Pacific Connection(英語)

Digging out and Digging in: American Business and the September 11th Attack

The week after the terrorist hijacking, I received an e-mail from my translator, Hiroshi Iwatani, arguing that a conventional American war would do more harm than good. "Terrorists mode of whereabouts resembles those of the network," he wrote. "Destroying one specific site or one specific person will not bring the intended effect."

I got to thinking about that notion: that terrorists, as well as other guerilla movements, resemble the Internet, itself. Both are decentralized, with semi-autonomous operating units---which make their destruction difficult. Builders of the Internet said they designed the architecture to withstand a nuclear blast. Al Qaeda, the terrorist organization the U.S. holds responsible for the mass destruction in New York and Washington, appears to have taken a similar approach---putting operatives in multiple countries and giving them some autonomy. America and its allies are fighting a foe that has used the benefits of distributed intelligence, of decentralization, for vile ends.

The strength of a Net structure, for better and worse, is that it's hard to kill. Conversely, the centralization of the World Trade Center and the Pentagon made them visible monuments to America's financial and military powers. Like the victim of a severed limb, New Yorkers, and to some extent, the rest of us, keep looking with disbelief at the altered skyline.

From an IT perspective, the legacy of the attack is one of re-evaluating centralization versus decentralization. Do we amass computer facilities and IT professionals in one place? Or do we distribute them geographically? Telecommuting and remote conferencing have never taken off in this country, but perhaps that will change. "The Sept. 11 tragedy will accelerate a profound trend already well under way from centralized technologies to distributed ones and from the real world to the virtual world...." said AI researcher Ray Kurzweil, in a New York Times roundtable discussion. "In the immediate aftermath of this crisis, we already see a dramatic movement away from meetings and conferences in the real world to those in the virtual world, including Web- based meetings, Internet-based videoconferencing and other examples of virtual communication."

Do we rely on cell phones for emergency communications or on wireless Internet, which, at least in New York, proved more reliable. And what about security versus privacy? We Americans have always worried about George Orwell's Big Brother, which in technology terms, amounts to a central database. Do we give up some of our civil liberties by carrying citizen identity cards, each with a number keyed to a database record? Do we place more cameras in public places that can identify people by facial characteristics, in hopes of arresting a terrorist? Americans are reconsidering.

Tales from ground zero

True to its name, the World Trade Center housed companies and people from around the world. The 6,000-plus lives lost, including fire fighters, office workers, people sipping coffee on a clear morning, as well as the passengers on four flights all bound for California, are the lasting tragedy, what is mourned and remembered.

"It's impossible to overestimate the carnage on Wall Street," wrote Shawn Tully in Fortune magazine. "Of the nearly 5,000 dead or missing, some 2,000 worked for financial firms, meaning that one Wall Street worker in 100 has been lost. More than 15 million square feet of office space was either obliterated or badly damaged, equivalent to the entire downtowns of Atlanta or Miami. Early estimates suggest that anywhere between $2 billion and $5 billion worth of telecom and computer equipment was destroyed."

The technical sector also suffered, with most on the hijacked flights that took off from Boston, a U.S. technology center. The best known was Daniel Lewin, Akamai's co-founder and technical officer. Sun lost Phil Rosenzwieg, who directed the company's software organization. Other companies losing personnel include Cisco, Oracle, Applied Materials, Compaq, and Netregrity.

At ground zero, where all the buildings of the World Trade Center collapsed, companies were shaken but unbroken. In part, that's because few were actually headquartered at the World Trade Center. Sun Microsystems, for example, began leasing two floors in 1999. All 340 of its employees escaped without harm. The same was true of Asahi Bank's 94 employees, The hardest hit: Cantor Fitzgerald Securities, the largest broker of U.S. Treasury bonds, which lost about 700 of its 1000 employees, including the president and CEO, Frederick Varacchi and several other members of management, as well as many security traders. And yet, Cantor was back trading bonds just two days later, working out of its offices in nearby Connecticut.

The investment firm Morgan Stanley had some 3,700 employees who worked in the complex, losing less than 40. (The company called it "a near miracle.") Two days later, Chairman and CEO Philip J. Purcell announced the firm was ready to serve all of its clients in financial markets all around the world. Morgan Stanley relocated offices to nearby New Jersey and Brooklyn and said that all of its systems were intact and operational, and went on to pledge $10 million to a victims relief fund.

The Wall Street Journal, America's leading financial newspaper, continued to publish, even though it was headquarted adjacent to the World Trade Center. And remarkably, the New York Stock Exchange reopened the following Monday, ringing the opening bell at 9:30 in the morning, as it has done for the last 209 years.

For larger companies, in particular, the tragedy demonstrated the value of preparation. "This incident showed that a lot of big companies backed up their data and had contingency plans," said Linda Clark, managing director of the Association of Information Technology Professionals. "But it also demonstrated that no matter how well you write the plans, you can't plan for everything."

Morgan Stanley analyst Charles Philips noted that large companies had already amassed disaster recovery plans, as well as hot data backups that could be switched in with minimal interruption. Smaller firms were less prepared, but needed less effort to get back to business. For most businesses in the World Trade Center complex, the biggest IT problem was not data recovery but where to go back to work.

Falling rubble damaged the busy central office of Verizon, the largest telephone company on the East Coast, disrupting more than 300,000 telephone lines. The event showed how vulnerable voice communications can be, especially in large population centers. "The ideas we previously had about diversifying our networks have become much more important," said Lawrence T. Babbio Jr., Verizon's vice chairman, in a Wall Street Journal interview. Diversifying means distributing switching, reducing decentralization, making the conventional voice more like the Internet. But Babbio said that it would take five years to build alternative routes for the lower Manhattan region and would be prohibitively expensive. The alternative: better security for the central location.

A test of recovery efforts

The disaster became a test for services personnel from both hardware and software vendors. IBM, which has grown global services into a $33 billion business, began fielding calls just 22 minutes after the first hijacked plane struck. The company made available its 175,000 square foot facility in nearby New Jersey as a temporary corporate location for its customers.

Dell Computer responded to customer requests by trucking in 5,000 computers, promising delivery within 24 hours. One law firm didn't wait: it dispatched its own carrier half way across the country to Dell's Austin, Texas headquarters to pick up 400 computers and printers.

Crisis teams at Hewlett-Packard used its customer relationship management software to determine which of its customers were in the destroyed buildings and what equipment those customers owned. CRM applications are typically used to personalize service and make additional sales, but proved invaluable in emergency conditions.

Novell created a technical team of volunteers to contact more than 200 of its customers. "We explained to the Red Cross that we weren't doctors or firemen, but we wanted to help and felt that our technical skills could be of some assistance in helping business recover in the coming days, weeks and months," said Laurie Teal, president of IT Systems and Consulting, and a member of Novell Users International, in a press statement.

Teal's team of 26 people, including employees from Novell and her own company, helped the New York City Department of Health, rounding up volunteers and entering damaged buildings and removing equipment. "We obtained masks for protection from the dust and---because of the power outages in both buildings---we used flashlights to navigate through the darkened hallways and stairwells," Teal said. "Our main goal was to get the equipment off the sixth and twelfth floor computer rooms. Once we were given the 'go ahead' the team scaled six flights in the dark to get to the computer rooms where the servers were located. Other team members also retrieved a large file server from the 12th floor. Once all the equipment was recovered, it was loaded into vans and taken back uptown to the new location. Our volunteers work to reconnect the equipment and get it up and running." Recovery efforts included Novell volunteers helping the U.S. Census Bureau get a copy of its eDirectory database and assisting the Federal Emergency Management Agency (FEMA) with setting up a server and eDirectory trees for its command center.

Lessons learnedAnother company heavily involved with recovery efforts was Comdisco, which operates 45 disaster recovery centers around the globe. In total, the company had 46 customers make 92 disaster declarations and has utilized 13 of its 45 recovery centers. (Comdisco also had to recover 2500 seats at its own workplace recovery facilities in New York and New Jersey.) The chief customer request: work spaces equipped with PCs and telephones, as well as a variety of server platforms and even mainframes: including Sun, Hewlett-Packard, Tandem, Compaq/Digital, RS-6000, AS/400, Intel servers and mainframes.

Among the lessons learned:

  • Make sure employees know where they are to gather in an emergency. One Comdisco customer, a financial services organization, went person to person to employees houses to verify their status. (All 600 survived.)
  • Executives should carry emergency management procedures at all times, even when traveling. This information need not be long, but should describe the company recovery teams and their responsibilities.
  • Maintain a list of critical applications, and their recovery times. That will give the company as a whole an idea of when information technologies will return to normal.
  • Maintain land lines. Mobile phones have long been considered a backup to land lines for emergency use. But in the disaster, mobile phone circuits in New York were immediately overloaded. In New York, wireless e-mail also proved a good alternative to mobile phones. In some cases, Blackberry's got through where cell phones didn't. Security versus privacy

The attack has altered the continuing debate in this country over technology and privacy---how much power do we give to the former and give up of the latter. Some U.S. law enforcement agencies, for example, have experimented with biometrics technologies, which identify individuals by analyzing their physical characteristics. The most controversial is facial biometrics---in which a combination of video cameras, software technology, analysis software and a database are used to identify people on the street.

Last January at the Superbowl football game---one of America's most widely watched sporting events---in Tampa, Florida images of the fans and workers were digitized, then checked against a database of known criminals, terrorists and con artists amassed by the local police, the Federal Bureau of Investigation, and other law enforcement agencies. Critics were not amused, labeling the event "Snooperbowl."

But with the terrorist hijackings, biometrics has gained new interest, the argument being that some emergencies justify giving up some degree of freedom. "Terror is not faceless," said Dr. Joseph J. Atick, chairman and CEO of Visionics Corporation, one of the largest biometrics companies. The company proposed a framework in the use of face recognition technology for airport security, including general crowd surveillance using hundreds of cameras, instant terrorist background checks on boarding passengers, employee screening, and a centralizing of database information across international borders and agency jurisdictions.

Another technology getting a second look is the Federal Bureau of Investigation's e-mail system widely known as Carnivore, and recently named more benignly, DCS1000. The FBI says that the DCS1000 device "works much like commercial 'sniffers' and other network diagnostic tools used by ISPs every day, except that it provides the FBI with the unique ability to distinguish between communications which may be lawfully intercepted and those which may not....Carnivore serves to limit the messages viewable by human eyes to those that are strictly included within the court order. ISP knowledge and assistance, as directed by court order, is required to install the device."

Encryption is also getting a second look. While nobody has proven the hijackers used encrypted e-mail, the technology is easy to obtain and hard to crack. The Clinton administration argued without success that encryption products sold in the U.S. contain a "back-door" entry for law enforcement personnel. But others have pointed out that the U.S. is hardly the sole source of this technology ant that other countries would be happy to supply it.

A personal note

Like you, most Americans watched this tragedy unfold on television. On the morning of September 11th, I had brought up a small TV from my office to stand in for our Sony, whose power supply had gone out the night before. I plugged in the cable and turned it on. The picture was of an airline crash in Pennsylvania. The announcer was saying something about a hijacking. American news programs sometimes put additional information as running text at the bottom of the screen. I started reading. Two planes crashed into World Trade Center. The towers have collapsed. Another plane had hit the Pentagon. Disbelieving my own eyes, I flipped the channel. The news was the same.

The World Trade Center was hit because it was a monument---to free enterprise, capitalism, or freedom, or perhaps to American hubris and disproportionate power, or, as some suggest, to the modern world itself. Take your pick. The novelist Haruki Murakami thinks it's a war between two mindsets---closed and open. The first believes that a single belief system---be it Islam or Christianity, Aum Shinrikyo or white supremacy---provides all the answers. The second mindset is a willingness to live with ambiguity. A closed "circuit" mentality does not necessarily lead to terrorism, but has been the source of much of it, to date.

Terrorism operates in the shadows. Like the Internet, it is robust because it's distributed, and these days, is mostly anonymous---like the anonymous envelopes of anthrax powder sent across the U.S.

A monument is built to be seen. It stands out, but is vulnerable. And so, cities, those monuments to civilization, are vulnerable. Cities are places with the critical mass of people needed to produce civilization's institutions: museums, galleries, newspapers, universities---of course---but also, as the late William H. Whyte noted, the theater of the sidewalk, plaza and city park. "What attracts people most," he wrote, "are other people."

I don't want to play down the accomplishments of the Net. It has created a global village, a distributed, virtual civilization. But the distributed intelligence of the Net has augmented, not replaced, the concentrated intelligence of cities and their institutions. Their mass of humanity makes city life exasperating and exhilarating---both emotions sometimes experienced at once. That is what binds cities around the world together. A New Yorker walking the streets of Tokyo might not be able to read the signs, but he would understand the language of the streets. Concentrated humanity is the obvious terrorist target, and fear is the aftermath: fear of crowds, cities, flying and foreign faces.

It would be all too easy to retire full-time to the seeming safety of the Internet. It might feel safer to stay home. But if we, the citizens of the world, do that, the bad guys will have won.

Harry Hochheiser:
Computer Professionals for Social Responsibility

Harry Hochheiser is a member of the board of directors for the Computer Professionals for Social Responsibility, which considers the impact of computer technology on society. After the attack, he wrote the organization's response. ("> Hochheiser is working on a Ph.D. in computer science at the University of Maryland, and has done development work at AT&T, Tufts University Medical School and elsewhere.

Does America need to trade privacy for security?

I don't think anybody actually knows what that kind of tradeoff means. It's easy to say yes: if we take certain steps, then in theory we make certain kinds of attacks harder to accomplish. However, there is a universe of possible damage people can commit, countered by our relatively small ability to increase wiretaps and other forms of intelligence gathering. It's not clear that increasing eavesdropping would make any difference.

These measures include an increase in wiretaps and a ban on encryption. They consider whether a hacking can be defined as a terrorist act. That's a pretty severe definition.

Are Americans more sensitive to privacy than the rest of the world?

Part of the issue is how privacy is being done and how it's presented, and who is sensitive and how. Europeans have been much more sensitive to privacy issues, at least with e-commerce. The data directors of the European Union have had strong rules about what online data is supposed to be collected and how it can be used. We in the U.S. still don't have any rules or laws regulating that.

As far as the face recognition, I don't know about its use in Britain. But England has had IRA attacks, so they've been more concerned about terrorism. If the Superbowl had happened after September 11th, I don't know that you'd get the same uproar against face scanning. As a technologist, I want to know: what is the accuracy, what is the application, what are the possibilities for abuse.

If it could be proved to your satisfaction that these terrorists had used 128-bit encryption, would you soften your stance?

It's not that cut and dry. If you make certain terrorists can't encrypt anything, that might mean that your ATM transaction might be going over an unprotected network that somebody could tap into. But this is a moot point. Encryption technology exists. The software is available, and the algorithms are published. And even with an unencrypted message, there are still things like steganography, where you hide messages in other messages, rendering them virtually undetectable.

What about Carnivore?

The government still will want to use it, but I'm not convinced that's it going to do much of anything. Messages can be hidden in so many different ways. One could even set up a convention that says "when I send you a recipe for Waldorf salad dressing, that means get out of the country." How are you going to figure that out? So, in theory, Carnivore could do some things in terms of traffic analysis and understanding patterns of communication. And if it were used with appropriate oversight and were limited only to the people being involved, it might be helpful. But I'm skeptical. Particularly if it's being used as a fishing net-watching all the e-mail phrases hoping to find phrases like "bomb" and "attack." That's pretty useless.

One piece of conventional wisdom is to never treat email as a private discussion. If that's true, why worry about government eavesdropping?

I was at a coffee house this morning where people were sitting around talking, and I'm sure they weren't worrying about whether the people next to them were listening. They weren't making plans to commit adultery or rob a bank. But suppose there were microphones hanging from the ceiling in that coffee house that were going to the FBI van parked across the street?

That would put a different tinge on it, even though no one had the illusion it was a fully private conversation.

Exactly. That's part of being a free society. We have these models that say our communications generally are private unless we've got some legal order to tap a phone, for example. A body microphone can at times be entrapment. Recording people for potential analysis would be a very different world and with ramifications for civil liberties. But in any case, the genie's out of the bottle. If I want to get PGP or some other software tomorrow and send you encrypted mail, there would be no problem, and as far as we know, nobody else could read it.

So your answer to the question about the tradeoff between security and privacy is: we ought to be careful.

Yes. The question is what are we losing and what are we gaining.

People have thought a lot about the gain, but haven't given full consideration to the loss.

Not a lot of people. Many groups have raised alarms, and even a lot of conservatives are concerned about the impact. I have no problem with calls for increased security and searching at airports. That seems like a very reasonable tradeoff, where I have the option not to take the plane. The costs and dangers are real, but the benefits could be substantial. At the other extreme are people who are labeling anybody who is even vaguely Arabic or Middle Eastern as a terrorist.

Somewhere in between is where we are in this debate over security and liberty. We have to find some point where we can say that certain situations do warrant government scrutiny. In other cases the proposed remedies are so broad or likely to be so ineffectual that they are going to harm legitimate actions of law abiding citizens without any commensurate gain.