
Clips 02/13/02



Government Executive
February 11, 2002 
NASA managers not sharing lessons learned, report says 
By Kellie Lunney
klunney@xxxxxxxxxxx 

Inefficient technology and a reluctance to discuss past mistakes are keeping
managers at NASA from sharing important lessons with one another, according to
a new report from the General Accounting Office. 

Although NASA requires managers to regularly share important lessons learned
from past projects through an agency-wide database, only 23 percent of managers
surveyed had ever entered information into the system, according to the report,
"NASA: Better Mechanisms Needed for Sharing Lessons Learned" (GAO-02-195). 

NASA managers surveyed by GAO said the agency's database, known as the Lessons
Learned Information System (LLIS), was difficult to sift through and failed to
provide them with useful lessons. Managers are also too busy to submit data
into the system and fear openly discussing past mistakes will put their careers
at risk, the report said. 

"For example, one manager noted that, 'People are never rewarded for telling
about how they screwed-up and caused a problem/mistake.' This will continue to
be a problem until a way is found to allow and encourage people to talk about
their mistakes without feeling that they are risking their careers," the
report said. 

The cultural barriers "present a serious challenge for NASA and the agency may
well be missing fundamental opportunities to share and apply knowledge toward
future mission successes," according to GAO. 

LLIS, which was created in 1995 to help the agency with its mission to complete
projects "faster, better and cheaper," does not automatically sort lessons and
includes few positive lessons, the report said. One manager told GAO it took
more than two weeks to search the database, which contains more than 900
lessons on the development and design of aeronautics and space systems. 

Managers do share lessons during project reviews, informal discussions with
colleagues and training programs, but the dissemination of information is not
nearly as broad as it could be, GAO said. "Respondents reported that they are
unfamiliar with lessons generated by other centers and programs." 

GAO praised NASA for developing a strategic knowledge management plan last
March that is designed to encourage managers to swap best practices and
potential pitfalls. But it said the agency needs to appoint a leader to better
coordinate efforts to educate managers on lessons learned and use storytelling
and mentoring techniques more often to encourage people to communicate with one
another. 

The report also suggested various upgrades to LLIS, including a better search
engine, more positive lessons and a user feedback function. 
NASA generally agreed with GAO's findings and recommendations, noting that
several initiatives to improve information sharing are already under way. 
**************************
FYI: Tauzin-Dingell Broadband Bill is scheduled for a vote 2/27

**************************
USA Today
Federal officers to police airports; 'Trusted-traveler' ID card to be tested
By Blake Morrison, USA TODAY

The federal government will hire thousands of armed law enforcement
officers in coming years to patrol the nation's airports, the new
undersecretary of Transportation told USA TODAY this week. In an interview days
before the Transportation Security Administration takes responsibility for
aviation security Sunday, its leader John Magaw also said he was skeptical
about a ''trusted-traveler'' ID card. But the administration will test the
concept, possibly with members of Congress, he said. Magaw said the new federal
agents will work in tandem with police and other federal authorities currently
at airports. He called their role ''hugely different'' than that of Federal
Aviation Administration inspectors, who handle regulatory, not law enforcement,
issues. ''If we open up their locker, I would expect to see undercover clothes .
. . to work undercover and just watch the public and look for things that don't
fit,'' 
Magaw said. ''I would see them in sport coat and shirt and tie working some
investigations. I would see them in different clothing out on the ramp and in
back exits, making sure people aren't subverting some of those checkpoints. And
I would see them in uniform backing up those checkpoints.'' How many agents
will be hired remains uncertain. Magaw said initial projections range from
3,000 to 5,000, but he cautioned that hiring and training will take time. ''We
wouldn't have that by the end of the year,'' Magaw said. 
Meanwhile, the agency might contract with local police or ask other federal law
enforcement agencies to temporarily reassign officers. ''In each airport, what
we're going to do fairly quickly is try to determine with the local law
enforcement . . . what do we need to have there,'' Magaw said. ''The American
public, as they come up to those checkpoints this weekend, they're going to
expect to see federal law enforcement.'' The new Aviation and Transportation
Security Act gives Magaw the power to hire law enforcement personnel even
though his agency is under the supervision of the Department of Transportation.
Magaw said a test program for the special ID card could feature members of
Congress and flight crews as the initial subjects. The card is designed to
speed travelers through security, but Magaw said an ID holder's baggage would
still be screened. Magaw said the agency wants to ''weigh all the pros and
cons'' before moving forward on a card. Cardholders would provide detailed
information to the agency, along with fingerprints, palm prints or retina
scans.  
***********************

New York Times
February 13, 2002
Computer Security Experts Warn of Internet Vulnerability
By MATT RICHTEL

Asserting that companies had not heeded its private warnings, a
government-backed computer security group warned of a security flaw today that
could make computers across the Internet and within company networks vulnerable
to being controlled or shut down by malicious hackers.

The group, the CERT Coordination Center, based at Carnegie Mellon University in
Pittsburgh and backed by the Defense Department, said it decided to publicize
the flaw because word of its existence had begun leaking out to potential
intruders, who security experts feared might soon exploit it.

CERT officials said they had seen only a handful of "suspicious attacks" that
might have taken advantage of the flaw, but feared that if companies did not
react quickly, the impact could be widespread and costly. Shawn Hernan, a
security specialist at CERT, said companies and individuals were at 
"considerable risk" of attack, given that devices that are vulnerable include
computers and modems as well as switches and routers, which are powerful
machines that direct traffic across computer networks. The flaw can also be
found in some operating systems, like Microsoft Windows.

"Virtually every network uses a multitude" of devices that may have the
security flaw, Mr. Hernan said.

The problem was identified last summer by researchers at the University of Oulu
in Finland, who began working with CERT to tell major computer companies about
the flaw and help create patches for it.

The vulnerability involves the Simple Network Management Protocol (SNMP), which
network administrators use to monitor and manage devices on a network. With
the protocol, an administrator can read status information from a computer,
router or other device, or change its configuration settings, over the
Internet or a company intranet.

The protocol specification itself is not the problem. What the Finnish
researchers discovered, and CERT has since confirmed, is that the software that
implements the protocol in a given computer, router or other device can be
written in a way that leaves it open to attack: fed a malformed SNMP message,
such an implementation may crash or misbehave. Indeed, some of the world's
largest computer makers ship SNMP implementations with this kind of flaw, so
that a device built to accept commands from a friendly administrator can also
be shut down, or in some cases taken over, by an intruder who exploits the
vulnerability.
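To show what an SNMP agent actually has to decode, and where a careless decoder goes wrong, here is an added Python example written for this page (it is not code from CERT, the University of Oulu or any vendor). It builds an SNMPv1 GetRequest, parses it with a decoder that checks every BER length field against the bytes actually received, and then tampers with one length byte so that the packet claims a community string longer than the whole datagram. The community string "public", the object identifier 1.3.6.1.2.1.1.1.0 (sysDescr.0), the request ID 42 and the byte offset of the tampered length are all constructed sample values.

```python
# Added example (not CERT, Oulu or vendor code): SNMPv1 GetRequest builder
# plus a strict BER decoder that refuses lengths that overrun the datagram.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER tags
GET_REQUEST = 0xA0  # context-specific, constructed, tag 0 (RFC 1157)

class MalformedMessage(ValueError):
    """Raised for any message the strict decoder refuses."""

def encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + encode_length(len(payload)) + payload

def encode_integer(v):  # non-negative only; extra byte keeps the sign bit clear
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, continuation bit on all but the last
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def build_get_request(community, oid_arcs, request_id=1):
    varbind = tlv(SEQUENCE, encode_oid(oid_arcs) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_integer(request_id)
              + encode_integer(0) + encode_integer(0)  # error-status, error-index
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_integer(0)  # version 0 means SNMPv1
               + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); refuse anything that overruns buf."""
    if pos + 2 > len(buf):
        raise MalformedMessage("truncated header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise MalformedMessage("bad length field at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):  # declared length points past the datagram
        raise MalformedMessage("length %d overruns message" % length)
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, tag, what):
    t, value, nxt = read_tlv(buf, pos)
    if t != tag:
        raise MalformedMessage("expected %s at offset %d" % (what, pos))
    return value, nxt

def decode_oid(body):
    if not body or body[-1] & 0x80:  # empty, or last arc still continued
        raise MalformedMessage("empty or truncated OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_get_request(buf):
    msg, end = expect(buf, 0, SEQUENCE, "message")
    ver, p = expect(msg, 0, INTEGER, "version")
    community, p = expect(msg, p, OCTET_STRING, "community string")
    pdu, p = expect(msg, p, GET_REQUEST, "GetRequest PDU")
    if end != len(buf) or p != len(msg) or ver != b"\x00":
        raise MalformedMessage("trailing bytes or not SNMPv1")
    rid, q = expect(pdu, 0, INTEGER, "request-id")
    _, q = expect(pdu, q, INTEGER, "error-status")
    _, q = expect(pdu, q, INTEGER, "error-index")
    varbinds, q = expect(pdu, q, SEQUENCE, "varbind list")
    if q != len(pdu):
        raise MalformedMessage("trailing bytes after varbind list")
    oids, r = [], 0
    while r < len(varbinds):
        vb, r = expect(varbinds, r, SEQUENCE, "varbind")
        oid, _ = expect(vb, 0, OID, "object identifier")
        oids.append(decode_oid(oid))
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}

def is_rejected(buf):
    try:
        parse_get_request(buf)
        return False
    except MalformedMessage:
        return True

# Constructed sample: sysDescr.0 queried with the common default community.
SAMPLE = build_get_request("public", [1, 3, 6, 1, 2, 1, 1, 1, 0], request_id=42)
# Byte 6 is the community-string length. Claim 127 bytes in a 40-byte datagram;
# a decoder that trusts that field would read past the end of the buffer.
TAMPERED = SAMPLE[:6] + b"\x7f" + SAMPLE[7:]
```

The point of the decoder is that every length it acts on is compared with the bytes it actually holds before any slice is taken; `parse_get_request(SAMPLE)` returns the community, request ID and OID list, while `is_rejected(TAMPERED)` and `is_rejected(SAMPLE[:20])` both come back true instead of indexing out of range. The same check applies to traps and other PDU types, which this example does not cover.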

According to CERT, among the roughly 250 companies with products that are
vulnerable are Microsoft, Cisco, 3Com and Hewlett-Packard. Also troubling,
CERT officials said, was that they
received little or no response from many of the companies they contacted in the
last six months about the vulnerability.

Mr. Hernan said that in "quite a number of cases," CERT went so far as to send
letters to chief executives when other methods of making contact had been
ignored. "I'm somewhat disappointed in our ability to raise the attention of
some of the companies," he said. "It was a very difficult problem in trying to
raise the attention of the right people."

One company that did respond was Cisco. A spokesman, Steve Langdon, said Cisco
was contacted in "late summer or early fall" and has been working on creating
and deploying patches, "many of which are already available." 

Microsoft said its operating systems were not vulnerable if Simple Network 
Management Protocol settings were left in default mode, but it has provided
instructions on how to disable the protocol. 

A complete list of manufacturers with the vulnerability and the solutions they
offer is available at the CERT Web site, www.cert.org.
*****************************
Computerworld
Wireless LANs are focus of testing, security concerns at DOE labs

By Bob Brewin 

(Feb. 12, 2002) Sandia National Laboratories has begun testing wireless LANs to
determine whether they can meet the kind of rigorous security required for any
Department of Energy (DOE) facility. 

Pace VanDevender, CIO at Albuquerque, N.M.-based Sandia, said the lab has begun
limited testing of wireless LANs in an isolated test bed outside secure areas
because, in his view, "wireless is the wave of the future." 

VanDevender said that although Sandia, which also has facilities in California,
currently has a ban on all wireless networks, the utility of wireless LANs --
especially the ability to log on and gain access to data anywhere without the
need for Ethernet cabling -- makes a compelling business-process case. 

That approach contrasts sharply with a temporary ban on wireless LANs
instituted last month by another DOE lab, Lawrence Livermore National 
Laboratory in Livermore, Calif. Los Alamos National Laboratory in
Los Alamos, N.M., has also started a security review of its wireless LANs,
which could result in their elimination, according to lab spokesman Kevin
O'Rourke. 
He said Los Alamos, where the first atom bomb was developed, currently operates
wireless LANs in three buildings located outside secure areas. Depending on how
secure the LANs are found to be, "they may be eliminated," O'Rourke said. He
didn't know when that decision would be made but said the larger issue of
wireless LANs and security at DOE facilities may be driven by policy at the
national level. 

Despite security concerns, VanDevender said in an interview that wireless LANs
"make it much easier to use and share information in an ad hoc and spontaneous
way." Potential new hires who come from college campuses with a robust wireless
LAN infrastructure want to work in an environment where they can be "online all
the time," he said. 

VanDevender also said he believes the use of campuswide wireless LANs could
eventually lead to changes in business by providing a kind of connectivity that
leads to collaborative work and decision-making. 

Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance in
Mountain View, Calif., said VanDevender's experience reflects the early
adoption of wireless LANs by colleges -- a move that means employers are now
seeing job candidates who expect constant connectivity. 

"A younger generation has grown up with this kind of technology always at its
disposal," Eaton said. 

VanDevender said Sandia is running a small-scale test of wireless LANs outside
the labs' secure areas to better understand security issues about a network
technology that has been proved to be inherently insecure. He declined to
identify what security issues Sandia is examining or what kind of add-on
products are being tested. 

Eaton acknowledged the need to balance security concerns with business needs
and claimed that "both can be satisfied." 

Wireless LANs that cover entire corporate campuses, or in the case of the DOE
labs, widely scattered research facilities, can "fundamentally change behavior
patterns in the way people do their business," Eaton said. But those advantages
must be weighed against the sensitivity and security of data sent over the
network, he said. 

Related stories: 
·       Wireless LAN worries mount, Feb. 4, 2002 
·       Wireless LANs: Trouble in the air, Jan. 14, 2002 
·       Start-up advances public access wireless LAN prospects, Jan. 7, 2002

**********************
New York Times
February 12, 2002

U.S. Backing for Guidelines on Fighting Cybercrime
By BARNABY J. FEDER

The first guidelines for responding to attacks on computer systems to be
endorsed by both the F.B.I. and the Secret Service, the main Federal agencies
fighting such crimes, were published yesterday.

The guidelines were drafted by government and private security experts brought
together by CIO magazine, a trade publication for information technology
executives.

The guidance comes at a time when the number of both government and private
organizations trying to track and fight electronic crimes has been expanding,
partly in response to Sept. 11. But experts say many businesses continue to be
reluctant to provide law enforcement officials with enough information to
pursue cybercriminals. Companies often fear that they will lose business if
security breaches become public or that they will become the target of revenge
attacks.

"People are very fearful of all the publicity that surrounds going after
someone and convicting them," said Bruce Schneier, chief technology officer of
Counterpane, a computer security company based in Cupertino, Calif. 

Such fears can be overcome in many cases, said Ronald L. Dick, the F.B.I.
official who heads the government's National Infrastructure Protection Center. 

"They'll share information with us every time if they have an inkling we can
prosecute successfully," Mr. Dick said. Still, he said, the new guidelines
should help fight fears that the government agencies would respond to intrusion
reports "by seizing your server and putting yellow tape around it."

The 12-page CIO guidelines provide complete contact information for businesses
to report intrusions to public authorities and various information-sharing
partnerships like the 65 InfraGard chapters the F.B.I. has helped set up around
the nation. They also outline practices that the F.B.I. and Secret Service
advocate, like developing relationships with electronic crimes experts at the
agencies ahead of time so that managers have a personal contact to take their
call. 

The guidelines advise against reporting minor intrusions, like the efforts of
outsiders to scan corporate systems for ways to penetrate them. Such probes can
occur hundreds or even thousands of times a month at a major company. 
While such information could be useful in theory, the guidelines say, it would
swamp the current data systems of clearinghouses like the National 
Infrastructure Protection Center or the Internet Storm Center, which is
operated by the SANS Institute, an international research organization for
security experts.

Breaches of computer defenses by worms, viruses, hacks and other intrusions
that cause damage are another matter. Law enforcement officials need all the
help they can get in catching up with such activity, said Bruce A. Townsend,
special agent in charge of the Secret Service's financial crimes division.

"This is constantly evolving, unlike something like drug trafficking," Mr.
Townsend said.

Most experts say cybercrimes cost billions of dollars annually. Last year, only
36 percent of those who experienced intrusions reported them to authorities,
according to an annual survey by the Computer Security Institute and the San
Francisco office of the F.B.I. 

Mr. Townsend said the major part of the guidelines was not the standardized
form for reporting intrusions but the emphasis on planning ahead. Some experts
argue though that few companies will do an adequate job in that regard unless
forced to by regulatory authorities.

"We need metrics of how prepared people are for cyberattacks and provisions
like the Securities and Exchange Commission required for Y2K for corporate
disclosure," said Harris N. Miller, president of the Information Technology
Association of America, a trade group that has participated in organizing
information-sharing groups on security matters.
***************************
Government Executive
February 12, 2002 
CIA, FBI developing intelligence supercomputer 
By Greg Seigle, Global Security Newswire 

After months of criticism that they do not work well together, the CIA and FBI
have begun jointly developing a new supercomputer system designed to improve
their ability to both cull and share information, White House and other U.S.
officials told Global Security Newswire yesterday. 

Under a directive issued by President Bush, and overseen by Office of Homeland
Security officials, CIA and FBI officials are "working like crazy" to create a
comprehensive database that could be used by various federal and, in some cases,
state agencies, officials said. 

"They're trying to push more data and resources to the agencies and people in
the field that otherwise wouldn't have them," a U.S. official said, referring
to a data-mining system that could be used by the 32 federal agencies that
collect classified information. 

"There are several communitywide data-mining architectures that are being
looked at to allow information sharing among the intelligence and law
enforcement communities," the official continued. "A lot of it is tied to the
homeland security initiatives." 

The federal government is spending $155 million this year for "information and
intelligence sharing," with $722 million more requested in next year's White
House budget proposal, according to Homeland Security Office spokesman Gordon
Johndroe. 

"The goals are to tear down the information stovepipes," Johndroe said
yesterday, referring to the long-held practice of various agencies to keep data
to themselves. "Information stays in one pipe, and now we're going to tear down
those stovepipe walls." 

Key Move 

The creation of a new data-mining base, one capable of collecting unprecedented
amounts of information that could be distributed to an array of agencies, has
been viewed as the key move needed to prod the CIA, FBI and other secretive
organizations to truly open up and work more closely and effectively together,
officials and analysts said. 

The sharing of a single database by the various agencies could allow U.S.
authorities to better monitor terrorists and their financial support
structures--and the companies and countries that participate in the spread of
weapons of mass destruction, they said. 

"It's not going to be easy to do this," said L. Paul Bremer, a former
ambassador at large for counterterrorism who co-chaired a January Heritage
Foundation report, "Defending the American Homeland," that deemed as "critical"
more information sharing among intelligence agencies. "It isn't going to solve
the problem, but it's going to make it more difficult for [terrorists] to enter
the country," he said. 

Prior to the Sept. 11 attacks that killed about 3,100 people, five of the 19
hijackers were on various government watch lists but were never detected prior
to the airline attacks, Bremer said. 

The creation of a database shared by various intelligence and law enforcement
agencies is ?the first step in the right direction,? said Bud DeFlaviis,
spokesman for Rep. Curt Weldon, R-Pa., who has been pushing for such a system. 
"It will only improve the flow of information between the agencies," the U.S.
official said. "In the post-Sept. 11 environment there's greater desire for
more information." 

Pooling Resources 

The use of massive high-speed computers with cutting-edge software could allow
a wide range of U.S. organizations to pool resources, enabling them to better
monitor and prevent the movements of terrorists and those that participate in
the proliferation of dangerous weapons, officials said. 
Utilizing the types of supercomputers already used by private industry to
conduct marketing research, the CIA, FBI and other investigative agencies
should be able to move beyond Counterintelligence-21--an information-sharing
system now being used but already considered outdated, analysts said. The new
system would take advantage of a faster, more comprehensive database, they
said. 

The new system under development should "meet the needs of all the consumers,"
the U.S. official said. "A lot of it is driven by [Homeland Security Director]
Tom Ridge's office. It's something [CIA and FBI officials are] working on
continuously. They're continuously meeting, discussing and designing the new
database." 

"It's been the topic of discussion" during meetings between Ridge and President
Bush, Johndroe said. 

Casting a Larger Net 

A new supercomputer "will only help the information flow between the agencies,
particularly between the federal agencies and the state and local authorities,"
the U.S. official said. "It's going to help the people who need it the
most--first responders, the military, whoever." 

The officials and analysts have said that it could be dangerous for too many
people to get their hands on classified information during the war on
terrorism, a concern balanced by the need to get information to all pertinent
officials, including state and local authorities. 

There are ways to safeguard the information on a single database, so that data
is shared only on a "need to know" basis, they said. 

Currently when intelligence agencies share information they do not provide raw
data. Instead they offer outside agencies their interpretations of such data, a
slow, cumbersome and often incomplete process, analysts said. 

To make the most of scarce resources, intelligence officials need to make their
raw data available to pertinent agencies or officials, analysts added. 

FBI officials would not comment, but the U.S. official said the major challenge
in devising a new supercomputer is making sure it has all the proper safeguards
needed to protect the vital information it provides. 

"Intelligence agencies are very reluctant to put a lot of information on a
database that can be shared," Bremer said. "There are very few home runs in
counterintelligence. You win with a lot of bunts and singles."
*******************
EPIC Releases major report on problems with Biometrics and National
Identification.  <http://www.epic.org/privacy/id_cards/yourpapersplease.pdf>

*******************
Newsbytes
Bill Would Limit Telecom Providers Sharing Of Customer Data  
By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
12 Feb 2002, 1:14 PM CST

Sen. Paul Wellstone, D-Minn., introduced legislation on Monday that would
require telecommunications providers to obtain written consent from customers
prior to sharing their personal information with other providers or companies. 

The legislation comes in response to a recent scandal involving telecom giant
Qwest Communications International, which recently dropped plans to share
personally identifiable customer data with its corporate divisions as a
marketing tool. 

Wellstone said many of his constituents overlooked a notice Qwest last month
sent to customers, announcing its plans to share customer information. Many of
those who acted on it reported problems getting through to the company's 1-800
number or navigating the options for opting out of the information-sharing
plan, the senator said. 

The Federal Communications Commission (FCC) is soliciting comment on a final
rule governing the sharing of customer proprietary network information (CPNI). 

Wellstone said he drafted his bill out of concern that the FCC could adopt an
"opt-out" approach to privacy as it relates to CPNI. 

"An opt-out approach presumes consumer consent that such information could be
shared, unless the consumer goes through an unduly burdensome and uncertain
process to request that the provider not share it," Wellstone said Monday
during a floor speech in support of his bill. 

"I'm not telling anyone whether they should want their CPNI shared and made
available to marketers," he said. "I want to leave that choice to consumers." 

Reported by Newsbytes.com, http://www.newsbytes.com 

Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711