Cyber-attacks on an American city

April 24, 2009
Photo: Damien Cox, Flickr

Photo: Damien Cox, Flickr


Slashdot reports on a mysterious case of high tech urban sabotage in California, with lessons for first responders in complex urban environments.

Software innovator Bruce Perens writes,

Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported.

“That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital’s internal computer network, proved to be dependent on external resources, leaving the hospital with a “paper system” for the day”

This is an interesting example of emerging threats to urban centres in the future, along the lines of previous posts on attacking the electric grid system.   The entire article, found here, is well worth reading.  

In particular, Bruce has a discussion of the lessons learned from this mysterious attack:

The first lesson is what stayed up: stand-alone radio systems and not much else. Cell phones failed. Cellular towers can not, in general, connect phone calls on their own, even if both phones are near the same tower. They communicate with a central switching computer to operate, and when that system doesn’t respond, they’re useless. But police and fire authorities still had internal communications via two-way radio.

Very rich food for thought about the future of complex urban emergencies.

Stockholm Whiteboard Seminars – excellent informal talks on resilience

April 13, 2009

The Stockholm Resilience Centre  has posted a series of simple and inspiring “back to basics” lectures about resiliency on its website.

From the creator of the project:

The idea is to get away from seminars loaded with lengthy and flashy PowerPoints and go back to basics. So, take the opportunity to get a short and close encounter with a top scientist in the field of sustainable development, who uses the whiteboard to explain an important concept or recent research insight just for you! 

The first video is from  Brian Walker, an Australian ecologist who delightfully explains what forest management, resilience theory and trauma surgery have in common.

Vodpod videos no longer available.

The second is from Elinor Ostrom, a political scientist from Indiana University, who explains the concepts of commong pool resources and how to avoid the “tragedy of the commons”.

Vodpod videos no longer available.

Thanks to the Resilience Science blog for the great tip!

Creating resilient organisations more important than creating good plans, researchers find

March 5, 2009

Researchers find that disaster plans do not produce better responses to surprising crises, but that the processes of preparing them, does.

A researcher from the Arizona State University, Scott Somers, published a somewhat interesting  article in the latest issue of the Journal of Contingencies and Crisis Management (abstract, full text PDF).  In it he reports the results of a survey of 96 public works directors in the United States, evaluating each organisation on their level of crisis preparedness, crises preparation techniques, and organisational flexibility and resilience.

He found that traditional crises management approaches that create detailed, step-by-stop operating procedures produced less resilient organisations than expected.  Instead, he argues that it is more effective to, “create internal processes and organizational structures that build latent resilience within organizations so that they demonstrate positive adaptive behaviors when under stress.”

What does this mean?  Somers evaluated each organisation on six dimensions:

  • Level of perceived risk
  • Degree of managerial information seeking
  • Organisational structure
  • Amount of continuity planning
  • Levels of participation, and
  • Departmental accreditation

The strongest correlate to organisational resilience (by his measures) was the presence of strong continuity planning.  Somers also found that managers who actively sought out varied and diverse information sources were found to be more likely to lead resilient organisations.  Somewhat surprisingly, the research also found that managers which had higher levels of perceived risk were only slightly more likely to head more resilient organisations, and that organisational structure (in terms of levels of hiearchy in the agency) did not correlate very well.

What does this mean?  Somers concludes by suggesting that the plan itself is not as important as the capacity-building process of planning.  This seems to be due to the nature of complex crises; they are often a surprise, often something that cannot be trained for, and often disrupt traditional communication and decision-making frameworks.  Thus any plan which requires following “standard operating procedures” will be less flexible and adaptable than those which encourage more innovative, adaptive behaviour.

The paper concludes by suggesting that highly resilient organisations exhibit the following traits:

  • Teams are trained to systematically improvise solutions
  • Employees are encouraged to address problems with minimal supervisor intervention
  • Has staff whom constantly gather information and consider consequences of alternative actions
  • Fills its key positions with generalists, not specialists
  • Has low reliance on supervisor-centric knowledge and gives its employees access to and involvement in critical knowledge
  • Has work teams which are authorised to purchase materials and access resources without centralised approval

Compare this template to any humanitarian organisation you’ve dealt with lately; or any organisation for that matter.  How does it map?  Comments welcome.

Top three catastrophic risks for London in 2009

February 13, 2009


The London Fire Brigade just updated their series of forward thinking analyses about various risks in the Greater London area and how to prepare for them.  

It may sound a bit dry but their “Community Risk Registers” are actually a very exciting effort to cooperate and share information across agencies in preparation for future crises.  They  list a series of potential hazards by likelihood and impact, then sort them by what they might look like and who should take the lead in responding to them.  They update these lists quite often and just released their new registers for 2009.

The top three greatest risk for Central London in 2009?

  1. Human Health: Influenza type disease (pandemic) – High number of cases and consultations with healthcare providers threatening to overwhelm health and other services. All ages may be affected, but until the virus emerges we cannot know which groups will be most at risk
  2. Industrial Technical Failure: Telecommunications infrastructure, human error – Widespread loss of telecommunications (including public land line and mobile networks) at a regional level for up to 5 days. 
  3. Industrial Technical Failure: Technical failure of electricity network – Total shutdown of the electricity supply over an entire region occurring during working hours and lasting for 24 hours. 

Good to see the LFB is aware of these issues and already making preparations.  An excellent best practice example. HFP recently completed some similar scenario work for Oxfam UK outlining possible Avian Influenza outbreak scenarios, as well as conducting a serious game training simulation for ICVA in Geneva about the impacts of a complex technical failures and a major industrial accident in a politically unstable port city.

UPDATE – By way of background, the BBC did a report on the Avian Flu risk and the Registers back in August, 2008, which can be found here.  Also Charlie Edwards from Demos’ Resilient Nation project and contributor to Global Dashboard did a brief post on the background of the Registers in June, 2008, which has some interesting policy background on the effort and be found here.