"Movie-Plot" Threats: The Danger of Dismissal
Bruce Schneier will soon start his annual "movie-plot threat" contest. I'm one of the people who refused to enter the contest; I've always worried that someone might implement my scenario.
No need for me to worry any longer: Someone just implemented my "movie-threat" plot and successfully carried out the attack. As far as authorities can tell, the perpetrators were drug dealers. They blocked roads all through the town of Monterrey, Mexico, which caused massive traffic jams. At the same time (and it's hard to tell at this point if this was part of the plan or just typical Mexican lawlessness) small groups of armed men attacked various vehicles that were trapped in traffic.
This isn't the first time that an apparent "movie-plot threat" has turned up in real life. If I had entered the contest, I would have proposed as my entry a more violent, higher-casualty version of the Monterrey attack, one with different strategic goals.
The ultimate "movie-plot threat" (MPT) was — of course — the September 11th attacks against the United States. Hijacking airliners? Flying them into two skyscrapers, and the Pentagon, and the White House? No scenario could be more outlandish.
I find the term MPT to be pejorative and dismissive, but it does have potential. In order for the idea of "movie-plot threats" to be useful, we have to find a way to distinguish between realistic and unrealistic attacks. Take the idea of an attack by terrorists on a toddler day care center. Is this an MPT or not? Here in the US I've heard it dismissed as just another MPT; in Israel, bitter experience with Palestinian terrorists forced parents to post armed guards at all day care centers. There is absolutely no question that such attacks are feasible here in the US and would serve the strategic goals of certain terrorist organizations. Does labeling toddler day care center attacks as just another MPT have real meaning? Or does it reflect someone's subjective judgment, or worse, wishful thinking?
The fact that a threat scenario is outlandish, imaginative, new to your locale, or resembles an actual movie is not a reason to dismiss the threat as a mere MPT. Only a proper assessment of the threat will tell you if it's likely to be successful or not, and then you must judge if it's likely to be perpetrated or not.
From the attacker's perspective, possible attacks incorporate several factors: the risk to the attacker (high to low); the damage to the target (low to high, multiplied by the probability of damage); expected political/social/strategic payoffs; the logistical risk; the operational risk; and the tactical risk.
The September 11th attacks had a very high strategic payoff, and therefore the attackers went forward despite the moderate operational and tactical risks. The attackers correctly assessed their opposition and did not allow themselves to be blinded by the MPT nature of the proposed attack. I admit that I do wonder if they misjudged the strategic costs of September 11th — if they failed to understand the difference that a new President (Mr. Bush replacing Mr. Clinton) would make to the US's response.
For any given attack, we can create a cost-benefit analysis to the attacker based on the factors I outlined above. Of course we run a risk: self-assessment remains a difficult task (read Schneier on the difficulties that cryptographers face when they assess their own work), and people easily overlook the weaknesses of systems they design. But is there an objective measurement that puts a threat scenario into the realm of "improbable" or "unrealistic?"
No such objective measure exists, which is my main objection to the idea of "movie-plot threats" (MPT). Take the attack on a day care center here in the US. Certainly such attacks happen in Israel, perpetrated by Moslem extremists; certainly Moslem extremists have attacked the US before; why wouldn't day care centers be a target here in the US? We certainly can't dismiss such a possibility just because such an attack would bring the fury of the US down on the attackers and therefore deter the attack; after all, the Japanese did not understand how the US would respond to the attack on Pearl Harbor.
The strategic payoff of an attack on a day care center would be extremely high; the operational and tactical risks would be very low; the logistical costs negligible. The question then becomes why we don't see such attacks, and I have to wonder if the strategic costs are simply too high — that the attackers believe that a day care center attack will bring certain, furious, and unrelenting retribution from the US. But dismissing such attacks as MPT just because "they have not happened here before" is simply a subjective judgment with a pejorative edge.
Perhaps movie-plot threats can be a useful security tool. From the defender's perspective, movie-plot threats might provide a narrative for brainstorming. For example, most bank managers have considered and defended against ordinary bank robberies; but if they consider a more outlandish MPT, such as a helicopter landing on the roof, the manager might discover a hidden vulnerability to an attacker scaling the roof with a ladder.
The problem of MPT lies in how to constrain the range of possible scenarios — as always, the starting point must be the strategic payoff to the attacker. The other problem — the problem that earns Schneier's ire and notoriety in his blog — occurs when defenders confuse the possible with the probable, and confuse the scenario with the response. If you decide that your bank is vulnerable to a helicopter, don't put anti-aircraft guns on the roof; you'll remain vulnerable to an attack by someone with a grapnel gun and a rope. Defenders should implement defenses not against a specific scenario but against the systemic weaknesses exposed by the scenario. And each weakness must be subject to cost/benefit/probability analysis. After all, any neighborhood bank can be overwhelmed by a platoon of well-armed soldiers, but that does not mean that neighborhood banks must become fortresses.
Dismissing a threat as a "movie-plot threat" because it is similar to a movie-plot or seems outlandish (September 11th) is wrong; instead, dismiss it when the threat poses a low risk. With any luck, we can educate managers to respond to MPTs with reasonable analysis and proper security enhancements; and MPTs might even become a beneficial method to brainstorm security risks.
As for myself, I doubt I will enter Schneier's movie-plot threat contest. After all, one of my scenarios just showed up in the real world, and if I had entered the scenario into a previous contest I probably would wonder (no matter that it would be foolish to do so) if I'd managed to contribute to the plans of the Mexican attackers. What the Mexican attack demonstrates is that attackers can be very clever indeed, vulnerabilities combine in unexpected ways, and we should encourage rather than suppress imagination.