Rand: Feds protect maps
But the company's report on the security of geospatial data found that nonfederal sites have some sensitive data.
Terrorists have lots of options in gathering mission-critical information, so they're not likely to turn to geospatial information as their first source, according to a report from Rand Corp.
Publicly available geospatial data often lacks the detail and timeliness that terrorists require for planning, researchers said. As a result, Rand officials found that less than one percent of the 629 federal data sets they studied appeared to have notable value to would-be attackers. These sites, which have since been removed, combined useful and unique information, according to the Rand report, entitled "Mapping the Risks."
The study looked at what federal geospatial data is available to the public and how critical that information is to the attackers' missions. The report drew distinctions among what is necessary to complete an attack; what is useful, but not necessary; and what is nonessential.
"Even prior to [Sept. 11, 2001,] there were security reasons for not putting certain information out there," said Beth Lachman, a policy analyst for Rand and one of the researchers of the report. "It's like a bank isn't going to advertise where their video cameras are."
But what came as a surprise to Rand researchers were sources of potentially sensitive information that appeared on state and local sites, international sites and even Web pages devoted to hobbies. For example, one site showed scuba divers how to circumvent offshore oil sites, Lachman said.
"We identified over 300 nonfederal sources for similar types of information," she said. "It was interesting that we found other sources of info that we considered potentially more sensitive than federal sources."
The report recommended the federal government work with state and local governments and the private sector to standardize the process used to evaluate the usefulness and risks of making public certain information.
"Our study suggests that decision-makers need to use an analytical process for identifying sensitive geospatial information because no 'one-size-fits-all' set of guidelines is likely to work," said John Baker, a Rand technology policy analyst who is lead author of the report.
In the long term, the report urges the federal government to develop a more comprehensive blueprint to assess the security implications of geospatial information for U.S. critical infrastructure facilities and installations.
Lachman noted: "If information is out here, and it's public domain in a lot of different ways, then there's no point in restricting it. There's a complex relationship there."
The study was sponsored by the National Geospatial-Intelligence Agency along with its study partner, the U.S. Geological Survey of the Department of the Interior.
Researchers reviewed a cross-section of geospatial information about critical sites, including more than 5,000 federal Web pages. Researchers also identified 465 federal sources — programs and major initiatives — providing publicly available geospatial information. They gave closer analysis to 629 federal databases identified as being likely to contain geospatial information about U.S. critical sites, such as power plants, chemical plants, military installations, dams, and public spaces like national monuments.