Can Publicly Available Geospatial Information Present a Homeland Security Risk?
John C. Baker and Beth E. Lachman

   Geospatial information is crucial to U.S. homeland security. Emergency planners and responders, the public, government agencies, the private sector, and others have legitimate needs for geospatial information both for day-to-day uses and for dealing with emergencies. However, the risk exists that potential attackers, such as terrorist groups, could also exploit geospatial information in planning and undertaking attacks on U.S. critical sites. One of the challenges of homeland security, therefore, is striking the right balance between providing public access to useful geospatial information while limiting the risk that terrorists or other potential adversaries can exploit public access to obtain geospatial information that they need for striking targets in the United States.

   To examine this question, the RAND Corporation, a nonprofit research organization, undertook a study that assessed whether geospatial information made publicly available by federal agencies and others can present a homeland security risk. The study resulted in recommending an analytical process that can assist decision makers in identifying truly sensitive geospatial information.

   The RAND study’s sponsors were two federal agencies with extensive experience in producing and disseminating geospatial information: the National Geospatial-Intelligence Agency (NGA) and the Department of Interior’s U.S. Geological Survey (USGS). This article presents the key findings of the RAND study, Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information, which is publicly available (see box).

An Important Question Needs Answering

   Federal agencies, along with state and local governments, industry, and other organizations, produce, distribute, and use a wide variety of geospatial data and information. Much of this information—maps and nautical charts, aerial and satellite images, and detailed geographic information system (GIS) databases—is used to help protect, operate, and manage various U.S. critical sites, including critical infrastructure facilities and other key assets such as national monuments, public gathering locations, and military installations. Other geospatial data provide a range of societal benefits, such as improving public safety and transportation access, advancing scientific understanding, and providing economic benefits.

   In the wake of the September 11th attacks, several U.S. government agencies took steps to limit public access to certain geospatial information sources based on new concerns that terrorists could exploit such publicly available information to identify potential targets and plan attacks. RAND was asked to develop an analytical framework to help the study sponsors and others better understand how to identify publicly accessible geospatial information with potential homeland security sensitivities. Using a “demand” and “supply” approach, a multidisciplinary team of RAND researchers analyzed the information that potential attackers would find most useful and assessed what geospatial data concerning critical U.S. sites is publicly available from federal agency and other sources.

What Data Do Attackers Need?

   Adversaries can take advantage of the relatively accessible nature of open societies, such as the United States, where a substantial number of critical infrastructure facilities (e.g., airports, power plants, dams) and other key assets are either publicly accessible or can be directly observed from a distance. Terrorists and other potential attackers can choose opportunistically among the broad range of U.S. homeland locations, different strategic objectives and a variety of attack modes. In general, attackers will possess two distinctive information needs: (1) what they need for selecting a target (i.e., which target, where is it located); and (2) what they need for planning an attack (i.e., what is the target’s layout, vulnerabilities, security measures, etc.). The RAND analysis revealed that in targeting U.S. homeland locations, attackers have a broad of range of choices about why, where, and how to attack. Terrorists have substantial flexibility in choosing among potential targets and the information they use in planning and undertaking an attack. If they encounter a problem, then they can adjust their target choices and information needs to satisfy their objectives.

   The study concluded that although publicly accessible geospatial information has the potential to be generally helpful in selecting and locating a target, terrorists need very detailed and up-to-date information to plan and carry out their strikes. There is “information abundance” concerning sources of geospatial and non-geospatial information on U.S. critical sites that adversaries can obtain to select and locate targets. In comparison, planning an attack requires detailed and timely information, such as information on the target’s internal features (e.g., control centers), potential vulnerabilities, and current security practices. Here, attackers confront a situation of relative “information scarcity” because such information is not normally made publicly accessible. Thus, terrorists are more likely to turn to non-geospatial sources, including direct observation, academic textbooks, trade journals, and individuals familiar with the operations of a particular type of facility, to satisfy their information needs.

What Types of Geospatial Information Are Publicly Available?

   What federal geospatial information is publicly available, and how significant is it to attackers’ needs given the usefulness and uniqueness of the information? To answer these questions, the RAND research team undertook several tasks.

   First, the RAND team conducted a structured survey of publicly accessible federal geospatial data sources. This survey identified and assessed publicly available geospatial information about critical sites at 465 federal data sources (i.e., federal programs, offices, and major initiatives, such as The National Map, Figure 1), which involved searching more than 5,000 federal websites.

   Second, a selected sample of 629 federal datasets was identified for closer examination because they appeared most likely to contain sensitive geospatial information about U.S. critical sites. Third, a sample of more than 300 non-federal (e.g., private, state, and local governments, academic institutions, non-governmental organizations, and foreign geospatial data sources), involving a search of more than 2,000 websites, was undertaken to assess the availability of non-federal sources of geospatial information.

   Figure 2 depicts the study’s findings from examining these samples. Fewer than six percent of the 629 federal geospatial information datasets examined appeared as though they could be useful to meeting a potential attacker’s information needs. Furthermore, the study found no publicly available federal geospatial datasets that might be considered critical to meeting the attacker’s information needs (i.e., those that the attacker could not perform the attack without). Additionally, most publicly accessible federal geospatial information appears unlikely to provide significant (i.e., useful and unique) information for satisfying attackers’ information needs (i.e., less than 1 percent of the 629 federal datasets examined [4 datasets] appeared both potentially useful and unique). Moreover, since the September 11th attacks these information sources are no longer being made public by federal agencies. In many cases, diverse alternative information sources exist. A review of non-federal information sources suggests that identical, similar, or more useful data about critical U.S. sites is available from industry, academic institutions, non-governmental organizations, state and local governments, foreign sources, and even private citizens who post relevant information on their own Web pages.

   The RAND study suggests that sensitive geospatial information that is publicly available, if it exists, is not distributed widely and may be scarce. However, the RAND findings do not rule out the possibility that potential attackers could exploit existing or future geospatial information that is publicly accessible. Thus, U.S. decision makers need an analytical process for assessing the homeland security implications of geospatial information.

Importance of Weighing Societal Benefits and Costs

   Any decisions to restrict public access to all or part of a particular geospatial dataset need to consider whether the expected homeland security benefits outweigh the likely societal costs. Although making such judgments is neither easy nor exact, decision makers have a responsibility to consider the societal costs of restricting public access, even if such costs can only be roughly gauged at best.

   Federal geospatial information (Figure 3) provides many benefits to a wide range of users, including other federal agencies and state and local governments, private firms, non-governmental organizations, community groups. Emergency responders and public safety planners at all government levels need up-to-date geospatial data to provide services in the event of natural disasters, accidents, or terrorist incidents. Furthermore, people who work, recreate, or live near a critical site need the geospatial information about the site to access or to avoid the location when conducting their activities. The boating, fishing, and oil and gas industries, for example, need accurate nautical charts (Figure 4). Public availability of such geospatial information is often required by federal, state, or local laws. In addition, broad access to geospatial data and information is integral to increasing productivity, reducing private- and public-sector costs of doing business, facilitating knowledge sharing, and enhancing U.S. international competitiveness.

   Although the societal benefits of particular geospatial information are often difficult to quantify, decision makers who are responsible for deciding on what information should be public accessible should seek to identify the range of potential information users and assess the opportunity costs that limiting access would impose on users.

An Initial Framework for Analysis

   The RAND study recommends that the federal government should be proactive in making the process of reviewing publicly available geospatial information more coherent and consistent among a wide range of federal agencies and relevant non-federal organizations. RAND researchers developed an initial framework that decision makers can use to assess the homeland security implications of publicly availability geospatial information that incorporates three distinct filters as depicted in Table 1. Such an analytical process, if used widely, can assist decision makers by providing both a structured and consistent approach to identifying sensitive geospatial information. It also offers an explicit methodology to justify and explain decisions that affect public access to geospatial information.

   For the longer term, the federal government needs a more comprehensive model for addressing the security implications of geospatial information. This model should provide a means to match desired protection levels for U.S. critical sites with threats. It should also identify relative protection profiles to defeat these threats, and set forth a structured set of evaluation criteria. Facilities and installations, in turn, could be associated with those protection levels based on their particular needs.

Need for Guidance

   The federal government has a leading role to play in encouraging both government and non-governmental decision makers to adopt a more consistent analytical process for identifying publicly available geospatial information with significant homeland security implications. Federal agency staffs are not the only ones who need practical guidance. Non-federal organizations (e.g., state and local governments, private firms operating critical infrastructure facilities, and other geospatial data producers and distributors) have a strong need for federal government insights and guidance in this area. Along with this RAND study as background, organizations that produce and distribute geospatial information can benefit from new federal guidelines for decision makers responsible for making geospatial information publicly accessible that could homeland security implications (see box below).

Acknowledgments

   The authors wish to acknowledge the contribution of their RAND colleague Gordon Lee, in contributing to the writing of this piece.

About the Authors

   John Baker is a policy analyst at the RAND Corporation.

   Beth Lachman is a science and technology policy analyst at the RAND Corporation. 

Back