Open-Source Warfare

Reading Robert N. Charette’s article [November 2007], it is difficult to remember that, right after 9/11, we were told that the strength of al-Qaeda was the close-knit nature of the organization. The group was composed of individuals who knew each other and had worked together for years. Collecting intelligence about such a group would be next to impossible. Their familiarity with each other would make it difficult to monitor their communications or to infiltrate spies.

Charette now tells us that al-Qaeda’s strength lies in their not knowing to whom they are talking and in using a communications medium that is relatively easy to monitor. I suspect that what this really does is make them vulnerable to all the hacks and scams that bedevil the rest of us Internet users.

I also doubt that the information the terrorists are posting is actually being used. If would-be terrorists were using the online recipes to make explosives, they would end up with an unreliable product as dangerous to themselves as to their targets. Getting to the point where the explosives are reliable and of consistent quality requires lots of testing, trial, and error. Testing explosives will attract attention of the kind that the terrorists don’t want and would undoubtedly make the evening news. Since we haven’t been hearing reports of homemade bombs going off prematurely, I doubt that it is happening.

Possibly the most important use of the Internet from the terrorists’ standpoint may be as a conduit for disinformation. Just posting an idea, like mixing two otherwise innocuous fluids to make an explosive mixture, can cause drastic changes in security procedures. The resulting disruptions can be almost as effective as an actual attack at reminding the public that they are at the mercy of the terrorists.

Also, the Internet has not eliminated the need for state sponsors. The more sophisticated improvised explosive devices (IEDs) being used against hard targets had to be designed. The designs then had to be tested. Finally, they have to be manufactured in a facility with reasonable quality control. This cannot be done in a garage or basement. Having a state sponsor gives the terrorists a place where these activities can be conducted without fear of interference from U.S. forces.

Victor Skowronski

IEEE Member

Woburn, Mass.

I squirmed throughout my reading of the article. The premise that our military must strive to match the development life cycle of IEDs misses the central principle of battling an insurgency. Insurgent warfare is about building trust through close relationships with locals, not developing weaponry.

“What do you do when women and children come out with spray cans and hammers and start attacking your robots?” You talk to them! Because you have invested months living among them and honoring their culture, you already know the names of those women and children and speak their dialect. You make your case with words, wielding the power of mutual respect from a position of understanding. Asking Congress to fund a spray-can-resistant robot is akin to a local police department developing night-vision goggles to investigate a rape that occurred at night.

We are reaching for the wrong toolbox in framing the response to terrorism as a war. The sooner we see terror as a collection of individual crimes requiring individual investigations and arrests (as the Europeans do), the sooner we will regain the respect of the world community and prevail over this new threat.

Costa Gillespie

Pleasanton, Calif.

In a recent article, Robert N. Charette quoted my writings in support of John S. Robb’s thesis that terrorist behavior in Iraq and elsewhere can be analyzed as “open-source warfare” with a strong analogy to the way that the open-source community develops software.

I’ve encountered John S. Robb’s analogy between modern terrorism and open-source development before, and I think it is flawed and dangerously misleading. I think it very unfortunate that when I sent Robb a critique in 2004 he did not respond.

There are at least four respects in which the terror network is structurally different from the community of open-source hackers.

1. Visibility is safe.

   The network of open-source hackers can be entirely visible without risk, but the terror network must remain almost entirely invisible (except at the edges, where it recruits through deniable cut-outs). Thus, communication between terrorists is much riskier than it is between hackers. This matters, because it means that every attempt at coordination has to be traded off against the probability that it will result in exposure.

   Robb noticed that this tradeoff implies a maximum feasible network size. It also implies a minimum feasible action-reaction loop; the riskier communication is, the longer coordination at an acceptable risk level will take (thus al-Qaeda’s observed pattern of long latency periods between attacks).

2. Outcomes are easy to measure.

   Success is easier to measure for open-source hackers than for terrorists. A program either runs and gives the expected output, or it doesn’t. Of course, there are important kinds of programs for which you cannot predict the output, but it is usually possible to check that output for correctness by various means and be confident that you know whether or not it meets your objectives.

   Terrorists have more difficulty measuring outcomes. Let’s take the Chechen separatists as an example: presuming their outcome is to break the Russians’ will to fight in Chechnya, how are they to know whether the massacre at Beslan succeeded or not?

3. The cost of failure is low.

   There is very little downside risk in what open-source hackers do. If a particular way of writing a program fails, you throw it away and write a new one. Failure can be sad for individuals or project groups but does not threaten the network as a whole.

   The terror network, on the other hand, can be badly damaged by the blowback from its actions. In the aftermath of the 9/11 attack, al-Qaeda lost its base camps in Afghanistan, and state sponsorship of terrorism became covert rather than overt. The Iraq war has compounded their problem by killing experienced jihadists faster than the terror network can recruit and train new ones.

   No analogous loss is really imaginable for hackers. They are protected partly by the fact that there are large demand sinks for what they do in the aboveground economy—our equivalent of state sponsorship is the Fortune 1000.

4. Problem solutions are perfectly transmissible.

   When open-source hackers successfully attack a problem, they produce code and algorithms that can be cheaply replicated anywhere. Terrorists, on the other hand, rely on skills that are difficult to replicate (such as bomb making) and materiel that isn’t easy to get (consider the relative cost of a personal computer versus a role-playing game).

A bazaarlike, open-source-like model will only work for terrorists insofar as they can suppress all these differences—that is, the terrorists would be safely visible and be able to measure outcomes, control the cost of failure, and transmit problem solutions.

Conversely, successful counterterror strategy depends on magnifying these differences. Here’s how we can do that:

1. Make it more dangerous for terrorists to be visible.

   Terrorists can afford to be visible only where either (a) no local authority can suppress them, or (b) they are sponsored by the strongest local authority. (It is immaterial whether said local authority is a nation-state; this analysis applies equally to Iran, preliberation Iraq, and Somalia.)

   Thus, raising the perceived risk from sponsoring terrorism will force terrorists to operate undercover, making their network less like a bazaar in both communication richness and action/reaction time.

2. Make it more difficult for terrorists to measure outcomes.

   The most effective step we could take towards this is probably for responsible news media to voluntarily stop covering individual terrorist attacks. Note that this would not be the same as denying or covering up the phenomenon; monthly aggregate statistics on terrorist attacks, for example, would suffice for purposes such as risk evaluation.

3. Make the cost of failure higher.

   This can be best achieved by the traditional method of giving no quarter—killing terrorists swiftly and without mercy whenever they present themselves as targets by mounting an operation. A covert Mossad-style campaign of assassinations directed against terrorist leaders might be even more effective, if the targets can be found.

4. Make it more difficult to transmit problem solutions.

   This implies that destroying terrorist training facilities should be a priority in counterterror operations. It also underlines the importance of shutting down jihadist Web sites and Internet drops.

I find the promotion of Robb’s analogy especially misleading because it suggests that civilization is outmatched by the terrorists at the very time when the objective evidence says that we are winning.

Al-Qaeda has been unable to replicate either the body count or the media impact of 9/11 since. In Afghanistan, the Taliban have been reduced to regional banditry and drug warlordism; they’re a criminal threat but no longer a political one. Postsurge, Iraq is looking more like a normal country by the day; U.S. and civilian casualties have dropped precipitously, jihadist attempts to foment a civil war have failed, and the breaking news is all about 46,000 refugees returning home and Iraqis joining the police and army and civilian watch groups in droves.

It would be perverse to hand the terror network a propaganda victory, feeding the myth of its invincibility, exactly when it is most obviously being defeated on the ground.

Eric S. Raymond

via e-mail

Smart Cars

“Cars Get Street Smart” in the October 2007 issue shows how future technology will make cars more smart and autonomous. There was the conclusion that the Defense Advanced Research Projects Agency’s robotic-vehicle technology will not be adapted for future civilian vehicles due to the high cost of high-resolution cameras and sensors. Instead, more emphasis was given to vehicle-to-vehicle (V2V) communication–based systems.

Now, I have a fundamental apprehension about V2V communication–based systems due to the fact that my vehicle would take action on data provided by other vehicles whose authenticity is not known. This system would work well if all vehicles transmit their real data to each other. But it would be possible to easily tweak the transmitter module and send wrong data to other vehicles—for example, to send data showing a vehicle ahead accelerating while it is actually deaccelerating! It would be easy for someone with the wrong motivations to transmit such data from a virtual vehicle to create devastating accidents on the road. This is analogous to the viruses and spyware of today’s Internet. In the case of V2V, simple data encryption would not help because one can easily tweak vehicle-sensor data that is on the input side of the transmitter module. Thus the biggest challenge for the V2V system is how to prevent unauthenticated data transmission and making sure that real information is exchanged between vehicles. This is easier to implement on a close group of vehicles: for example, vehicles owned by the same organization, in which a vehicle will accept information provided by the group of vehicles whose identity is well known.

Himanshu Patel

Ahmedabad, India

Google Not So Green

Having read “The Greening of Google” [October 2007], I believe there are a number of issues about the full-life-cycle energy yield, carbon footprint, and business issues that Google is apparently not talking about regarding their solar photovoltaics (PV) and plug-in car installation in Mountain View, Calif.

Google’s installation, which generates about 9000 kilowatt-hours of electric power per day, has a retail value of about US $1350 per day, or $492 000 per year. On an investment of $13 million, that provides a 3.8 percent annual return, an unacceptable rate for any business proposal. Any subsidy for high daytime rates with a multirate program is only political money.

Unfortunately, the analysis is much worse if you factor in the lifetime of the solar panels, which is uncertain. Solar radiation efficiency degradation has been a major problem for over 40 years, and most manufacturers will not guarantee any long-term life efficiency. The best hope is for a 20-year lifetime, which requires a reserve replacement fund of $368 000 per year for Google’s installation, lowering the return to 1 percent.

Additionally, PV’s high cost is fundamentally more energy. Solar panel manufacturing is extremely energy intensive, which includes process energy and the energy to support the labor force (their entire lives) to manufacture them. In a stabilized free market economy, there is a direct correlation between the cost of an item and the cost of the energy required to produce it (between 50 and 80 percent). Solar panels for the indefinite future produce a net negative in energy and have an infinite carbon footprint unless they have at least a 20-year lifetime.

New solar technology may improve the outlook; however, solar PVs have had significant research efforts for at least 30 years, and there has been little advancement.

Germany’s leadership in solar power is dominated by solar hot water, which is much more efficient. Additionally, many of their solar PV panels are manufactured in China, where coal-fired power is used to manufacture them, with a large carbon footprint. Germany, along with many other European countries, is facing a short-term “survival issue” if Russia shuts off the natural gas supply for electric power production, as they have done in the past. Clearly, the political situation in Russia is not getting any better. North America is rapidly running out of natural gas reserves, and we will be importing liquefied natural gas and face the same price and supply volatility.

Google’s promotion of plug-in cars is similarly not very green. Before the electric grid is burdened with a new demand like plug-ins, there are a host of first-defense actions that are necessary and easy to accomplish to level the grid demand, as discussed in California Energy Commission workshops. Consequently, the only reasonable comparison is between a hybrid and a plug-in hybrid using electric power fired by natural gas. The real effect when someone plugs in a plug-in at Google is that a natural-gas-fired peaker plant increases output to charge the plug-in, as the solar panels are already in full use (the California Independent System Operators keep the grid flow confidential, so it might even be coal-fired power!).

The best hybrid has a conversion efficiency of fuel energy to mechanical energy to the road of about 40 percent, and our average natural-gas-fired electric-power production efficiency is 45 percent. If the transmission, charging, discharging, and electric motor efficiencies and battery weight penalties are included, plug-in hybrids have a lower efficiency and a higher carbon footprint than a hybrid, contrary to much publicity in favor of plug-ins.

A key conclusion is that subsidies do not necessarily result in energy efficiency or minimize the carbon footprint. Subsidies may be a good path for technology advancement, but clearly, cash-rich companies installing solar energy is mostly a marketing campaign to attract customers and employees. What may be good for Google may not be good for the people, or the planet.

Bob Giebeler

IEEE Senior Member

San Francisco, Calif.

California and Electric Vehicles

I’m glad somebody is going to rule on electric vehicles [“California to Rule on Fate of EVs,” News, November 2007]. In your article you say that “fuel cells remain 20 times as expensive as combustion engines and last as little as three years, hydrogen storage tanks are inadequate, and hydrogen fuel stations are nonexistent.” Then you infer that plug-in hybrids, which can be recharged if they are plugged in at night, are problematic because “there is no guarantee that drivers will plug them in.”

Well, I’m ready to buy a plug-in! And I will plug it in every night. GM, Ford, Chrysler, and others gave up on battery-powered EVs. Toyota, with its commitment to hybrids, continues to beat the pants off them and is also coming out with a plug-in hybrid. I want one!

Larry M. Jeppesen

Henderson, Nev.

CARB, Not Cabal

The top headline on the cover of the November 2007 issue of IEEE Spectrum spoke of “A California Cabal.” The article inside provided information on the activities of the California Air Resources Board (CARB). My dictionary defines cabal as “a conspiratorial group of plotters or intriguers” or “a secret scheme or plot.” The same dictionary, among several choices, defines “conspiracy” as “an agreement between two or more persons to commit a crime or to accomplish a legal purpose through illegal action.” Did Spectrum mean to make such charges? Not the slightest evidence supporting the cover headline is found in the article.

Floyd Gardner

IEEE Life Fellow

Mountain View, Calif.

Catching Criminals

Don Kirk and Bill Green’s trail-camera controller [Spectral Lines, November 2007] would be ideal to help identify vandalism and thievery on construction sites. Stripped-out copper wire and plumbing is commonplace in new construction, and while identifying the thieves won’t prevent that theft, the controller could slow down and perhaps aid in the arrest and prosecution of the criminals.

When I had heard about my brother’s problems in building a house (stolen battery, stripped-out wiring, vandalism) I wondered about an automated means of catching the bad guys in the act, but then I worried about the security of the system from the flash. This system, simple, inexpensive and covert, seems ready made for this role.

Bruce Greer

IEEE Member

Hillsboro, Ore.