's vulnerability profile or at least channelize the likely avenues of attack.

In light of all this, it may be worthwhile for critical site operators to consider performing a systematic assessment of the site's "public information signature." This would not necessarily require the commitment of significant resources, but would shed some light on the question of whether some kind of information denial plan would yield any appreciable security benefits.