Here's Big Brother... now we're all going to be spies on our fellow citizens.
August 23, 2002
By Caron Carlson and Dennis Fisher
In an effort to bolster the nation's cyber-security, the Bush
administration has plans to create a centralized facility for
collecting and examining security-related e-mail and data and will
push private network operators to expand their own data gathering,
according to an unreleased draft of the plan.
The proposed cyber-security Network Operations Center is included in a
draft of The National Strategy to Secure Cyberspace, which was
developed by the president's Critical Infrastructure Protection Board
with input from the private sector and is due to be released Sept. 18.
The call for expanded data collection and analysis results from
administration concerns that efforts to secure cyber-space are
hampered by the lack of a single point of data collection to detect
cyber-security incidents and issue rapid warnings, according to the
draft strategy, obtained by eWEEK. Critics, however, worry that such a
system would be expensive and difficult to manage, and would allow
government agencies to expand their surveillance powers.
Other recommendations include restricting the use of wireless
technologies by government agencies; requiring corporations to
disclose their IT security practices; establishing a "test bed" for
multivendor patches; creating a certification program for security
personnel; and mandating certifications for all federal IT purchases.
Howard Schmidt, vice chairman of the PCIPB, said that the center would
consolidate threat data from the country's collection end points, such
as the FBI's National Infrastructure Protection Center, the Critical
Infrastructure Assurance Office, the Department of Energy and
commercial networks. Private companies would be encouraged to increase
the amount of data collected and share it with the government.
"Major companies generally report this information internally,"
Schmidt told eWEEK. "We're looking for that to come back to a central
According to the draft strategy, the public/private initiative would
involve the major ISPs, hardware and software vendors, IT security
companies, and Computer Emergency Response Teams, in addition to law
enforcement and other agencies.
Some feel that the government's internecine rivalries and
information-sharing rules will hamstring any attempt at centralized
collection and analysis.
"There are such high barriers in government to being able to
disseminate information and adjusting the environment to react to
threats, I don't think it will have much impact," said William Harrod,
director of investigative response at TruSecure Corp. in Herndon, Va.,
and a former FBI computer forensic specialist. "They'll have different
information coming in from different analysts, and they'll have to
weed through it."
The proposed strategy recommends that the center be partially
federally funded, but it would inevitably impose new costs on the
private sector without commensurate benefits, critics charged.
"Government doesn't have a good track record when it comes to
collecting and disseminating massive volumes of data," said Kevin
Baradet, network systems director at Cornell University's Johnson
Graduate School of Management in Ithaca, N.Y. "We could be drowning in
data, most of it noise."
Then there are the privacy concerns.
"Whatever the federal government wants to do with its own data is OK
with me as long as it doesn't waste my personal and corporate tax
dollars," said Karl Keller, president of custom software developer IS
Power Inc., in Thousand Oaks, Calif. "The privacy aspects, however,
concern me greatly. This sounds like a dramatic and evil expansion of
Echelon and Carnivore."
The strategy also calls on the FBI, Secret Service and Federal Trade
Commission to establish a single system for corporations to report
Internet fraud and extortion, illegal hacking, and unauthorized
network intrusions. It recommends that the federal government
systematically collect data on cybercrime victims and cyber-intrusions
from businesses. The administration hopes to assuage industry fears by
recommending legislative changes--including exemptions from Freedom of
Information Act requirements and exemption from antitrust laws--that
would reduce liability for companies turning over communications to