Politech mailing list archives

FC: "Project Matrix" seeks to map federal vulnerabilities, from WSJ


From: Declan McCullagh <declan () well com>
Date: Fri, 08 Jun 2001 10:08:38 -0400


*********

From: "Bridis, Ted" <Ted.Bridis () dowjones com>
To: "'declan () well com'" <declan () well com>
Subject: Project "Matrix"
Date: Fri, 8 Jun 2001 10:03:46 -0400

http://interactive.wsj.com/articles/SB991951198507643529.htm

Obscure Team Scans Systems
To See Where Enemy May Hit

By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL

WASHINGTON -- Once upon a time, the nation's military airfields, missile
silos and radio towers were its Achilles' heel. In today's increasingly
computerized world, the key vulnerability is likely to be an unlocked
computer server, a software bug or a network password too easy to guess.

The U.S. government has an excellent sense of where its old-style
vulnerabilities lie -- yet hardly any idea what today's weaknesses are. Now,
a small team of experts is out to fix that with an effort called Project
Matrix.

The eclectic, low-profile researchers -- among them, a college physics
professor, a nuclear engineer and a veteran of the federal government's Y2K
preparations -- are working in near-obscurity at the Commerce Department.
The team is trying to map the government's electronic underbelly to identify
the systems and services whose failure or disruption by a hacker or foreign
enemy could cripple the U.S. military or economy or threaten public health,
and to determine how those systems are linked with, or "cascade" upon,
others.


"We put ourselves in the shoes of our enemy. What part of a nation's
infrastructure would bring about cascades?" says team member John Tritak,
who heads the office from which Matrix is run, the Commerce Department's
Critical Infrastructure Assurance Office.

In the past decade, government and civilian computer networks were expanded
with little planning or even documentation. "We didn't understand what kind
of house of cards we were building," warns Glenn R. Price, who heads Project
Matrix. For instance, a crucial weather-forecasting system in a guarded
concrete bunker may depend on information from computers hundreds of miles
away that aren't as protected. A failure there could cause unanticipated
ripples of disruption that cascade across many networks.

Mr. Price, on temporary assignment from the secretary of defense, and Mr.
Tritak, formerly a State Department analyst and high-paid Washington lawyer,
work in musty, sixth-floor offices at Commerce Department headquarters. Much
of the Matrix work is done in the building's largely abandoned basement
mezzanine; employees joke about mushrooms growing on the carpets.

But the real work goes on outside that building -- sometimes using
distinctly low-tech methods. When the Matrix team traveled to south Florida
to trace the intricate systems of the National Hurricane Center, they spent
more than two days at a round oak table in a conference room with top
technology experts from the weather service.

Their tools of choice: butcher-block paper and felt-tip markers. The
computer specialists scrawled out as much detail as they could remember
about their systems; some pulled charts and diagrams off their office walls
and carried them into the meetings to jog their memories.

"We take the chain as far as we can until it doesn't make sense to take it
any further," says Matrix researcher Patricia Burt, who taught physics at
the U.S. Naval Academy. "Then we start looking at other chains."

When they finished, they had produced a chart three feet high and five feet
long that for the first time mapped how information flows across private and
government systems before it reaches hurricane forecasters, who depend on
such data to decide whether to evacuate coastlines. One Matrix researcher,
Hilary Lombardo, describes this as pulling on a virtual thread to see what
unravels.

"There were a few elements we weren't familiar with, sort of outside the
weather service and outside the government linkages," says Edward Rappaport,
former head of the hurricane center's technical-support branch. "They took
it three steps beyond when it enters our field of view."

When the Matrix work is done, Mr. Price imagines advisers one day presenting
the president with an elaborate digital map of the nation's most important
computer networks predicting how a single failure could affect other systems
down the line.

Skeptics say the enormity of the task undermines its odds for success. "The
federal government is connected to the state and local governments, the IRS
is connected to everybody else in the banking system, [and] then you connect
to the electrical utilities. All those are connected to the telephone
system," says Paul Strassmann, who has been a top information officer at the
Pentagon and several big corporations. "It's a fair estimate that 30 million
to 50 million computers are involved. Even assuming the mapping would be
feasible, and it's not, then it would take so long and conditions would
change that it would move away from you," he says.

The Matrix team says it is concentrating initially on the most essential
federal systems. So far, researchers have looked at more than 4,000 systems
across 10 U.S. agencies, including the network used by the Treasury
Department to track the money supply, the Social Security Administration's
setup to send checks and satellites used by the Coast Guard to detect
signals from distressed ships. In a sign of the sometimes surprising
interrelationships of these systems, parts of this satellite network also
are used by the government to covertly track both radioactive materials and
federal VIPs around the world.

But the team, launched under the Clinton administration, deemed only 50 of
the networks it studied to be so critical that they deserve full Matrix-type
scrutiny. "What's the alternative?" says Mr. Tritak of the Matrix skeptics.
"Throw your hands up and not do it at all?"

Though the Bush administration has yet to formally endorse the effort, it is
expected soon to urge the largest U.S. agencies to cooperate with Matrix
researchers. Administration officials plan to meet later this month to
discuss how to keep the Matrix findings secret, since they will, in effect,
amount to a detailed, "how-to" guide to bringing down the government.

The Commerce Department's Critical Infrastructure Assurance Office budget is
tiny, at $4.8 million last year, and Matrix got only part of that, giving it
just five full-time staffers. The Bush administration has proposed spending
$5 million this year on the CIAO, with about $500,000 of that going to
Matrix if the project is endorsed.

Write to Ted Bridis at ted.bridis () wsj com




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

