Timetable Set for Better Intelligence Network
The US government's executive and legislative branches have quickly heeded recommendations from the National Commission on Terrorist Attacks Upon the United States (the "9/11 Commission") to improve information-sharing capabilities between federal agencies and among federal, state, and local officials. Both the legislative and executive branches have for the first time established firm deadlines for agency heads to submit plans for architectures and procedures that will enhance data sharing.
The commission released its final report, which included its recommendations for a shared intelligence network, in late July 2004 ( www.9-11commission.gov/report/911Report_Ch13.pdf). On 27 August, President George W. Bush signed an executive order establishing a timetable in which agency heads must begin planning for such a network ( www.whitehouse.gov/news/releases/2004/08/20040827-4.html). Two weeks later, Senators John McCain (R-Ariz.) and Joseph Lieberman (D-Conn.) introduced a 281-page omnibus antiterrorism bill with 17 pages dedicated to establishing a new information-sharing network and stipulating deadlines for agency heads to report on their efforts to build it ( http://govt-aff.senate.gov/_files/090704bill911commission.pdf).
The executive order gives a newly formed Information Systems Council 120 days to submit a seven-step plan for building the network.
The proposed legislation, in turn, orders the president to submit a "system design and implementation plan" for the network to Congress within 270 days of the bill's passage.
The 9/11 Commission's report isn't the real impetus of the recent governmental action, however. The commission took much of its technology ideas from a report that the nonprofit and nonpartisan Markle Foundation wrote in December 2003. This report is acknowledged as the wellspring inspiring current consensus on enhancing information sharing ( www.markle.org/downloadable_assets/nstf_report2_part1_homepage.pdf).
"The commission was influenced to a fair degree by the foundation report," says James Lewis, director of the technology program at the Center for Strategic and International Studies. "There was a lot of overlap, most significant being that the executive director of the commission, Phil Zelikow, had been the first executive director of the Markle Foundation," says Lewis, who worked on the report. "I think Bush was responding to the commission, but the commission was responding to the foundation."
Lewis believes the commission report's timing—as the 2004 presidential campaign began in earnest—was also responsible for the quick action.
"Most of this is politics. There's a real problem, but the problem has been around for a few years, and the sudden attention and rush has more to do with worrying about outcomes in November. Neither side wants to hand the other guys a club they can be beaten over the head with. The Bush guys have tried to encourage information sharing. The Markle [report] had an effect even before the commission report. People knew it was a problem, and they've been working on it."
However, Lewis also says establishing a timetable for submitting plans is fine, but actually detailing the technological, procedural, and cultural attributes of data sharing that bridges multiple federal agencies as well as state and local entities will be extremely difficult.
"It's nice to get a Presidential Decision Directive or an executive order, but it doesn't count for much unless you put people in who are going to implement it and pursue it," Lewis says. "Right now, that would fall on the FBI director, the director of Central Intelligence, and a little bit on the secretary of defense. My question is, what are those guys going to do to make sure the order's carried out? To be fair, FBI Director Robert Mueller and former CIA Director George Tenet have made a strong push to get the two agencies to work together better. The question now is what more needs to be done? The Markle report notes that on the federal level, the FBI and CIA have been working together better, but pumping information down to state and local levels is still a problem. They haven't figured out how to do that."
Lewis says an overall lack of funding means it's likely that agencies will try to piggyback law enforcement communications onto state and regional high-speed networks already existing or under construction.
Even if street-level information can be bootstrapped onto existing networks, Lewis says technological integration would be just part of the problem.
"The issue we haven't resolved is how much of this is a law enforcement problem and how much is a traditional counterintelligence problem. Linking those two together has been the hard part."
Another obstacle to establishing better data sharing has been balancing civil liberties and the government's asserted need for information. Lara Flint, staff counsel for the Center for Democracy and Technology, says the new flood of emphasis on better data sharing might also help encourage wider debate about new technological capabilities' privacy implications.
"I think the public, as we get further away from 9/11, is becoming more concerned with the privacy implications of the fight against terrorism, and I think that's started to be reflected in government policy," Flint says.
Greg Goth is a freelance writer based in Connecticut.
Secure Real-time Operating Systems at Lower Costs
The mission for vendors of real-time operating systems (RTOS), should they choose to accept it, is to increase safety and security while meeting government-imposed certification requirements and keeping costs down. Although this is a tall order, most vendors appear to be meeting it.
"We see [the security-cost conundrum] as more of a continuum rather than two mutually exclusive requirements," says Joe Wlad, certification manager for Wind River Systems in Alameda, Calif. "Our challenge is to create a foundation that supports both objectives, but if a common foundation is used along with some of the artifacts from previous certification activities, the process is simplified."
John Carbone, vice president of Express Logic in San Diego, Calif., says that keeping it simple also keeps it safer and cheaper. "By keeping solutions simple, cost can be contained and many of the largest problems facing developers can be solved," he says.
In demanding more security for less money while meeting more stringent certification standards, the military has made clear its desire for commercial off-the-shelf products. But rather than providing even more of a challenge, the insistence on COTS products has actually gone hand-in-hand with other considerations.
"From our vantage point, the COTS reusability question is answered by use of standard interfaces such as ARINC 653 and Posix," Wlad says. "These standards are the foundation for modularity and reusability."
Carbone agrees, saying that standards such as ARINC 653, MILS, and DO 178B combine to provide strong protection against hackers, viruses, and sabotage. This leads to certifiable versions of COTS products that successfully address the military's certification and security needs.
Carbone also says that while this issue is much less severe outside of military design, it exists to some extent in other government agencies—such as the FDA—and commercial groups, in the automotive sector in particular.
Kevin Nilsen, chief technology officer for Aonix, an international military vendor, says that with the war on terrorism and the Iraq war, military spending has increased, but not necessarily with respect to research and development.
Nilsen says that as products are used across different industries, their cost is born across them as well. This lets the military use security technology that commercial industries have already used and paid for.
Take Java use, for example. "There is a sense of the military catching up to the commercial space," Nilsen says.
In terms of security, different vendors cite different areas on which they're focusing.
For instance, Wind River Systems is building a version of VxWorks AE653 for the C130 program that requires a separation kernel to comply with Common Criteria EAL 7 requirements (see the related article on p. 28). Another military RTOS vendor, Weber Shandwick, is developing a separation kernel for which the operating system will have multiple partitions or virtual machines, where applications of different security levels can coexist on the same hardware and operating system.
But they all agree on the importance of partitioning with respect to developing RTOS security measures.
According to Roger Villareal, group manager at Weber Shandwick, "Hacking has not yet been a real problem, but with the battlefield becoming net-centric, there would be more opportunities for the red forces [hackers] to make an electronic attack. The military is making sure that does not happen through the use of partitioning to ensure separation."
Benjamin Alfonsi is a freelance writer based in New York.
The European Network and Information Security Agency began operations in October 2004. ENISA will collect and analyze security information, advise and assist the European Commission and the European Union (EU) member states on information security, and raise information-security awareness and cooperation among European industry and government. The agency has a budget of €34.3 million over five years and will be based in Heraklion, Crete.
About 80 percent of the world's hackers live in Brazil, according to the country's federal police force. Brazil is currently reviewing proposed cybercrime laws, but none have been enacted, forcing the federal police to pursue hackers under theft and fraud laws. Cybercrimes now account for more financial losses in Brazil than bank robberies.
The US Department of Homeland Security (DHS) is planning several pilot projects to address the lack of real-world attack data available for cybersecurity research. In February 2004, the DHS started the Protected Repository for Defense of Infrastructure Against Cyber Threats (Predict) program, which encourages large private-sector infrastructure companies to volunteer real-world incident data that researchers can use to test prototype security products. DHS is also developing a new vendor-neutral cybersecurity test bed, known as Deter (for Cyber Defense Technology Experimental Research), a homogeneous emulation cluster based on the University of Utah's Emulab facility. The project will receive US$14 million, and the DHS should award pilot project contracts in January 2005. DHS has also formed an ad hoc government and industry committee to study and develop security projects for the Domain Name System, a critical part of Internet infrastructure.
A poll of 493 people conducted by the National Cyber Security Alliance (NCSA) at the Digital Edge Expo in Washington, D.C., in September 2004 showed that 30 percent of respondents thought that they were more likely to win the lottery, get hit by lightning, or be audited by the IRS than become the victims of a cyberattack. The poll results show a general lack of awareness of cybersecurity threats. Ken Watson, NCSA chairman, declared October 2004 National Cyber Security Awareness Month. "Cybersecurity should become second nature, just like brushing our teeth," Watson says. "Industry projections note that by year's end, Internet users will have been confronted by an estimated 100,000 forms of malicious code. About 91 percent of PCs today are infected with spyware programs that send information from your PC to an unauthorized third party."
The US House of Representatives passed the Spy Act and the I-Spy Act to combat spyware. The Spy Act requires companies that distribute software capable of electronic monitoring to obtain explicit permission from users to install the software and gather data. It establishes civil penalties for those who don't. The bill permits federal intelligence agencies to use spyware with a court order. The Spy Act goes into effect one year after it's signed into law and expires in 2009. The I-Spy Act increases jail sentences by up to five years for people who use spyware to steal credit-card numbers or commit other crimes. I-Spy also authorizes US$10 million to help the Justice Department enforce the act.
European Union interior ministers have approved regulations that would make fingerprint biometrics mandatory for European passports. This overturns an earlier policy that made only facial images mandatory with fingerprints as a secondary option. The move aims to address the biometric requirements set by the International Civil Aviation Organization and the US. The United Kingdom appears to be supporting a German proposal to add iris scans as a third, optional form of ID. The ministers considered requiring that individual nations hold biometric data in central databases and establish a European Register accessible to law enforcement agencies, but opted to store biometric data on the actual passport.
US Election Assistance Commission officials have announced that five electronic voting machine vendors have agreed to submit their software to the National Software Reference Library. EAC chair DeForest Soaries requested that the largest voting companies—representing 90 percent of voting-machine software—submit code to the library so that election officials could verify the software on their machines. California has already faced such verification issues: the registrar of voters in San Bernardino County couldn't confirm that software on county voting machines was the same as state-certified software. California also discovered that Diebold Election Systems installed uncertified software on 17 machines without informing the state. Soaries acknowledges that the library alone cannot protect elections, but must be joined with other measures, such as voting-machine standards, patch procedures, and election best practices. EAC is also planning a clearinghouse for reports of problems that states encounter with voting machines.
The US Chief Information Officers Council has released the Federal Enterprise Architecture Security and Privacy Profile, guidelines that help federal decision-makers protect sensitive data when sharing it with other agencies. The council developed the guidelines with input from the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and several industry groups. Federal managers should consider data security and privacy from the beginning and at the highest levels when developing new information systems. Information assurance specialists can no longer protect data on their own. Security concerns must affect all development and operation processes. The guidelines address all layers of the Federal Enterprise Architecture: business, service components, performance, technical, and data reference models.
The Electronic Frontier Foundation, the Australian Computers Association, and the New South Wales Council for Civil Liberties (NSWCCL), have submitted affidavits to a court in Sydney, Australia, to sit as "friends of the court" during the proceedings of a recording industry suit against Sharman Networks, maker of the Kazaa peer-to-peer file-sharing software. Cameron Murphy, president of the NSWCCL, argues that the groups can help the court evaluate matters of public interest that otherwise might not be presented at the hearings. Murphy concedes that P2P software can be used to illegally download content, but public interests overrule banning such software. For example, a number of nonprofit organizations, such as Amnesty International and the Free East Timor Association, distribute content over P2P networks.
The US First Circuit Court of Appeals in Boston has agreed to hear an appeal of a federal ruling that would let Internet service providers store and copy customers' emails. The First Circuit Court had ruled that bookseller Bradford Councilman did not violate the Wiretap Act when he read messages customers sent to other booksellers through his email service. The Wiretap Act only prohibits intercepting messages in transit, while Councilman read messages in storage on his mail server. In its ruling, the court acknowledged that the Wiretap Act might be out-of-date for the Internet. The Justice Department appealed the decision, arguing that it overturned years of guidance on wiretap prosecutions. The Electronic Frontier Foundation has filed a brief arguing that Councilman's actions are clearly prohibited by the Electronic Communications Privacy Act's amendments to the Wiretap Act. The court will hear the appeal beginning in early December.