Cover Image

PAPERBACK
$54.25



View/Hide Left Panel

Cybersecurity and Urban Terrorism— Vulnerability of the Emergency Responders

Anita K. Jones, Linton Wells III, Michael Wolin


During any type of crisis, the inhabitants of an urban area rely on emergency services provided by the government. Emergency responders remove or reduce the cause of the crisis, where possible, and also provide protection and aid to those affected. To do so, emergency services must take timely, coordinated, and appropriate action. They make use of critical information that must be accessed and transmitted to a variety of irregular players along uncertain channels. At any time, emergency services are vulnerable to disruption by groups using cyberattacks, but during a time of intense emergency, this vulnerability is heightened. During a crisis, normally autonomous emergency responders must by necessity act coherently and cohesively. This requires a dynamic and ad hoc flow of information. Because the emergency responders themselves are crucially dependent on information, a coordinated and well-executed cyberattack could degrade effective emergency response.

This cyberthreat causes emergency responders to be at risk from a common tactic used by terrorists—that is, to amplify a main attack with a supporting attack. After a main attack, terrorists might make a secondary assault on assembled emergency responders or their supporting information systems. This could reduce their ability to respond and possibly create more casualties. A secondary cyberattack may be employed before or coincidentally with a physical attack to impede effective deployment of emergency responders and thus amplify the damage from the physical attack. If the public were to perceive that the emergency response service were crippled or inoperable, terror among citizens is likely to be substantially increased. Both individual emergency response organizations and entire emergency systems must be defended against cyberattacks while at the same time the ability of the individual organizations to communicate and coordinate action is not impeded.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop Cybersecurity and Urban Terrorism— Vulnerability of the Emergency Responders Anita K. Jones, Linton Wells III, Michael Wolin During any type of crisis, the inhabitants of an urban area rely on emergency services provided by the government. Emergency responders remove or reduce the cause of the crisis, where possible, and also provide protection and aid to those affected. To do so, emergency services must take timely, coordinated, and appropriate action. They make use of critical information that must be accessed and transmitted to a variety of irregular players along uncertain channels. At any time, emergency services are vulnerable to disruption by groups using cyberattacks, but during a time of intense emergency, this vulnerability is heightened. During a crisis, normally autonomous emergency responders must by necessity act coherently and cohesively. This requires a dynamic and ad hoc flow of information. Because the emergency responders themselves are crucially dependent on information, a coordinated and well-executed cyberattack could degrade effective emergency response. This cyberthreat causes emergency responders to be at risk from a common tactic used by terrorists—that is, to amplify a main attack with a supporting attack. After a main attack, terrorists might make a secondary assault on assembled emergency responders or their supporting information systems. This could reduce their ability to respond and possibly create more casualties. A secondary cyberattack may be employed before or coincidentally with a physical attack to impede effective deployment of emergency responders and thus amplify the damage from the physical attack. If the public were to perceive that the emergency response service were crippled or inoperable, terror among citizens is likely to be substantially increased. Both individual emergency response organizations and entire emergency systems must be defended against cyberattacks while at the same time the ability of the individual organizations to communicate and coordinate action is not impeded.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop This paper examines the emergency response to a terrorist attack on an urban area by viewing it as a system that is vulnerable to disruption. It focuses on the critical aspects of emergency response that are at risk of being impeded by an attack on the computer or telecommunications networks of the emergency responders themselves. It examines the possible cybertactics a terrorist group may use to amplify the effects of a physical attack by limiting emergency response. CRITICAL INFORMATION In any emergency there is a wide array of critical information that is central to an effective response. Some of this information is general in nature and commonly possessed by highly trained emergency response units, but much of it will be specific to the time, location, and type of attack. This critical information forms the input information that any emergency response system must possess to effectively respond to the situation. This critical information includes, but is not limited to, building blueprints and city utility plans, crisis response plans, chemical cleanup procedures, treatments for specific biological or chemical agents, duty rosters and personnel contact information, individual victim medical records, and public announcements. One of the frustrating aspects of emergency preparation is how much detailed situation-specific information becomes critical to operational success. There is a wide array of different, relevant kinds of information, and some of these data inputs are voluminous. By its nature a cyberattack will be against the content, accessibility, or flow of critical information. Because some of the needed information is incident specific, some information is accessed in (close to) real time. Because the attacker is aware of the specifics of the attack, and can deduce what information will be most helpful to responders, prearranged corruption of this information is a threat. EMERGENCY RESPONSE PLANS FOR URBAN AREAS IN THE UNITED STATES Urban areas are especially vulnerable to high-profile attacks because of the concentration of people, resources, and critical infrastructure in a small area. Hence most urban areas in the United States have developed emergency response plans that define how the various emergency services and government agencies will interact and work together during a crisis. For Washington, D.C., this plan was created by the D.C. Emergency Management Agency and is titled the District Response Plan (DRP).1 The DRP describes how D.C. agencies will 1 This plan is available on the D.C. Emergency Management Agency web site: http://dcema.dc.gov/dcema/cwp/view,a,1226,q,533529,dcemaNav,|31810|.asp.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop work collaboratively within the city and with regional and federal partner organizations in an emergency. In this paper the DRP is used as a representative example of urban emergency response plans in the United States. At its heart the DRP identifies 15 emergency support functions. Each one is a vital task that the government must perform during an emergency response. Functions include transportation, firefighting, medical services, urban search and rescue, law enforcement, and media relations.2 The DRP defines the city agencies and departments that have a part to play in each function. It then outlines the purpose and scope of each function and in what ways each organization will be involved and finally, how operations will proceed for each function. The 15 functions can be seen as the spokes of a wheel with the D.C. Emergency Management Agency at the hub of the wheel. Operating out of the agency’s Emergency Operations Center (EOC), the central emergency management decision makers will coordinate the actions of these largely autonomous emergency support functions. Responding to any emergency will require many different types of emergency services. For example, responding to a simple building fire requires firefighters to put out the flames, emergency medical care providers for the victims of the fire, and police officers to secure the area and control the flow of traffic around the area. In large-scale crises, a larger variety of services will be required—all at the same time. For an effective response to an emergency, the central EOC must efficiently and effectively coordinate the actions that support the emergency support functions. While at the planning stage, the responders should give thought to the alternative technologies they would elect to use. In Tokyo, for example, the first responders and a network of decentralized command and control officials use VHF (very high frequency) radios, which, unlike cellular phones or wired phones, are relatively invulnerable to both physical and cyberattacks, although they can be jammed. Plans should consider the vulnerabilities inherent in the technologies used. EMERGENCY RESPONSE Emergency response in an urban environment on a large scale has several key aspects, all of which rely on the deployment of information technology, and thus may be vulnerable to attack. These aspects are a timely response, preplanned and coordinated operations, informed responses, and assured communication. This paper discusses each aspect in turn, with an emphasis on its vulnerabilities to cyberattacks. 2 For a full list, see p. 2 of http://dcema.dc.gov/dcema/lib/dcema/info/pdf/basic.pdf.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop TIMELY RESPONSE The speed at which an emergency response is initiated can be critical. In crisis situations the presumption is that delay costs lives. A rapid arrival of the appropriate responders depends upon identification of the nature of the emergency, the notification to responders that an identified form of crisis exists, acknowledgment by those responders that it must be acted on, preparation by the responders for the appropriate response, and finally, rapid transportation to the crisis location. There are a number of ways in which cyberattacks could be used to delay the arrival of emergency responders. Terrorists might try to delay notification of the crisis by misdirecting the initial notification, misrepresenting a critical need, or hindering the mobility of the first responders. The first two means of attack usually center on tampering with the notification system that citizens use to call upon the government and emergency services for aid. In the United States this is predominantly the 9-1-1 telephone system that is answered 24 hours each day by government-paid emergency response operators. Terrorists could use a computer attack against the functioning of this system or might inject a false alarm in order to erroneously send responders on misleading emergencies, thus evoking skepticism when a true emergency occurs. A more direct attack on the 9-1-1 system may be to sabotage the system outright, hindering the ability of the public to directly connect with representatives from the emergency services system. This was accomplished on a limited scale by a Swedish hacker in 1997. He used a denial-of-service attack to jam the 9-1-1 emergency telephone lines in west-central Florida. From Sweden he accessed the telephone network and generated 60,000 unauthorized calls. This served to block access to the 9-1-1 service for Florida residents with real emergencies. In addition, the hacker diverted 9-1-1 calls to other destinations and harassed the 9-1-1 operators. He was tried as a juvenile in Sweden and fined the equivalent of $345.3 This example demonstrates that the 9-1-1 system in the United States is vulnerable to cyberintrusion. Such an attack could originate from any point on the globe and could effectively cripple the ability of citizens to solicit aid from the emergency responders. Another possible attack could involve falsifying the type of danger, leading the responders to prepare and deploy unnecessarily, or to arrive ill-equipped for the real emergency so that taking appropriate action on site is unduly delayed. This could be accomplished by planting false 9-1-1 calls or by falsifying the information flowing from 9-1-1 operators to emergency service organizations. A final possible attack involves hindering responders on their way to the emergency. This might include co-opting supervisory control and data acquisi- 3 Correll, John T. 1998. War in Cyberspace. Air Force Magazine 81(1). See http://www.afa.org/magazine/Jan1998/0198warin_print.html.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop tion (SCADA) systems for traffic signals to increase traffic congestion along routes to the emergency, or to even reroute the path taken by the responders so that it takes longer to arrive. Plans should include provision to understand the nature of problems. For example, authorities should be able to determine where excess traffic on phone lines is due to a denial-of-service attack or legitimate attempts by citizens to communicate with authorities. PREPLANNED AND COORDINATED OPERATIONS The response to an emergency situation will usually take the following form: preplanning, implementation of that plan, and then coordination during execution as adaptations to the plan are made. This sequence of events offers terrorists various opportunities to disrupt smooth operations of emergency responders. First, through various means, terrorists may attack, corrupt, or limit access to digitally encoded plans already in place for an emergency response but which must be consulted even by trained personnel. These plans may specify firefighting response procedures for specific buildings, cleanup procedures for chemical spills, and even organization flowcharts dictating how agencies will interact during a crisis. A cyberattack targeted at these plans could take many different forms, from corrupting the plans so they are inconsistent or contradictory to denying access or even destroying the plans. Corrupting the plans might involve action by a trusted insider or the unauthorized access of an outside hacker, likely before the main attack. They might identify and replace the target plans with false ones. In this situation, emergency responders might follow procedures that they believe will help but really just increase the damage. This form of attack could take place at any point before the emergency. If the corruption remains undetected and unrepaired, it will have a detrimental effect on emergency operations. Another form of attack might employ a virus or denial-of-service attack on a database of plans to prevent access. Next, we turn to execution of a response plan. As large-scale emergencies require action on the part of numerous individuals and agencies, terrorists may try to prevent the orders for execution from reaching some or all of the emergency response services. This could be accomplished mainly through attacking communication or computer systems. Communications disruptions are discussed in more detail below. Military wisdom dictates that a good commander will plan extensively, and then modify the plan once on the battlefield. This idea also applies to emergency response. Once a crisis situation begins, it is important that emergency response managers adapt the original response plans as the situation requires. To maintain a disciplined response even when plans are adapted requires coordination throughout the entire response. In the Washington, D.C., emergency manage-

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop ment plan, this is achieved by providing a central command and control activity in the EOC. By centralizing command and control, a high level of coordination is achieved even when plans change on short notice. However, communication between the EOC and the deployed responders is critical. The centralized nature of the emergency command and control system makes it a prime target for terrorist disruption. Terrorists could shut down computer systems in the EOC using worms or other viruses or they could jam communications in and out of the center using denial-of-service attacks or other cyberattacks on the telecommunications systems. Another possibility is the use of an electromagnetic pulse (EMP) weapon against an EOC. This weapon is a portable device that delivers an electromagnetic pulse sufficiently strong to physically damage the operating condition of electronic systems such as computers, digital telephone switches, and other systems without necessarily causing permanent damage to the hardware.4 If unshielded, an EMP device detonated within range of a city’s EOC could effectively put it out of operation. Emergency operations centers rely heavily on computers, which creates a number of vulnerabilities. Bugs and backdoors may exist in both the commercial software used (especially the Windows operating system) and the proprietary software developed specifically for emergency response coordination. Examples of this software include the Crisis Information Management System (CIMS), which the Washington, D.C., Emergency Management Agency uses. CIMS is a system for effectively sharing information among the various terminals in the EOC. With software increasingly being developed in foreign countries, there is an increased risk of bugs, exploits, and mistakes that terrorists could use being built into the software. Finally, it is possible that the EOC could be damaged during a physical attack to the point of disrupting operations. This happened in the September 11, 2001, attack on New York City. The city’s original emergency operations center was located in one of the World Trade Center towers and was destroyed when the towers collapsed. One of the main sources of vulnerability for emergency response is the highly centralized nature of its command and control apparatus. This gives terrorists one target that, if neutralized by cyberattacks, could greatly hinder the ability of emergency responders to implement an effective response to a physical attack. INFORMED RESPONSES: ACCESS TO CRITICAL INFORMATION Uncertainty characterizes emergency operations; the full situation on the ground may be unclear for some time. When emergency responders receive a 4 Branscomb, L. M. 2004. Cyberattacks as an Amplifier in Terrorist Strategy. P. 95 in Terrorism— Reducing Vulnerabilities and Improving Responses: U.S.-Russian Workshop Proceedings. Washington, D.C.: The National Academies Press.

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop call to respond to an emergency at a certain location, they usually only receive the most basic information about the nature and extent of the emergency. Emergency responders may not know what situation-specific information is needed until they are on site and have evaluated the crisis situation. This information must be obtained by the emergency responders not while they are at a central base of operations but while they are deployed. This may be especially true after a terrorist attack, in which full information about the attack would substantively impact the type of response required. In contrast to a natural disaster, terrorists may deliberately hide some of the elements of the emergency situation. For example, in a chemical attack, certainty about the exact chemical agent employed would allow responders to be safer and to be more effective and timely in their resource allocation. Future terrorist attacks could invoke combinations of different types of threatening situations. As discussed in the section entitled “Critical Information,” there is a wide range of information that could be critical in the response to a terrorist attack on an urban area. Responders in the field will need to call upon and receive various sorts of records, such as medical records to help correctly treat patients, building or city architectural and construction plans, or contamination and cleanup information on specific chemical or biological agents. Some of this information, such as individual medical records, needs to be current. It is not possible for the emergency responders to acquire all of the information ahead of time; instead, they need to access it from the definitive source. The necessity of this critical information about the specifics of the situation and the situation-specific response procedures opens up a variety of possible threats from cyberattacks that will disrupt the ability of responders to address an emergency situation. Terrorists may attempt to corrupt critical information at its source using computer worms or entry by a trusted insider or hacker with unauthorized access. In this case, emergency responders would unwittingly acquire incorrect information. Medical records present a special challenge in this regard. Medical patient records should of necessity be available to doctors broadly and in near-real-time. The need for accessibility of this information and also its sheer volume make it a difficult target to secure against unauthorized entry. By breaking into these databases and, for example, changing the blood types or drug allergies of individuals, terrorists could cause incorrect blood or drugs to be administered to individuals in a crisis situation. Medical mistreatment may hurt the individual, but in addition, treatment errors may cause citizens to distrust the emergency responders. This increases the terror induced by attacks. Another example is databases of contact information for emergency management officials. The D.C. Emergency Management Agency maintains databases of text messaging numbers and formats for emergency officials and databases of phone numbers of D.C. citizens. This information will be critical in quickly communicating with emergency officials and the public in a crisis. Un-

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop authorized access by hackers or tampering by a trusted insider could falsify these databases so that communications are interrupted. It is also possible to corrupt critical information that is not stored in centralized databases by emergency response agencies. For example, in any type of chemical or biological attack, emergency management officials will use information from remote meteorological sensors to create a computer plume model that will illustrate the spread of the chemical or biological agent based on wind patterns. Attacking the control programs of these sensors or corrupting the flow of information from the sensors to the EOC could seriously impair this effort. Even such a small change as replacing “east” with “west” in a wind report could have disastrous consequences for civilians. Terrorists may attempt to limit the ability of responders to access this critical information while in the field. This may be achieved by limiting access to the applicable databases through a denial-of-service attack or by disrupting the communications of emergency managers or first responders. Denial-of-service attacks could bring down electronic mail servers and hacking or virus tactics could be used against cellular phone networks. As emergency responders begin to carry more portable computers with Internet access, attacks on Internet servers and databases could have an impact on the ability of first responders to access needed information. ASSURED COMMUNICATION Communication is the backbone of an emergency response. Effective, coordinated action requires communication between disparate groups and individuals. During an emergency response, communication flows in a number of different ways. Each of these channels or lines of communication can be potentially impacted or disrupted by a cyberattack. The first essential line of communication is from the public to the responder. This is the means by which the public will alert emergency services that an emergency exists and solicit aid. As discussed above, the 9-1-1 system is vulnerable to disruption in a variety of ways. Beyond the 9-1-1 system there are other communication methods within this category that are also vulnerable to disruption. For example, many high-rise buildings have fire evacuation procedures that rely on disabled or trapped victims notifying rescuers of their location via an internal telephone system. Such a system, if not secured, might be vulnerable to attack. Likewise, in a widespread biological attack, citizens may need to call hotlines or hospitals to inform them of the spread of contagion. The second main category of communication is within the emergency response apparatus. This category breaks down into a number of different forms of communication: communication within one autonomous emergency response agency (a fire department, for example), communication between emergency

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop response agencies or with the emergency management system, and communication between the emergency management system and nonlocal emergency organizations such as the Federal Emergency Management Agency (FEMA), the National Guard, and state and federal governments. Lastly, there is necessary communication from the government back to the citizens. All of these different forms of communication are both vital and vulnerable to a cyberattack. Within one emergency response agency, communication will flow usually from a central dispatcher or management center to various units in the field. Within an organization the lines of communication are used in normal day-to-day operations, so they may not be strained as much during a large-scale emergency situation. Communication between the various autonomous emergency response agencies and with the central emergency management agency is not used as frequently, and it is likely to be more vulnerable during a crisis. As noted in the section on preplanned and coordinated operations, communication between the different agencies on a macroscale will usually be coordinated by a central EOC. Disabling the computer and telecommunications systems of this center will impede communication. At the scene of the emergency, however, most communication will be face-to-face between the commanders of the different agencies responding to the situation. Although responders may coordinate their actions on the scene, their ability to call for additional resources may be impaired. Because crisis situations strain communication bandwidth and range, emergency responders may turn to more ad hoc forms of communication. That is, they may use methods of communication that are not built into the system. For example, emergency responders and managers may use cellular phones and electronic mail to augment the existing communication. Both can be helpful in a crisis situation, but they are also vulnerable to disruption from a cyberattack. Cellular phones rely on towers and nodes to connect to the telephone network. These are vulnerable to a cyberattack that could disable cellular service across an urban area. Electronic mail can be disrupted by overloading the mail servers of the emergency response agencies through denial-of-service attacks or by shutting down these agency servers all together through the use of worms, viruses, or sabotage by trusted insiders or hackers. Telephone, cellular phone, and electronic mail may also be the main way in which emergency responders and managers call upon regional and national resources to help in the emergency. In a large-scale emergency, urban area managers will need to effectively communicate with the regional, state, and federal governments. They may need to call upon the forces of the National Guard and the resources available through FEMA. Equally important, EOC officials will need the resources of business organizations that have their own communications networks, their own trucks, and possess a broad range of valuable expertise. Many of those businesses will be volunteering assistance. They will be using—or trying to use— conventional telecommunication methods such as the telephone and Internet. Dis-

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop rupting telecommunications and electronic mail through the cybertactics discussed above could greatly impede this communication. The necessity of integration with regional emergency services and agencies presents another facet to the security problem. Rapid communication with regional partners of an emergency management agency is necessary in a large-scale crisis situation. To ensure this, the communications systems have been designed in most cases to trust information coming from regional partners. This assumption of trust presents a situation where the security of an urban emergency management agency is only as good as the security of the weakest partner agency on which it relies. For example, the D.C. Emergency Management Agency works closely with the Virginia and Maryland emergency management groups and various emergency response units in neighboring jurisdictions. An attack on any of these regional partner agencies could be used to spread misinformation. Misinformation planted at a regional partner agency will be considered trustworthy by the urban emergency management agency. This is a real problem, as many county and local emergency response units do not have the resources to implement the computer security that urban emergency response groups may have. The final vital form of communication is from the emergency response system of agencies to the general public. Emergency responders need to inform victims of the emergency what their course of action should be. In addition, those who are not directly a victim of the attack need to know that the government is taking action to alleviate the situation or they might lose faith in the ability of the government to protect them. This communication will mostly take place through television and radio. It is unlikely that this communication could be substantively disrupted because of the many alternative media channels and the existence of the preplanned emergency radio broadcast network (in the United States). Increasingly, government agencies post information on web sites and send electronic mail directly. The D.C. Emergency Management Agency maintains an EOC web site with which it communicates both with the public and with emergency services of surrounding areas. Terrorists may attack the computer systems that operate television and radio stations. They might prevent the government from making use of some of these media outlets or they might plant false broadcasts that will increase public terror. Web sites where information is posted are easy targets to attack. Denial-of-service attacks could be used to disrupt access to a particular site or hackers could gain unauthorized access to the site and plant false messages. There are numerous examples of hackers defacing web sites for political goals. Pakistani hackers have in the past gained unauthorized access to the web sites of the Indian Parliament and India’s Department of Atomic Energy, stealing information and defacing the web sites. In the Israeli-Palestinian conflict, statistics show that politically tumultuous events have caused increases in the

OCR for page 14
Countering Urban Terrorism in Russia and the United States: Proceedings of a Workshop defacement and disruption of Israeli computer systems by hackers. Finally, after the April 2001 midair collision of a U.S. surveillance plane and Chinese fighter plane, Chinese hacker groups organized and sustained a week-long cybercampaign against U.S. targets. They used denial-of-service attacks to limit the operability of U.S. systems and inserted pro-Chinese images into many U.S. government web sites.5 It is possible that hackers could gain access to web sites on which the government would post emergency information and replace it with incorrect information for the public to access. In summary, communication during a crisis situation will be a critical part of the emergency response. Coordination is required for an effective response, and rapid, secure communication is the only way to conduct such coordination. A large-scale emergency will stress the communication between organizations that are normally autonomous and in some cases competitive. The necessity of communication and the stress on the system make the lines of communication an attractive target for terrorists hoping to disrupt an emergency response and amplify the effects of a physical attack. CONCLUSION Cyberterrorism is often dismissed as an unlikely tactic of serious terrorist organizations because its results are seen mainly as a nuisance and unlikely to produce casualties. It is clear, however, that a well-thought-out cyberattack on emergency responders could significantly amplify the damage resulting from a physical attack. This paper has attempted to identify the salient properties of an emergency response effort, and then examine a few ways in which the emergency response might be impeded by cyberattacks. Not only must individual agencies work on protecting themselves from cyberattack during a crisis, they must be able to mount a coherent cyberdefense under the stress of a crisis. Our working group believes that Russia and the United States share this problem. The governments in both countries need to think through how to avert cyberattacks directed at emergency response activities. Policies, plans, and budgets need to be put in place to assure the functioning of emergency responders. 5 Vatis, M. 2001. Cyber Attacks During the War on Terrorism: A Predictive Analysis. Hanover, NH: Institute for Security Technology Studies at Dartmouth College, September 22, 2001. See pp. 7– 11 of http://www.ists.dartmouth.edu/lib_assessments2.php.