- The Washington Times - Monday, August 4, 2003

If Sean Gorman were a man of ill intent, his project would pose a significant threat to America’s national security.

But Mr. Gorman, 29, is no terrorist. He’s a bright, happy-go-lucky doctoral student with a soul patch. And his dissertation, a detailed mapping of the nation’s information technology infrastructure, could just as easily be a boon to national security, helping government and business pinpoint potential weaknesses in the network.

But as his dissertation nears completion, some have questioned whether academia, with its traditions of openness, is the best realm for a detailed evaluation of the strengths and vulnerabilities of a crucial infrastructure network.

To others, the project is a real-life demonstration that anybody with the will and the knowledge can cull through the reams of data in the public domain and assemble potentially damaging information, and that government and industry need to devise ways to thwart such attacks.

“This guy proves to industry that the threat to their networks is real and imminent,” said Chris Fedde, a senior vice president with SafeNet, a Baltimore firm that provides technology security. “They don’t want to believe it.”

Mr. Gorman acknowledges the initial reaction he receives from many industry professionals when he briefs them on his work is a suggestion that it should be classified.

“There’s kind of a gut reaction that if you’re putting together maps that people can take those maps and do bad things with them,” he said. “I think there’s two schools of thought. One is security through obscurity — if nobody knows about it, it’s not a problem. The other is security through revelation.”

Mr. Gorman and his professors at George Mason University in Fairfax think in the latter, though they have done much to assuage concerns about security breaches. They have met with government and business leaders to explain their project.

They plan on publishing two papers: a dissertation that will be publicly available but withhold key data and a full report that will have sensitive information and only limited circulation.

Brian Roehrkasse, a spokesman for the Department of Homeland Security, said the agency is comfortable that the university will handle the project responsibly.

“We certainly need to find the balance between the interest of academia and homeland security,” he said. “We are pleased that the academic community has taken an interest in homeland-security issues. And it is good to see the university has not published the entirety of the report.”

From Mr. Gorman’s perspective, the project can help policy-makers in government and business determine changes that need to be made to the network.

Mr. Gorman’s team said the overall network is remarkably efficient, especially when you consider that it has been cobbled together by a variety of interests. But that efficiency can also be a problem because the network, of which 85 percent is privately owned, often lacks the necessary redundancies to stay up and running if key nodes are attacked or malfunction.

“From a public policy standpoint, you want to know about those redundancies because it relates to how things can be fixed,” said Roger Stough, a public policy professor at George Mason and one of Mr. Gorman’s advisers.

“The natural economic tendency is not to have redundancy,” he said. “There’s no return on the investment for security.”

Mr. Fedde agreed that industry has been slow to recognize its security needs and often unwilling to spend money on security.

Mr. Gorman’s dissertation “is another hammer to get them to understand, make it very apparent that they’re exposed.”

John McCarthy, who heads up the university’s Critical Infrastructure Protection Project, which has provided some of the funding for Mr. Gorman’s research, said he immediately recognized the potential security concerns when he learned of Mr. Gorman’s dissertation. But he also recognized the project’s value.

“We need to have as many good people as possible looking at the system’s weaknesses, and working to resolve them,” he said.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times is switching its third-party commenting system from Disqus to Spot.IM. You will need to either create an account with Spot.im or if you wish to use your Disqus account look under the Conversation for the link "Have a Disqus Account?". Please read our Comment Policy before commenting.


Click to Read More

Click to Hide