RE: [emergency] Identity and Authority ( was RE: CAPVisualization...)

[Art Botterell <acb@incident.com>]

At 12:17 PM -0700 5/20/04, Kon Wilms wrote:
>Do we really want the hackers and script kiddies sending biological
>alerts, or the old lady sending a 'cat stuck in my tree' CAP alert? :)

My practical concern isn't whether a message comes from a hacker or a 
bureaucrat or Homer Simpson... what I really care about is whether 
it's accurate.  We tend to draw an inference from source to 
accuracy... and usually it's right but sometimes it turns out to be 
sadly mistaken.  Besides, while a hacker might be a dubious source 
for a bio-terror alert, she might be a first-rate source for a 
cyber-attack warning.

The cat in the tree illustrates another dimension to the problem.  It 
probably wouldn't be appropriate for city-wide or nation-wide 
broadcast, but it might be perfectly appropriate to a residential 
community-watch network.  (Plus the SPCA might like to know about it, 
even all the way across town.)

So again... being able to tell where the message comes from, 
reliably, is necessary but not sufficient.  We also need to be able 
to assess the credibility of reports, based partly (but perhaps not 
solely) on the reputation and standing of the source... while 
understanding that we may not always know a-priori who every source 
is.  We also need to be able to filter message flows (or provide 
enough bandwidth) so that low-level cat-sightings don't become 
problematic... while remembering that necessity is ultimately in the 
eyes of the recipient.

I guess what I'm saying boils down to the old Internet dictum: "We 
should resist the temptation to standardize what we don't yet 
understand."  CAP can be used in a lot of contexts and a lot of ways; 
we can certainly devise systems that use it effectively, but we 
should beware of trying to impose one application's requirements on 
other implementations.

>There at least has to be one level of human filtering of the alert if it
>comes from a source other than the defined 'chain of command'.

Again, that depends on the particular system we're talking about.  In 
most cases, I'm afraid that the closer you come to that "chain of 
command" the more you'll realize that it's not all that well defined 
after all... especially for unusual events that tend to fall between 
the chairs of routine jurisdiction.

There's a strong and understandable desire among vendors to use 
government as a sort of "liability circuit-breaker" but... especially 
in a time of shrinking government budgets... we may want to be 
careful about turning officialdom into a single point of failure for 
alerting.

- Art