Talk:Lecture 9

From CyberSecurity
Jump to: navigation, search

Altin Dastmalchi, UCB So if i understood correctly from tonights lecture, the CW/RW threat is possible within our boarders. And the rate of clean up is relatively quick. But the question i wonder is why arent citizens and/or the Govt. doing more to ensure our safety if something was to break out. (ie raise awareness)... The second lecturer mentioned that water is a good method because it helps dilute it from your body. Now i want to know how many people in the US would know usefull information like that?

SMM: You occasionally see manuals that the Army puts out on this sort of thing in book stores, but you're right that they hardly push the information at all. Like a lot of this subject, there is a Cold War analog. It turns out that if you do something minimal like dig a hole in the backyard and put a door on top of it, that cuts down the radioactivity pretty dramatically. That's just physics, there's not much doubt it's true. But the last time the government tried to point this out in a big way was during the Reagan Administration. The problem with this pitch -- they called it "with enough shovels -- was two-fold. First "everyone knows" that we will all die in a nuclear war, so everyone translated "with enough shovels" as evidence that Reagan "must be senile." Second, people like to avoid thinking about nuclear war. Saying "the government should do something" does that, saying "we'll all die" does that, but saying "you are the first line of defense" ask people to think which makes them anxious. So what you end up with is physically sensible advice that people would desperately want to know in a nuclear war but will create a huge political backlash if you bring it up in advance.

Remember the satire about DHS's advice that we should stock up on duct tape a few years ago? Same phenomenon.

BTW, there's another version of the "why don't they give us clean up instructions" objection. If there's a contagious disease, the best advice is to stay home -- trying to leave town not only spreads contagion (fine by me if I'm sick!) but raises the risk to the people who are running. So why doesn't the government do lots of public service spots? If they start educating us now, we might believe them. If they give us the advice after an attack, we'll surely believe that they're lying.

Jeff Davis Isn't this the sort of thing that should be taught in Health class in High School?

Yi-Kai - I think there's another reason why people weren't impressed with Reagan's "with enough shovels" plan. Even if you reduce the number of casualties in a full-scale nuclear war, say from 100 million to 50 million, that's still an incredible level of destruction, plus crippled infrastructure and possibly a nuclear winter. Objectively, 50 million dead is much better than 100 million dead; but people don't necessarily feel that way. Instead, they feel that the only solution is to prevent nuclear war at all costs; and if the "with enough shovels" plan causes you to believe that nuclear war is not so bad after all, then it's a dangerous distraction.

But I think civil defense is much more credible for protecting against a terrorist attack, or even a limited nuclear exchange. (Incidentally, this article notes that Switzerland has established civil defense capabilities.)

Marty Lyons, UW A fundamental reason it would be difficult to shield large portions of the U.S. population from the effects of radiological/blast effects is simply one of density. With 3000 miles of land from coast to coast, and a large percentage of the U.S. (everywhere except the northeast) fairly spread out, building large numbers of shelters within easy reach of the population is nearly impossible. Switzerland and the Moscow metro shelters (primarily in the subway system) were workable because the government had useable plans on how to move large numbers of people to shelter quickly. Note that in the Russian far east, Urals, and other "non-Moscow" areas, there was no design for sheltering, for many of the same reasons it would be impractical in the U.S.

Synthetic Biology => Computer Viruses

Chris Fleizach - J. Keasling and others raised the obvious point that a synthetic biological agent is like a computer virus in a way (what isn't compared to computers these days?) In synthetic biology, the goal is to create small building blocks whose function is already known, put them together to achieve a more powerful, deterministic, interaction. Viruses (and all programs) also have small basic building blocks, instructions, that when you combine them together can form very powerful programs. This led me to think about how to protect against synthetic biological agents, which could also be analogous to anti-virus programs. It seems like you can create your own synthetic object that can pattern match a bad DNA sequence (anthrax, smallpox), then when the pattern matches, instruct it to destroy that object. Molecular computing is all about using DNA to match patterns, but mostly to solve computer problems. Surely, these methods can be applied to other fields.

Keasling then raised another point when he said it is possible to fool these DNA synthesis companies if you can re-order your sequences, which sounds a lot like a polymorphic virus in a way (it also sounds like DNA mutation, too). Virus scanners have, for the most part, succeeded in defeating polymorphic code through pattern analysis and other ideas. The advantage, I imagine, in biology, is that you can only change things around so much before they just don't do the same things anymore, perhaps invalidating the original, evil, goal. Whats the timeline on synthetic virus creator and a DNA virus scanner? Well the ebay prices were still too much for me.

Jameel Alsalam People do like making the comparison to computer viruses, huh? I think that there are perhaps some similarities, but also a host of differences that make the computer protection model not a very useful concept. It sounds like synthetic biology will make it possible to construct microbes with novel properties - both malignant and otherwise, but unlike the computer virus world, replication is a major cost. Suppose ten people are exposed to a synthetic virus by attackers, within some larger population (of say, 500,000 people in a city). Like in the case of the postal facility, really proper cleanup would require administering the antidote (if it could be developed quickly enough) to all 500,000 people (since you can probably not easily identify the 5 people who have actually been exposed). This same problem of not being able to identify just the real victims applies to computers, but in the computer world there is neglible cost to replicating the antidote - once it is developed 10 doses is the same as 500,000 (except maybe for the distribution).

Perhaps I am wrong, but another place where the analogy fatally breaks down is in the way a virus-scanning program can react to thousands of patterns. Since synthetic biology still relies on biological systems, the flexibility seems highly dependent upon the structure of the virus. It seems unlikely that you could create a single microbe that could combat thousands of virus definitions, stay dormant within the body watching for infection, etc. This would basically constitute redesigning the human immune system - maybe this is something that will happen eventually, but it seems much further out (politically, technologically, etc) than simply applying a strict engineering processs to the development of new vaccines, etc. --Jameel 11:10, 28 October 2005 (PDT)

--Chris DuPuis 11:59, 28 October 2005 (PDT) The similarity to a computer virus is that it's an attack that can be carried out entirely by a lone operator in his garage, rather than an international terrorist ring. The attacks are (or will become) trivial to implement, but the defenses are expensive, inconvenient (e.g. quarantine for humans, firewalls for computers), and far from perfect in the protection that they offer.

I don't see replication of the attack agent being a major cost, when that's what infectious diseases do.

Jeff Davis I do not look forward to getting a shot everyday to update my virus-scanner to the latest patterns. This sounds more like a job for Nanobots than biologicals.

Marty Lyons, UW The real worry is the asymmetry that someone creating "designer biology" introduces. It's easy to imagine that one motivated individual upon procuring equipment and lab conditions to make one virus, will want to make more (no one said that despite the start-up costs, someone would stop at one). And with the educational requirements for getting into the game (as noted in lecture, a smart undergrad in organic biology/pharmacology) *much* lower than one for producing an explosive (nuclear) or dispersion (aerosol/fluid) device, it offers great bang for the buck.

The asymmetry becomes a major problem when there are hundreds, perhaps thousands, of these virii being introduced into a community. The reverse engineering required to determine how the agent works is potentially massive -- a huge sequencing problem. Perhaps when the entire human DNA has been sequenced we'll have a head start, but the math still works against the defenders. The simplest way to start towards a solution will be to capture a sample of the virus before it has escaped into the wild. This comes back to good police work, and as discussed in last weeks wiki ([1], see Ted Zuvich's comment under "Spreading a highly contagious disease), what happens when you've injected your carriers in a far off country, and loaded them on airplanes as "biological bullets"?

Asad Jawahar Although computer virues and synthetic biological agents are similar in a lot of ways, I think the "human factor" makes putting up defences against biological agents very differnt and a lot harder. For example it is not as easy to quarantine a whole bunch of infected people as it is to disconnect a bunch of computers from the network -- simply put human beings are not machines. Also when talking about human beings we need to think about long term side effects. You may fix one problem with an antidote but how can you be sure that you are not creating others or may be even worse problems. On top of this our medical/drug-admin system and rules and regulations arent exactly prepare for this situation. Even if you came up with an antidote you would you probably need an approval from FDA which could be a very long process. All this makes the reaction time to a biological agent attack a lot slower as compared to the reaction time to computer worms and viruses. Given this and the fact that synthetic biology is becoming more accessible makes it a very scarey situation for us (and attractive to terrorists).

Manish Mittal Another thing that differentiates computer viruses is that people that do this kind of thing are rather sloppy, they're not very good at covering their tracks (and get caught easily) The potential for danger in this new technology really depends on how effective the emerging techniques will be in actually creating viable biomachines like artificial viruses.The danger in biosynthesized systems stems from the ability of biological processes to easily support self-replication. Some observers believe that self-replication itself should be strictly banned as the only way to fend off the threat of some engineered molecular system running rampant. But such a restriction would take away much of the power of synthetic biology.

Uranium for sale

Chris Fleizach - Christine L. Hartmann-Siantar, in her talk, brought up the story of a Turkish citizen, stopped at the Bulgarian border in 1999, with possession of a small vial of enriched uranium. It seemed she felt more secure because old-fashioned police work had managed to apprehend the criminal where newer detection devices would probably have failed. What I think is more frightening is that a nervous man was willing to offer a $10,000USD bribe in a vain attempt to get away. If bumbling, part-time smugglers are able to obtain enriched uranium, then certainly there are professionals who are into the game and moving much larger quantities of the materials. The fact that this man was stopped was due only to luck and his own incompetence. The number of other cases that have gone undetected must be larger by an order of several magnitudes. Which points to the ever greater need for automatic devices which can detect nuclear material. The past few lectures have all driven home the point that nuclear weapons, more so than radiological, biological and chemical, pose the greatest threat of all. Unfortunately, as it was also pointed out, it is quite difficult to build such a machine, which means the government needs to step in with a large infusion of cash. Has anyone mentioned the budget used for research into detection yet?

Dennis Galvin 19:24, 31 October 2005 (PST) It seems that good powers of observation by border agents can do a lot to defuse many potential threats. I recall vividly an NPR interview with the customs agent who intercepted Ahmed Ressam (aka the Millenium Bomber) [2]]. She noticed he was nervous and edgy getting off the car ferry from Victoria to Port Angeles with a 100 plus pound highly explosive bomb in the spare tire well of his car. If Ressam had been a little more cool and collected, he would have likely escaped her notice completely, and Ressam would have proceded to his destination with the bomb.

I spotted the 2006 budget press release at DHS ( "The budget includes the establishment of the Domestic Nuclear Detection Office (DNDO). The DNDO will develop, acquire and support the deployment and improvement of a domestic system to detect and report attempts to import, assemble, or transport a nuclear explosive device, fissile material or radiological material intended for illicit use." The document also mentions a $125M line item for Radiation Portal Monitors and a pilot for the next generation RPM's.

Mark Ihimoyan I certainly find it very refreshing to read from the link mentioned above that the government is taking steps and making effort to address possible nuclear threats by the deployment of these detection systems. I begin to wonder though on how effective these systems would be. If a terrorist organization realized that this systems are being deployed and a DNDO office is set up, I will suppose that this will give them time in advance to begin to investigate other means to achieve their aim.

A nonproliferation treaty for synthetic biology?

Yi-Kai - As was pointed out last night, synthetic biology is a tool with great promise and great dangers. So I wonder if governments and corporations that want this tool would be willing to make a bargain: agree not to pursue harmful work (such as bioweapons), and in return, receive assistance in using synthetic biology for therapeutic purposes (such as pharmaceuticals). This is the same basic idea that underlies the Nuclear Nonproliferation Treaty. Furthermore, anyone who agrees to this deal would have to undergo intrusive inspections, done by an international agency similar to the IAEA.

There are some problems with this approach. First, it's not clear that the Nuclear Nonproliferation Treaty really works that well. Nations that want nukes simply don't sign the treaty. Second, for synthetic biology, it's harder to verify compliance with a treaty. Unlike nuclear energy, synthetic biology doesn't require a large industrial base, and it's harder to distinguish between "good" and "bad" uses. So an international monitoring agency may not be enough; we may need to rely on governments to keep watch of what goes on inside their borders. We may end up cooperating with other countries to help them comply with the treaty.

Keunwoo Lee 14:07, 28 October 2005 (PDT): From this lecture, I concluded that it is inevitable that the tools of biological research (including weapons research) will, in the near future, be roughly as cheap and as widely-available as personal computers are today. It seems to me that treaties like the NPT are irrelevant when it comes to activities for which the prerequisites are that cheap and widely available. States and corporations may cooperate, but that doesn't do anything about the gang of biohackers in a garage. And, as an earlier lecture pointed out, the least deterrable actors are the most dangerous when it comes to the use of mass-casualty weapons.

Yi-Kai - I don't think it's inevitable that tools for biological research will be as widely available as personal computers. For instance, many countries do not allow their citizens to have guns, and they place restrictions on drugs and alcohol. These laws aren't 100% effective, but that doesn't mean they are worthless.

Maybe the goal of a nonproliferation treaty should be to create incentives for governments to regulate the use of synthetic biology. Even if we cannot prevent terrorists from acquiring these tools, we can increase our chances of detecting them.

--Gorchard 21:41, 29 October 2005 (PDT): Dr. Rob Carlson of UW seems to be against the idea of government regulation (J. Keasling mentioned Rob Carlson's web site in his lecture.) I came across an essay by Dr. Carlson in which he discusses foreign policy as it relates to synthetic biology. I found it interesting that one of Dr. Carlson's concerns is that a research group/company's fear of not being able to obtain insurance coverage due to technologies they are working on will slow the rate of scientific progress in this area. Insurance needs will also most likely start having a sizeable impact on software companies' development rates too. If a company is not meeting certain security requirements, they may not qualify for 'malpractice' insurance when a security flaw in their product results in losses to a customer.

Another interesting site i discovered, also from a link on Dr. Carlson's web site, is a page dedicated to DNA hacking! Among other things, this page lists do-it-yourself techniques for things like extracting DNA from a pea using household chemicals, and suppliers of molecular biology equipment.


SMM: One of the things that Dr. Raber said was that NBC and ABC brought in a hazmat team and re-opened for business at fairly minimal cost (~ several $100K?) while EPA and the Feds spent several hundred million cleaning Post Offices and Senate office buildings. Some of this might be driven by building size, but that isn't likely to explain differences that are several orders of magnitude. Dr. Raber also mentioned an EPA argument that maybe NBC and ABC got lucky that there was none of their employees got sick afterward. I wonder. NBC and ABC aren't stupid. They may have told employees to come back to work, but they surely consulted experts before deciding how much decontanmination was enough.

To me, the moral is that federal spending is driven 1) by the fact that EPA does not pay from its own pocket the way NBC/ABC do, and 2) by the idea that we have to achieve something like zero risk, even if that means pushing the risk from a failed cleanup far below the risk of, say, crossing the street. If you buy the idea that the amounts spent on clean up were pathological, then we are paying for our own reluctance to have a sensible discussion about bioweapons (or radiation, or drugs, or chemicals in food) in this country. Zero risk makes no sense, you can't achieve it -- but you can sure waste lots and lots of money pretending that you can.

Finally, a silver lining. It is clearly not true that remediation damages from a large scale bioweapons attack will look anything like ($200m) x (Large Number of Office Buildings). We pay for avoidance when it's affordable, but when you get to the famous scenario about shutting down downtown Boston then NBC and ABC and the rest of corporate America will force the discussion that EPA so cheerfully ducked the last time around.

Dennis Galvin 16:40, 31 October 2005 (PST) Well I think in this case NBC and ABC did gamble a bit, and it did pay off with nobody else coming down with anthrax. The talk we did not see on the 26th (Stephen Maurer "Nuclear Fear") deals with what is the value of a human life at various federal agencies. What is a reasonable risk here for ABC/NBC to take? There was likely a tremendous drive to be "open for business ASAP." One impacting factor for the difference in cleanup cost is that a USPS mail processing facility is generally a much dustier, cavernous, and more industrial environment than a typical office building. That still does not even come close to explaining the three-order of magnitude difference in cleanup cost. I put the question to a private industry Industrial Hygienist who has overseen and participated in hazmat interventions -- he said "off the top of my head, and off the record" the amounts for the post office was "probably at least 10 times too high." In the case of the ABC building, the only area of the building sampling positive for anthrax spores was the second floor mailroom, so perhaps a very small area was decontaminated and the air handling ducts and equipment cleaned.

Jameel Alsalam My understanding of why the postal facility cleanup was orders of magnitude higher than ABC/NBC was because they undertook a fundamentally different type of cleanup. While NBC/ABC had hazmat teams essentially spray everything down with bleach (surface cleaning), the EPA decided to use a gaseous cleaning of the postal facility. I imagine the hazmat/bleach system just involving a bunch of guys in suits with sprayers (and maybe something else to clean up the bleach). The gaseous cleaning involves building an enormous production on-site to produce, deliver, and dispose of the gas - a major construction project in itself, let alone the fact that you are trying to conduct the entire project in a lab-sanitation manner. The advantage of the gas method is that the cleaning agent gets into every crevice and crack, including inside the walls, air systems, etc. Surface cleanings will probably only cover the areas that humans can get to easily. So the difference in cost was a choice (although inefficiency may have accounted for a factor of 2, say...).

It is hard for me to get my head around how the government should consider cost - Maurer is right that right now it seems like zero risk is the only amount of risk that people are willing to have the government officially assume in relation to terrorism. This dovetails perfectly with the way the U.S. government has avoided spending on civil defense, which would definitely reduce the damage in the worst case scenario, but contradicts the notion the nuclear deterrence and pre-emptive war are the answers to creating zero risk. It is probably impossible to try to compare the risks incurred by everyday activities, such as driving a car, side effects from medications, etc with risks in which terrorism and the government are implicated, such as airport security, anthrax cleanup, or nuclear material detection - if only because the earlier ones are individual choices and the latter are of necessity chosen by the government (which is responsible to ensure our protection in those areas) and apply to everyone. --Jameel 18:48, 31 October 2005 (PST)

Marty Lyons, UW To Steve's point (above) -- I'd make the observation that part of the reason there was a massive cost in cleanup of federal buildings is the "big project" view versus the "profit view" of the private sector. The federal government through DARPA and NSF spent a relatively small amount of money in the early days of ARPAnet development, but the funds were expended over a long period of time. Eventually we got a set of technologies (high speed routing, packet architectures, etc) that needed a long time to come to fruition. No one would argue that this type of long-term fundamental research was a bad idea, especially in hingsight.

But the government never funded the actual construction of the "net". In the early days funds were doled out to help connect non-profits to the still ARPAnet, but as we all went through the transition to "acceptable use" and then to "open connections" government got out of the way. And that's when things REALLY started happening online, since lots of smart motivated people were let loose to build creative applications, and for the first time MAKE MONEY.

No one in D.C. was going to make any more money by getting federal buildings cleaned up fast. National TV production studios are motivated by possibly losing viewers, and therefore revenue. I'm sure people in D.C. will stand up and say their buildings were cleaned up "right". And that might be true, but I'd bet if those identical buildings were owned by General Motors to build automobiles, they'd have been opened up a lot faster with the same level of human-readiness.

Trevor Thanh Nguyen Prof. Maurer, you did bring up the interesting fact and reasons why ABC/NBC studios opened immediately after supposedly "quick" decontaminations. One possibility I want to share is that their quick actions could have been serious messages of not being terrorized to the sender of the anthrax and "instiller of terror." In the earlier lectures on terrorism, the main physical act of terror only has profound impacts if its subjects/victims were left stunned, incapacitated, defeated and withering in terror. Perhaps ABC/NBC's quick rebound shows their unwillingness to be victimized. Even though the studios may have gambled in opening early, the financial cost of their gambling (i.e. paying for liability damages if someone died immediately after the reopening) could have been much less than the priceless social cost of sending their messages indicating strenth and resistance. In essence, they had more to gain socially and publicly by reopening quickly and standing tall. Shouldn't that be any terrorized victim's message to their terrorists?

Lecture 9: Thoughts & Questions

Ms. Siantar, does the Materials Protection Control & Acct. regime that is in place in the former USSR also cover chemical and biological weapons or does it strictly cover materials concerning nuclear devices?

Ms. Siantar, with respect to RDDs, you mentioned that the US focuses on prevention while Canada focuses on response, do you favor one of those focuses over another, if so, why? Also, is there much interaction between the US and Canada, are they working together on the same issue but each covering a different aspect in a coordinated fashion?

Dr. Raber, do we know how the anthrax escaped from Sverdlovsk?

Why wasn't Aum Shin. shut down after its attempt to release anthrax? Was round up of the organization carried out? Did the Jap. authorities focus intelligence operations against the organization after the attempt or not? If not, were there certain laws and policies that Aum Shin. sought refuge behind?

What type of chem agent was used in the Chechen theater situation by the Russian authorities?

How much of a concern are people fleeing the scene for authorities after a chem or bio attack? For instance, after the Tokyo subway attack did the authorities fear that those leaving might infect or subject others to danger and, if so, how did they deal with that? Is it likely that persons caught up in such attack would be quarantined for a period before being allowed to flee a scene?

I realize that the EPA was in charge of the clean up of the postal centers in NJ and DC but the $200 million figure seems absurd, especially when compared to the clean up experiences of ABC and NBC. Did the government have to deal with any special liability concerns -- ones that may have ended up adding to the cost and contributing to its elevation?

How much do liability concerns play into determining when a clearance phase is complete? Are persons making decisions pertaining to clearance worried about irrational public fears leading to lawsuits or not really?

Professor Keasling, I thought I over heard you discussing slides you had prepared but did not have the opportunity to submit in time for Wed's lecture, if that was the case, could you please make them available now?

Professor Keasling, I understand that Pres. Nixon's 1969 executive order ended chem and bio weapons research and maintenance in the US. Does synthetic bio allow the defense establishment away around that ban or not -- that is, can the DOD effectively engage in research re: synthetic bio and not violate the order?

A fellow classmate suggested that a nonproliferation treaty-type model might be employed to the synthetic bio situation. I would suggest a regime like that used for advanced missile technology -- the Missile Technology Control Regime (MTCR). It places limits on exporting tech know how and tech relating to advanced missile systems -- it seems to be more effective than the non-proliferation treaty -- thought it too has its problems.

Research and Development

Marty Lyons, UW -- 1 November 2005

In Christine Siantar's lecture, Mike Carter from DHS (on Page 8) is referenced as saying "a vigorous R&D program is essential". Yet all the indications thusfar in the academic community indicate that fundamental R&D has fallen in disfavor, replaced by a concern for immediate tactical level solutions. Meanwhile, in the same presentation (Page 18), there is a list of false alarm causing substances including kitty litter at 34%. How are we to solve this dichotomy of numbers when the departments mandated with solving the "kitty litter problem" are failing to fund long-term hard science?

FYI:Student Project Web Page

Avichal 10:58, 2 November 2005 (PST) FYI I have setup a page White_Paper_Projects which lists all suggested project topics and people can add their names to topic(s) of their intereset. This could facilitate team formation for the project. I am putting the notice here since most people read the latest discussion thread