
Clips August 27, 2002

ARTICLES

Head back to drawing board [National Archives and Records Adm.]
Supporting Objective Force [Warfighter Info. Network-Tactical (WIN-T) Program]
Pentagon facility tests tech viability, employee acceptance of iris scanning [Biometric]
Air Force lab tests e-watermarks
A patchwork approach to info sharing
Four components of Homeland Defense Command and Control Info Mgt
Insecurity slows wireless jump
Feds seek networked nation [Homeland Security]
Justice pools online resources
Intell agencies ready to deal
Air Force's chief of staff urges integration
Suit calls PTO systems flawed [Patent Office]
Web Ad Firm to Limit Use of Profiles [Privacy]
WorldCom Staff Told Not to Talk to Auditor, E-Mails Show
Net-savvy teens want teachers to keep up
RIAA: Feeling Burn of Ripped CDs [Piracy]
Should you insure against ID theft?
What are the real risks of cyberterrorism?
Open source software favoured for the public sector


*********************
Federal Computer Week
Editorial
Head back to drawing board

The National Archives and Records Administration has run smack dab into electronic reality: It simply does not have the resources to collect, store and manage the 36 billion e-mail messages and documents the government generates every year.

NARA's solution, as set out in a draft report released last month, is to ask individual agencies to focus on storing the most important records first: those that establish agency accountability, protect citizens' rights and document the national experience. NARA's role, according to the plan, is to act more as a facilitator by advising agencies on what to preserve but not how to preserve it; offering records management guidance and training; and conducting inspections and evaluations.

Whether this approach will work is debatable. In the past, government guidance issued without any authority to back it up with penalties or rewards typically fell by the wayside. Agencies simply ignore those requirements that have few consequences. That's only natural.

But the problem here is what is at stake. As NARA points out in its report, the most important electronic documents, those that outline decision-making processes for program policies and those that can hold agencies accountable for the actions recorded in them, have disappeared and continue to do so. Many agencies now post reports in electronic form only. Once those reports are deleted from the agency's Web site or intranet, they are gone forever.

NARA officials have struggled for years to develop a workable policy for electronic document storage and have settled on a solution that, at best, allows for inconsistency. That's not good enough. Records will continue to be lost, including electronic information embedded in the documents that could prove to be valuable to historians, researchers and journalists.

No doubt, solving the problem presents a monumental challenge for NARA. But officials may need to go back to the drawing board.
***************************
Federal Computer Week
Supporting Objective Force


The Army's Warfighter Information Network-Tactical (WIN-T) program, a tactical intranet for wired and wireless voice, data and video communications, will support the warfighting capabilities of Objective Force, said Col. Tom Cole, WIN-T project manager at the Army Communications-Electronics Command in Fort Monmouth, N.J.

Fielding Objective Force, which will transform the Army's forces to make them better able to survive an all-out fight, by the end of the decade will require not only WIN-T, but its integration with other transformational systems, including:

* Future Combat System: The Army's vision for FCS is to create an integrated battlespace, in which networked information and communications systems provide a competitive edge to soldiers in the field and commanders in the control room. The lead systems integrator team, Boeing Co.'s Space and Communications Group and Science Applications International Corp., was awarded a $154 million contract in March and in June added eight more companies to the mix.

* Joint Tactical Radio System: The Army in June awarded Boeing Co. an $856 million contract to lead the development and initial production of the first generation of JTRS, which uses software-centric radios that can be programmed to patch users into various radio frequencies, unlike today's radios, which are not interoperable.
*************************
Federal Computer Week
Pentagon facility tests tech viability, employee acceptance of iris scanning


Members of the Pentagon Athletic Club are trying out a new piece of equipment: an iris scan system.

The Defense Department Biometrics Management Office is in the middle of a three-phase "quick look" project using iris scan technology to access the athletic club. Members are voluntarily signing up to test the Pentagon system, which involves capturing data from a member's identification card and iris, said Maj. Steve Ferrell, executive officer for the Biometrics Fusion Center, the testing and evaluation facility for the Biometrics Management Office.

"It takes no more than two minutes to enroll and verify a new user, which includes downloading the new template to the server," Ferrell said. The enrollee can then gain access to the athletic club with the iris scan and a member ID card. Ultimately, the goal of the project is to eliminate the member ID-based system and move secure access procedures to biometric technology.

After the Oklahoma City and Sept. 11 terrorist attacks, federal workers seem more open to new technologies that will improve security, said Rich D'Adamo, president of Workforce Solutions LLC, a consulting company based in Hunt Valley, Md.

"There definitely seems to be a general acknowledgment among federal employees that the ID card and metal detector systems being used to gain access to most federal buildings are vulnerable," he said. "I don't sense there is widespread acceptance of smart card technology at this point, primarily because of the perception that the cards will require uploading personal information that could be used in a Big Brother-type scenario." However, fingerprint and iris scanning seem to be more widely viewed as less intrusive, D'Adamo said.

Iridian Technologies Inc.'s IrisAccess 2200 system detects an individual approaching the imager. Once the person's eye is 3 inches to 10 inches from the mirror in the unit, a camera captures an iris image, which is digitally processed into a 512-byte IrisCode template, according to company officials.

A search function performs real-time database matching at the remote unit. When an iris matches a valid IrisCode template in the database, access is granted almost instantly.

Moving from member IDs to the iris scan system will enable not only secure access to the facility for members but also "promote convenience for them since they will not have to carry anything on their person," said Linda Dean, director of the Biometrics Management Office, adding that it also helps Pentagon staff members verify the identity of people attempting to gain access.

The project has 100 enrollees and more people enroll daily, which is promising because the Pentagon Athletic Club has about 8,000 members, according to Ferrell. Feedback has been positive. "The members can't wait to not have to use their ID card when they are running," he said.

Richard Norton, executive director of the International Biometric Industry Association, said the key to a project such as this is getting necessary information to the participants, such as how the system works, what it's used for and what the benefits are. "Once people understand how it is used and why, their trust in the system will be significant," he said.

Norton said the iris scan technology has benefits for both users and the athletic center because ID cards and passwords are no longer necessary, expiration dates are obsolete and athletic center employees no longer have to take the time to check people in.

Any privacy concerns should also be allayed because an individual's iris data cannot be used for any other purposes. "Nothing can be done to abuse it," Norton said, adding that if anything, the iris scan system should enhance privacy.

***

Phased approach

The Defense Department's Biometrics Management Office's "quick look" at iris scan technology at the Pentagon Athletic Club involves three phases.

Phase one involved demonstrating iris scan technology to the athletic club's staff. Phase two, which began July 23, involves enrolling members into Iridian Technologies Inc.'s IrisAccess 2200, said Maj. Steve Ferrell, executive officer for the Biometrics Fusion Center. Phase three, scheduled to begin Aug. 30, will involve using IrisAccess 2200 as the sole tool for access into the athletic club. Ferrell declined to comment on the project's cost.

DOD's quick-look projects involve testing and evaluating commercial off-the-shelf biometric products for a specific DOD security access requirement. If testing determines that the product satisfies the requirement and if resources are available, the tool can undergo more aggressive testing as a Biometrics Fusion Center pilot project, which would determine whether the product should be deployed at a service, agency or command.
************************
Federal Computer Week
Air Force lab tests e-watermarks


The Air Force Research Laboratory (AFRL) Information Directorate announced last week that it has selected Digimarc Corp. to collaborate on a research and development project using digital watermarking to combat fraud and enhance security.

Digital watermarking ensures the security and authenticity of digital photographs by embedding an encrypted image in the photograph, similar to the watermarks used on the redesigned $20, $50 and $100 bills.

The project will explore the use of digital watermarking as a security feature for identifying fraudulent or altered identity documents, said Bruce Davis, chairman and chief executive officer of Digimarc. The contract was awarded earlier this month and is supported by the Air Force's R&D funding, but the Tualatin, Ore.-based company would not provide further financial details.

In cooperation with AFRL, Digimarc will produce sample identification cards and deploy them as part of a security access system at a law enforcement assessment facility in Rome, N.Y., where the AFRL Information Directorate is located. Military, federal government and law enforcement representatives from across the nation visit the facility. Digital watermarking will be used on the cards to combat fraud and enhance security, according to a spokesperson for the company.

Raymond Urtz, director of the AFRL Information Directorate, said there are "broad implications for addressing the problem of document counterfeiting and forgery through digital watermarking technology," and AFRL is looking forward to collaborating with Digimarc on the research project.
**************************
Federal Computer Week
A patchwork approach to info sharing
Army officer garners interest with Web app


Imagine that a terrorist group has released a chemical agent in northern New Jersey that could, based on wind conditions, affect the entire region and even spread into neighboring New York City.

Responding to such an event would take extraordinary coordination among federal, state and local officials, who would need to analyze maps and wind conditions, determine exactly what chemical has been released and quickly inform citizens what to do before it spreads to their homes.

Maj. Shawn Hollingsworth, chief of the integration and evaluation division at the Fort Gordon, Ga., Army Battle Laboratory, realized a while ago that, in such a scenario, lives would be saved or lost depending on how quickly government officials could find the information they need.

Ideally, a single information network would be available through which everyone from state and local first responders to officials in the Defense and Homeland Security departments could receive snapshots of data tailored to their particular work and their geographical location.

The basic systems that would feed such a network already exist, but they were not designed to work together, which is just the problem Hollingsworth has attempted to fix with the Homeland Defense Command and Control Information Management System.

HLDC2IMS can be used for everything from force protection to homeland security, and is already generating interest from the upper echelons of the DOD and homeland security communities, Hollingsworth said.

The system, which he began working on last December in response to the Sept. 11 terrorist attacks, ties three existing commercial systems and one military system into one Web-based application.

The Defense Information Systems Agency's (DISA) Information Dissemination Management tactical system, which is used for sharing information on battlefields, is the basis of the system.

Without the foundation that DISA provides, Hollingsworth's system couldn't have happened. The system backbone "provides priority-driven, assured transport of information and manages the flow between sources and users, across multiple communications platforms," Hollingsworth said. "Different people see a different picture."

HLDC2IMS updates information every 30 seconds. The system also sorts information based on profiles and clearances, so users only get the information they need and are authorized to receive. "That's something other systems don't do," Hollingsworth said. "It's not just for security, but also keeps your picture uncomplicated."

HLDC2IMS also includes "assured delivery" features, so if servers crash, the system finds the shortest available route to the area requesting data and sends it through, with high-priority information requests bypassing others when necessary, he said.

Favorable Notice

Several civilian and DOD officials who have seen demonstrations say they are impressed with the system.

Jim Flyzik, former chief information officer at the Treasury Department and now on detail to the Office of Homeland Security, said the Bush administration seeks just those kinds of systems.

"One of the things we're trying to do in homeland security is identify best practices and identify key applications out there already that we can leverage and use across the country," Flyzik said. "We're hearing literally about hundreds of systems across the country, and we're trying to look at all of them."

Still, Flyzik said that Hollingsworth's system shows promise for use in the evolving department.

"We want quick hits for applicability to [aid] the homeland security mission, and [HLDC2IMS] certainly has many interesting features worth looking at," he said. "There's potential for something that may have applicability to port to other areas for the homeland security mission."

The system could also have a place in the Enhanced C4ISR for Homeland Security Operations (ECHO) program, said John Mitchell, technical director of the Joint Forces Command's Joint C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance) Battle Center.

ECHO will be responsible for the initial command and control architecture and infrastructure supporting DOD's new homeland defense command, Northern Command, when it is formally established Oct. 1.

HLDC2IMS "looked pretty good, and I think it had much broader application than just the Army," Mitchell said. "Everybody is trying to do the right thing, so you have got to be careful about what you give to the user." Mitchell said HLDC2IMS deployment could get a jump-start through the Advanced Concept Technology Demonstration (ACTD), a DOD program designed to fund the rapid fielding of new technology. DISA is the technical manager for ACTD, and Joint Forces Command is the operational manager.

Mitchell said those parties, along with the Joint Task Force Civil Support Team, will observe HLDC2IMS in action at the Consequence Management 2002 conference at Fort Gordon in late September.

The system stands a chance of being adopted, although it's not a done deal, he said.

"I think what they've done is great so far, [but] there are a lot of competing technologies for what they have, and we'll look at those and pull in the best," Mitchell said. "It's got to be mature technology that can integrate with the baseline we're establishing, but some of its components are already in the baseline so it ought to fit fairly well."

Not Easy Getting Green

The HLDC2IMS has received only $179,000 in funding so far, and money, or a lack thereof, is the greatest obstacle to the system's continued development and national use, Hollingsworth said.

Representatives from numerous defense and civilian agencies, including the Federal Emergency Management Agency and the Navy's e-business office, have seen demonstrations of the system, and Hollingsworth said he hopes someone will fund the system.

"No one presented with the live system has had a negative comment about it," Hollingsworth said. "They are all amazed at what we're able to do with so little, when other systems cost millions."

At the demonstration next month, the system will use simulated sensor data from ENSCO Inc.'s Sentry system because Hollingsworth doesn't have the budget for a live feed, said Tom Cirillo, director of business development at ENSCO.

"Simulated sensor responses will create incident reports" at the demonstration next month, Cirillo said. "But Sentry creates those reports automatically, including the chemical release, time of day, where it's going and metro conditions." He added that Sentry is deployed at a "high-level DOD facility" in the Washington, D.C., area.

Once the proposed Homeland Security Department is established and handling massive amounts of information internally, as well as from the intelligence agencies, state and local governments and others, program managers will "determine how to push information into" HLDC2IMS, Hollingsworth said.

"Some customization will take place," he said. "But the foundational technologies are all scalable, and based on that, we can go forward."

If the system was brought into the homeland security ACTD, more funding would be made available, Mitchell said.
**************************
Federal Computer Week
Four components of Homeland Defense Command and Control Info Mgt


1. The backbone of the Homeland Defense Command and Control Information Management System is based on the Information Dissemination Management Tactical system, a Web-based technology run by the Defense Information Systems Agency (DISA) used for sharing information on battlefields. HLDC2IMS includes access policies so that only authorized users can send and receive information, and bandwidth throttling, which can assign bandwidth based on priorities.

2. ESRI's ArcIMS provides distributed mapping services on the Web and captures not only geographical map features, but also incidents and events against the map pertaining to ongoing terrorism. The layers of the map enable incidents to be presented geographically for analysis; for example, a biological attack involving poison gas on a layered map can tell what the affected geographical region is.

3. ENSCO Inc.'s Sentry is Web-based software that interprets multisensor data and enables users to protect facilities and borders from chemical, biological, radiological and nuclear (CBRN) attacks. Sentry can also monitor internal heating, ventilating and air conditioning (HVAC) systems, including the flow of air through ducts. If the sensors detect a chemical or biological agent, the tool can tell exactly where the agent is going and who needs to get out, and can also shut down the HVAC system.

Sensors can also be set up in strategic locations to take meteorological and CBRN readings nationwide. If anything is detected, the data can be placed on a map, along with the direction the dangerous element is heading, indicating both potential and actual affected areas. The system's cost is based on the number of sensors and the size of the area being protected, but can range from $50,000 to millions of dollars, officials said.

4. CallingPost Communications Inc.'s Message911 uses the same map as Sentry and provides names and phone numbers that are automatically called in the affected areas. Managers can type a message into a text box with directions about what happened and how to leave the affected area safely, and then choose emergency response groups to send it to.
***********************
Federal Computer Week
Insecurity slows wireless jump
Emerging security solutions yet to unlock government wireless potential


Handheld computers and personal digital assistants have shed their early geek status and are increasingly seen as valuable tools that can help government workers do their jobs better. As wireless capabilities are added to the devices, enabling such tools as "e-mail on the run," their usefulness only increases.

However, wireless handhelds and smart, data-enabled mobile phones pose particular problems for security managers, problems that will expand as high-speed, next-generation wireless services are introduced in the next few years. With the new services, the portable devices will be able to download and store increasing amounts of sensitive data, but this "always-on" connectivity also opens them up to the same cyberthreats that now plague their desktop cousins.

The good news is that the security industry has recognized current and future threats and is working on solutions. But there are still gaping holes, and many government agencies remain unconvinced that the security gaps can be plugged.

For example, the military's U.S. Transportation Command (Transcom), with its global reach and highly mobile workforce, should be a prime candidate for the use of wireless handheld devices. But those tools are not even on the command's radar.

That's because security concerns far outweigh the potential benefits of these devices, according to Martin Mullican, chief of Transcom's C4 Operations and Security Division. Encryption must comply with Federal Information Processing Standard 140, for example, and such technology is hard to come by.

But that's the easy part, he said. A lot more work needs to be done on authentication solutions to ensure that users on the handheld end of wireless communications are actually who they say they are.

And there is always the fear that handheld devices, which are lost or misplaced far more frequently than any other kind of computing device, could be used to gain access to an agency's network.

"We look at these devices very skeptically, and we don't allow them to be used on an enterprise basis yet," Mullican said. "This soup is a long way from being served."

Standards Needed

A major problem is that the government is stressing the need for standards as a central theme for all of its information technology, and although standards organizations have begun work on defining security profiles for handheld wireless devices, they are still a long way from being ready to publish them.

In the meantime, manufacturers are coming up with their own solutions. For example, the popular Research in Motion Ltd. BlackBerry scored a FIPS 140-1 validation for its embedded technology based on the Triple Data Encryption Standard, but it uses a proprietary security system to do so.

If other handheld device manufacturers also develop proprietary technology, it could prove a management nightmare for security administrators.

Desktop computers, whose locations are fixed and known, have been around for a long time, and security managers feel they have a decent handle on threats to their wired networks and how to account for them, said Robert Manchise, chief technology officer at Anteon Corp., which provides IT solutions and advanced engineering services to the federal government.

Agencies have policies to check for network intrusions, keep firewalls properly configured and ensure that messages are encrypted.

"Their approach has been to keep their network security intact with frequent patches," Manchise said. "But that paradigm doesn't work as well for handhelds. You still have several different operating systems that can be compromised, but how do you get [timely] patches to them?"

Wireless security for handheld devices may be getting a bad rap because of the perceived flaws in early attempts to install de facto standards, such as the over-hyped Wireless Application Protocol. WAP is a carrier-independent, transaction-oriented protocol first released in 1999 that was pushed as a standard for all wireless data networks.

One of the biggest problems with WAP was that it used a set of protocols customized for wireless networks called Wireless Transport Layer Security (WTLS), according to Mike Vergara, director of product marketing for RSA Security Inc., which provides the encryption algorithms at the core of most modern security solutions. Carriers had to translate communications that used WTLS to ones that used fixed network encryption methods, such as Secure Sockets Layer, for Internet-based transmissions.

However, that translation took time to execute, and while it was happening, transmissions were not secure. This "WAP gap" stalled the use of the protocol for secure communications, and although WAP is still widely used, it's nowhere near as prevalent as people had expected it to be.
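The "WAP gap" described above can be modelled directly. The Python below is an added example, not code from the article or from any of the vendors it quotes; its keyed stream cipher is a constructed stand-in for WTLS and SSL record protection (not either real protocol), and the keys and message are constructed values. It shows that a gateway that terminates WTLS and re-encrypts as SSL necessarily holds the cleartext, while a gateway that only forwards end-to-end ciphertext cannot read or undetectably alter it.

```python
import hashlib
import hmac
import os


# Toy authenticated encryption standing in for WTLS and SSL record
# protection. It is NOT either protocol; it only gives the model
# confidentiality plus integrity so the two relay modes can be compared.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a record: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tampering or a wrong key."""
    nonce, ciphertext, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CarrierGateway:
    """The carrier's WAP gateway between the handset (WTLS leg) and the origin server (SSL leg)."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key = wtls_key
        self.ssl_key = ssl_key
        self.observed = []  # everything the gateway could log, leak or be compelled to hand over

    def relay_terminating(self, wtls_record: bytes) -> bytes:
        """WAP 1.x behaviour: WTLS is terminated here and the data re-encrypted as SSL."""
        plaintext = unseal(self.wtls_key, wtls_record)
        self.observed.append(plaintext)  # the gap: cleartext exists on the carrier's box
        return seal(self.ssl_key, plaintext)

    def relay_passthrough(self, record: bytes) -> bytes:
        """End-to-end: the gateway forwards opaque ciphertext it holds no key for."""
        self.observed.append(record)
        return record


def wap_gap_exchange(message: bytes):
    """Handset -> gateway (WTLS) -> server (SSL). Returns (server_plaintext, gateway_observed)."""
    wtls_key = hashlib.sha256(b"constructed handset/gateway key").digest()
    ssl_key = hashlib.sha256(b"constructed gateway/server key").digest()
    gateway = CarrierGateway(wtls_key, ssl_key)
    server_record = gateway.relay_terminating(seal(wtls_key, message))
    return unseal(ssl_key, server_record), gateway.observed


def end_to_end_exchange(message: bytes):
    """Handset and server share the session key; the gateway only forwards."""
    e2e_key = hashlib.sha256(b"constructed handset/server key").digest()
    gateway = CarrierGateway(wtls_key=b"no-key", ssl_key=b"no-key")
    server_record = gateway.relay_passthrough(seal(e2e_key, message))
    return unseal(e2e_key, server_record), gateway.observed


def gateway_can_read(observed, message: bytes) -> bool:
    """True if the message appeared in cleartext anywhere the gateway could see it."""
    return message in observed


def tamper_detected(message: bytes) -> bool:
    """Flip one ciphertext byte in an end-to-end record and report whether the server rejects it."""
    key = hashlib.sha256(b"constructed handset/server key").digest()
    record = bytearray(seal(key, message))
    record[12] ^= 0x01  # first ciphertext byte, after the 12-byte nonce
    try:
        unseal(key, bytes(record))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"GET /balance HTTP/1.1 user=alice"  # constructed sample request
    _, seen = wap_gap_exchange(msg)
    print("terminating gateway sees cleartext:", gateway_can_read(seen, msg))
    _, seen = end_to_end_exchange(msg)
    print("pass-through gateway sees cleartext:", gateway_can_read(seen, msg))
```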

The truth is, Vergara said, successful wireless services such as iMode in Japan show that as Internet-style security standards are adopted for wireless transmissions, "security for wireless can be at least the equal of that in the wired world."

Many security vendors have already developed solutions, in particular for virtual private networks (VPNs) and for mobile systems such as laptops, and are beginning to turn their attention to the handheld wireless universe.

Check Point Software Technologies Ltd., for example, has produced a version of its VPN-1 secure client for use with the Microsoft Corp. Windows-powered Pocket PC and is planning versions for other handheld devices, eventually including next-generation smart phones.

Certicom Corp. has developed an encryption solution called movianCrypt for the Palm Inc. OS and Pocket PC that works with its movianVPN client or third-party applications. V-One Corp. offers a mobile solution as part of its SmartGate VPN software, and Microsoft includes its own VPN software in the Pocket PC 2002 operating system.

This kind of security is becoming the focus for what will likely be the major enterprise uses of handheld devices in government.

The Defense Department "is using VPN technology, for example, and it has made it clear that it certainly would like PDAs to be interoperable with that," said Tony Rosati, Certicom's vice president of products and marketing.

Educating Users

However, developing handheld-specific security solutions may be putting the cart before the horse, because many users don't understand the need for good security practices. Gartner Inc., for example, has calculated that some 75 percent of all PDAs are carried around with even their minimal security features disabled.

And agency managers, who are more aware of the need for security, want a solid understanding of the overall requirements before they will entertain the use of handheld wireless devices. Transcom's Mullican, for one, believes this is an area where technology developments have outpaced policies and practices.

Help may be on the way. The National Institute of Standards and Technology published draft guidelines in July for deploying wireless technologies in agencies, one section of which focuses on handheld devices. The intention is for agencies to use the guidelines to help them incorporate wireless devices into their enterprise plans.

"People have a very inchoate sense of what security is needed with these devices," said Tom Karygiannis, a principal researcher at NIST and one of the authors of the draft guidelines.

"They are operated in a very insecure way currently, and even that security brought to the table by the device vendors is not used adequately," he said. "And these are not very complicated things."

Comments on the draft are due by Sept. 1. If no extensive revisions result from that input, Karygiannis said, the final version of the guidelines could be published by mid-October.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@xxxxxxxxxxxxxxx
******************************
Federal Computer Week
Feds seek networked nation
Office of Homeland Security looks to state, local agencies to build nationwide info net


The Office of Homeland Security plans to launch within the next month one of several initiatives designed to develop a nationwide information technology enterprise architecture to improve information sharing and communications among federal, state and local agencies.

Officials aim to unveil a Web site that public leaders and business executives can access to share information on existing homeland security-related projects, best practices and centers of excellence, said Steve Cooper, senior director for information integration and chief information officer for the Office of Homeland Security. Cooper spoke last week at the Government Symposium on Information Sharing and Homeland Security in Philadelphia.

The Office of Homeland Security wants state and local agencies to provide the Web site with information about homeland security projects that other jurisdictions could emulate or join in on. Texas, for example, created an Emergency Response Network, which gives police, fire and medical emergency responders a way to discuss how to prepare and respond to emergencies and send out alerts on events.

Homeland Security officials hope that if information about the Texas network is on the Web site, other states or local governments with similar systems could find ways to link the systems, or those without systems could join the Texas network. Many local and regional information sharing programs are under way. For example, the Chicago Police Department has created a Citizen and Law Enforcement Analysis and Reporting System, which gives police officers access to information such as arrest records and neighborhood crime statistics to help target resources on the worst crime areas.

The system, which began in the mid-1990s as a local management and incident response system, has expanded since the Sept. 11 terrorist attacks to include local law enforcement agencies nationwide, said Karen Rowan, general counsel to the superintendent of the Chicago Police Department.

Rowan said that this program could be passed on to the federal level, but that the department would move forward with the program regardless of federal government policies.

The more projects and practices that the federal government can find and build on, the more likely a nationwide enterprise architecture will develop, Cooper said. "This Web site will enable us to begin to share and communicate what's going on," he said.

A collection of best practices, ideas and systems is desperately needed at the state and local levels because of the vast differences in expertise, resources and existing infrastructures, said Jose Cordero, chief of the Newton, Mass., Police Department.

Although incidents may occur locally, responses will almost always involve multiple jurisdictions because the impact often reaches beyond the location that was attacked. Therefore, interoperability and regional response mechanisms must be officials' primary concern, he said.

In another effort to reach out to state and local government, Office of Homeland Security officials met with the National Association of State Chief Information Officers earlier this month to start working on state requirements for the enterprise architecture. In that first meeting, officials dealt with the basic questions of definitions and the approach that should be taken, Cooper said.

Because local-level officials are dispersed, Homeland Security officials are still trying to determine the best way to contact them and keep in touch, he said. Officials are already working with organizations such as the National Governors Association and the National Association of Counties, but it is hard to find a central point for information technology leaders at the city and regional levels, he said.

Officials may find that the best way to reach everyone is to rely on the relationships already in place among federal agencies, their state counterparts and local officials, Cooper said.

"It is imperative that we all participate and that we get this enterprise architecture right," he said. "We have got to hear from everybody."
**************************
Federal Computer Week
Justice pools online resources
Web site integration may be starting point for nationwide connection


As the Office of Homeland Security seeks to create networks of networks to share information among federal, state and local government agencies, the law enforcement community is close to completing its own network connection.

The FBI's Law Enforcement Online (LEO) intranet and the Bureau of Justice Assistance's Regional Information Sharing Systems (RISS) program serve the law enforcement community's collaborative needs.

But bringing those networks together through a single Web interface will give users access to computing resources and experts across the entire spectrum of government, said George March, director of the RISS Office of Information Technology, speaking last week at the Government Symposium on Information Sharing and Homeland Security in Philadelphia.

One of LEO's biggest advantages is the ability to offer a secure online space for special interest groups to share information. And RISS excels in providing Web access to databases maintained by jurisdictions across the country, March said.

After the Sept. 11 terrorist attacks, officials at the Justice Department and the Office of Homeland Security started looking for ways to connect the entire law enforcement community. In the end, they decided to link the existing networks, March said.

Members of the law enforcement working group that serves as the point of contact between the intelligence and law enforcement communities are viewing the LEO/RISS integration as a potential starting point for connecting law enforcement agencies across the country.

Jeff Baxter, a member of the board of regents at the Potomac Institute for Policy Studies and a consultant to the working group, advises local police departments seeking access to other jurisdictions' resources to look first to existing network connections, such as RISS, before attempting to create their own.

The hardware and software for the new network connections are already in place. Justice officials have tested the interface, which has also undergone full federal certification and accreditation, March said. He anticipates that final approval will come soon, and then the networks will be available for community use.

Both LEO and RISS will continue to exist as separate entities, because each has different users. In fact, March said, several enhancements to LEO are planned over the coming months (see box).

The Web interface that the LEO and RISS teams have been developing, however, will provide a seamless bridge between the two networks, he said.

Office of Homeland Security officials are considering using the same approach to create information sharing systems across government. However, that task is much more complex.

Agency officials work with a multitude of systems and must address complex questions of redundancy and interoperability, said Steve Cooper, senior director of information integration and chief information officer at the Office of Homeland Security.

It is not an easy solution, but until the many agencies and organizations involved in homeland security have the money to invest in single systems, the network-of-networks approach is the only one that makes sense, said Ken Piernick, senior director of the office's Intelligence and Detection Directorate.

"We can't wreck anything until that occurs," he said.

Officials at the LEO and RISS management offices are establishing an advisory committee to oversee the integration of the two networks. Part of the plan is to capitalize on the strengths of each network by making LEO the lead on advancing Web-based applications and RISS the lead on handling database applications, March said.

The combined system will also have a directory and an e-mail system, which will enable members of either network to contact the person or group with the appropriate expertise. To ensure full security, the directory will give access according to the individual's security clearance.

March sees many potential uses for the networks. For example, LEO could become the central point through which local law enforcement agencies receive homeland security alerts from federal officials.

***

Upgrading LEO

The FBI has several enhancements planned for the Law Enforcement Online intranet over the coming months, including:

* Identifying new collaboration tools.

* Creating a special interest group for crisis management officials.

* Connecting other law enforcement networks, in addition to the Regional Information Sharing Systems program.

* Developing a national alert system that can track whether recipients receive the alerts.
*********************
Federal Computer Week
Intell agencies ready to deal
Homeland security spurs more info sharing


After a long tradition of keeping its information and systems in the shadows, the federal intelligence community is ready to work with civilian agencies to improve the flow of homeland security-related information.

The Office of the Chief Information Officer for the U.S. intelligence community (www.cia.gov/ic) has taken an information architecture created for the intelligence community and adapted it to support communications with other agencies gathering homeland security intelligence, officials said at the Government Symposium on Information Sharing and Homeland Security, held in Philadelphia.

This architecture, developed across several years to support data sharing and collaboration among the many agencies working with top-secret or secret information, defines the system interfaces and policies needed for agencies to exchange information.

"The sharing demands have completely changed," said Dolly Greenwood, director of architecture and implementation in the CIO's office. With the architecture plans, "we can start to build things so they can be totally accessible."

Since Sept. 11, the intelligence community has become much more open to sharing information with nontraditional government users, particularly the federal, state and local law enforcement communities, said Winston Wiley, the CIA's associate director for homeland security.

In addition to work with classified intelligence, the intelligence community is doing what it can to produce sensitive but unclassified information that can be passed on to the larger homeland security community, he said.

The intelligence and law enforcement communities were already informally linked through a law enforcement working group, officials said. The 3-year-old organization, now in the final stages of becoming formally chartered, was established to enable the intelligence community to learn what kind of intelligence information law enforcement officials could use.

But now all of the communities are opening up to one another, which means that law enforcement, first responders and diplomatic officers on the front line are beginning to understand what resources are available from the intelligence community, said Kathleen Kiernan, chairwoman of the working group.

At the same time, the intelligence community now can contact hundreds of thousands of new intelligence gatherers, said Ken Piernick, senior director of the Office of Homeland Security's Intelligence and Detection Directorate.

The final architecture calls for three domains that, while remaining separate, are connected by trusted, controlled interfaces that will allow authorized information to pass back and forth, said William Dawson, deputy CIO for the intelligence community.

Intelink supports much of this homeland security architecture, said John Brantley, director of the Intelink Management Office. Intelink effectively serves as the intelligence community's intranet and provides collaboration applications, Web portals and directories for analysts around the world.

The Intelink Management Office is already working with the Defense Information Systems Agency to provide a secret version, Intelink-S, based on the Defense Department's Secret Internet Protocol Router Network, Brantley said.

The new network will be based on the old Open Source Information System, a secure virtual private network. It will connect DOD's NonClassified Internet Protocol Router Network, the FBI's Law Enforcement Online network, and the State Department's OpenNet, which will allow wider access to State's many visa information databases, he said.

"You keep your network, but you create a protected interface between your network and mine," said Dave McKee, deputy director of State's Intelligence Resources and Planning Office.

***

The power of three

The intelligence community's homeland security information architecture outlines three domains of information, each with its own rules and authorization levels:

* The top secret/secret compartmentalized information domain is for information and users at the highest classification level, primarily traditional intelligence agencies and organizations.

* The collateral information domain is for information and users at the secret level, which extends the community to portions of the Defense Department, the law enforcement community and other agencies.

* The sensitive but unclassified domain brings in nontraditional intelligence agencies and users identified under homeland security, such as the first responder community.
****************************
Government Computer News
Air Force's chief of staff urges integration
By Thomas R. Temin


MONTGOMERY, Ala. -- The Air Force's chief today told his systems underlings to stop acting like members of a tribe and more like members of an integrated team.

The trouble with tribal thinking is it leads to "jealousy over programs and platforms. Too few of us are about integration," chief of staff Gen. John Jumper told assembled Air Force IT employees at the annual Air Force IT Conference.

Jumper said the service's various programs spend too much time distinguishing the difference between an intelligence platform and weapons or firepower delivery systems, when in many cases they should be one and the same thing. That would save time and confusion between becoming aware of a target and killing it, he said.

For airborne crews, "there can be no Web searches. There are no hourglasses up there," he said, referring to the screen icon that indicates a computer is processing data.

The Air Force needs more programs like one in which laser homing data is delivered to an A-10 attack aircraft, Jumper said. That, he said, "is like cats and dogs living together."

Similarly, sensor and other command and control data needs to be integrated on aerial tankers because, despite their narrow specific function, they are always present in battle.

The focus of data integration, Jumper said, should be to give all platforms a "find, fix, track, target, assign, exchange and assess" capability.
***************************
Government Computer News
Suit calls PTO systems flawed
By Wilson P. Dizard III


Charging that the Patent and Trademark Office's databases are riddled with errors, the National Intellectual Property Researchers Association yesterday filed suit in the U.S. District Court for the Eastern District of Virginia to stop the phasing out of paper patent and trademark records.

PTO declined to comment on the pending litigation, NIPRA v. James E. Rogan.

Rogan, Commerce undersecretary for intellectual property, earlier this year unveiled a plan to automate virtually all of PTO's activities to improve service and reduce costs.

PTO last year fielded the Examiners Automated Search Tool (EAST) and the Web Enabled Search Tool (WEST) as steps toward a paperless system. The office has long planned to phase out paper records, partly because it issues them in such volume -- about 3,500 patents weekly, each running 20 or 30 pages. It has maintained that the databases are more reliable than paper records because they can be searched more quickly and thoroughly.

NIPRA said in a statement that it is not opposed in principle to patent automation. But the association asserted that maintenance of paper collections, particularly for foreign records and trademark files, is essential until the automated searching tools can provide results equivalent to a combined search of paper and electronic records.

Association spokesperson Robert Weir said one of the suit's purposes is to direct PTO's attention to problems with EAST and WEST, including missing records and flawed search engines. NIPRA president James Cottone said that eliminating paper records "makes no sense at this time, given the many bugs remaining" in the databases.
*************************
Washington Post
Web Ad Firm to Limit Use of Profiles
By Robert O'Harrow Jr.


NEW YORK, Aug. 26 -- A leading online advertising company agreed today to pay $450,000 and limit its use of personal information to bring an end to an investigation by 10 states into claims the firm inappropriately profiled computer users.

The settlement follows a 30-month probe of DoubleClick Inc.'s use of millions of electronic tags called "cookies" to track, on behalf of clients, what Web sites individual computer users visited and whether they clicked on online banner ads.

Under the agreement announced today by New York Attorney General Eliot Spitzer, DoubleClick still will be able to track consumers online. But it will have to better disclose how it does so and give individuals access to the profiles created about them. The company also agreed to allow an outside company to audit its privacy promises for several years.

Other states involved in the agreement include California, Connecticut, Massachusetts, Michigan, New Jersey and Washington.

"It's hard for consumers to trust e-commerce when they can't see the practices behind the promises," Spitzer said in a statement. "When an online contractor can invisibly track nearly every online consumer, consumers deserve to know the privacy cost of surfing the Web."

"It basically sends a message there are real penalties for companies who don't play fair with customers' information," said Mary J. Culnan, a business professor and privacy specialist at Bentley College in Waltham, Mass.

DoubleClick attracted intense scrutiny from state attorneys general -- as well as from the Federal Trade Commission and privacy activists -- when it announced that it intended to merge its online files with data collected about individuals' off-line purchases to better target promotions.

At the time, the FTC began its own investigation after complaints from consumer activists. Congress discussed the possibility of legislation that would prohibit some of the practices the company was implementing or had proposed.

To quell the furor, DoubleClick dropped its plans to merge online and off-line information about people. It also helped create the Network Advertising Initiative, a group pledging not to use personally identifiable information about sexual orientation, Social Security numbers, or medical or financial data for marketing.

DoubleClick and the other members also agreed to alert computer users to the placement of cookies and give those users a chance to opt out of data collection.

Earlier this year, the company said it would pay $1.8 million to settle a private class-action lawsuit. Today, DoubleClick officials said their agreement with the state attorneys general demonstrates their commitment to privacy.

Among other things, the company said it will disclose how it collects and uses personal information; it will minimize the amount of information it collects and restrict how it shares that information with other companies; and it will alert interested computer users to changes in its privacy policy.

"In order to maintain its position as a leader in online privacy, DoubleClick has worked closely with the attorneys general to build upon the robust privacy practices it has already implemented," said DoubleClick's general counsel, Elizabeth Wang.

At least one critic remains skeptical. Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center, a nonprofit advocacy group in the District, said the agreement is a good step. But it still allows the company to create profiles, as long as it provides notice of the activity.

"We can't go forward saying notice solves all privacy problems," he said.
********************************
Washington Post
WorldCom Staff Told Not to Talk to Auditor, E-Mails Show
By Jonathan Krim

WorldCom Inc.'s former controller warned employees who questioned the company's accounting practices not to discuss their concerns with the firm's outside auditors, according to a new batch of corporate e-mails released by congressional investigators yesterday.

David F. Myers, one of two top finance executives who were fired as a result of the company's accounting scandal, was furious that finance officials in the company's European operations had met with Arthur Andersen LLP auditors to discuss how to properly depreciate some of the company's assets.

"Do not have any more meetings with AA for any reason," Myers wrote in an e-mail on Jan. 22 of this year to Steven Brabbs, a top international finance official based in Britain. "I do not want to hear an excuse," he continued, "just stop. . . . Don't make me ask you again."

The e-mails provide further insight into an atmosphere of tight-fisted control over WorldCom's finances by Myers at a time when the company was improperly booking expenses in the United States, said Peggy Peterson, a spokeswoman for the House Financial Services Committee, which released the messages.

The e-mails do not relate directly to the improper booking of $3.9 billion in operating expenses as capital expenses, which ultimately led the Securities and Exchange Commission to charge WorldCom with defrauding investors. That bookkeeping allowed the company to report a profit instead of a loss because capital expenses are spread out over long periods.

The e-mail discussion was about how much the company could write off the "impairment" of assets in the European division. It is not clear from the e-mails how the issue was resolved.

Earlier the same January day, Brabbs was warned not to pursue the issue with Arthur Andersen auditors by Mark Willson, who worked for the deputy of WorldCom's chief financial officer, Scott D. Sullivan. Sullivan was fired along with Myers.

"Issues such as . . . asset writedown will not be concluded on by UK AA," Willson wrote to Brabbs.

Willson also sent a copy of the note to Myers to show what action he had taken. Myers shot back: "Not that I was looking for another reason to have him executed."

Brabbs, in fact, had challenged financial practices at WorldCom's Mississippi headquarters before.

One day after WorldCom announced the scandal and fired Myers and Sullivan, Brabbs sent a lengthy letter to its auditors describing another instance in which he resisted making adjustments to the international division's books in 2000, despite pressure from Myers.

Brabbs said that journal entries made at Sullivan's direction were improper and amounted to a $33.6 million understatement of costs, and that he had raised the issue with Arthur Andersen. Myers was angry then that Brabbs had gone to the auditing firm, Brabbs wrote.

Brad Burns, a spokesman for WorldCom, said, "We're cooperating with all investigations and will continue to do so until we gain full resolution."
***************************
USA Today
Net-savvy teens want teachers to keep up


By Jinny Gudmundsen, Gannett News Service

Katie Lauerman, 13, researches man-eating sharks online for a school assignment as she simultaneously has "IM" conversations with four friends, reserves books at the public library site and participates in an online quiz.


Katie and other teens across America don't think twice about using the Internet to multitask -- it is something they have grown up doing.


In fact, researchers say today's teens are so Net-savvy that they are reporting a "substantial disconnect" between how they use the Internet outside of school and how they use it in the classroom. According to a new study by the Pew Internet & American Life Project, teens are frustrated that teachers don't incorporate more Web learning into the curriculum or know how to use the Web more effectively.

"They are not saying, 'We don't want teachers,' and they are not saying, 'This is better than teachers,' " said Lee Raine, director of the Pew project. "They are saying, 'We know there is cool stuff on the Internet that helps us learn the things teachers want us to learn, and it would be great if more teachers would integrate these online experiences.' "

The "digital disconnect" has become more pronounced as teens have flooded the Internet. A July 2002 Pew survey estimates that 78% of teens 12 to 17 go online. They have experienced the interactivity of learning on the Web through their exploration of sites and have come to expect the same sophistication when using the Internet at school.

"Instead of just reading textbooks, teachers should use Web sites that are hands-on so kids can learn as they do things," said Lauerman.

The disconnect has not gone unnoticed by teachers. Even teachers at Thomas Jefferson High School for Science and Technology, a Virginia magnet school specializing in technology, acknowledge the disparity in Internet knowledge.

"We [teachers] are catching up, whereas these kids have grown up on it. They are far ahead of us," said Cathy Colglazier, an English teacher.

Colglazier says the new generation of techno-teens is creating a paradigm shift similar to the one that occurred when the first generation of Sesame Street-watching kids hit elementary school.

"We found more multimedia ways to present things," Colglazier said. Now, she incorporates the use of the Internet. "There are always kids who know a whole lot more about technology, and we have to be careful not to fear them but rather to embrace them."

Students participating in the Pew study acknowledge that there are many factors contributing to the "digital disconnect." While most schools are now wired for the Internet, that access may be so limited that it is impossible to get online. Many teachers lack training in how to effectively incorporate the benefits of the Internet into teaching. Students also cited short class times and filtering software as hindrances to online teaching.

Teens in the study acknowledge that some teachers are using the Internet in ways that excite them. They cited examples of chemistry sites that had interactive movies and online scavenger hunts.
*****************************
Wired News
RIAA: Feeling Burn of Ripped CDs


The recording industry blames the rapid decline of album sales on a new technology that allows people to easily copy and transport music. It's expected to cripple the major record labels.

The year was 1979. Audio cassettes and the Sony Walkman were the feared technologies. Twenty-two years later, the industry is making similar claims, but today's culprit is MP3 files and file-trading services.

The hit-driven recording industry has long been at the mercy of popular tastes, but executives still view emerging technology as dangerous.

Shipments of CDs dropped 7 percent in the first six months of this year, a fact attributed to an increase in music downloads through file-trading services, according to a report issued Monday by the Recording Industry Association of America (RIAA).

It's the same argument the organization made two years ago during its legal scrape with Napster. Back then, however, record sales were still climbing.

Today, the decline in sales appears to bolster the RIAA's case.

"There are numerous red flags and warning bells that illustrate conclusively the harmful impact of illegal downloading on today's music industry," said RIAA President Cary Sherman.

But the industry weathered similar downturns when the disco era came to an end -- portable music devices like the Sony Walkman were introduced, and video arcades were competing for teenagers' limited cash reserves.

Three years of tumbling sales hit bottom when CBS Records, then one of the largest labels, was forced to fire 300 employees and close nine distribution centers on one bloody Friday in 1982, an event chronicled in the book Hit Men, which follows the ups and downs of the music industry.

By the mid-1980s, the labels' economic fortunes had turned around. MTV had re-created the rock star. The video game market had disintegrated, and compact discs had supplanted tapes, forcing consumers to replace their antiquated tapes and LPs with digital music.

Congress, too, has repeatedly stepped in to ensure that new technologies wouldn't swallow old business models. In 1992, it created a tax that added a few dollars to the price of digital audio tapes and digital recorders. That money was then distributed among labels.

"Each of these gradations of change can be shocking at first, in the sense that you can digitally send a perfect duplication of a sound recording," said Jim Griffin, CEO of Cherry Lane Digital. "We respond with a fair, but not perfect, way of splitting it up. It's how we responded to webcasting and the audio tape."

While the RIAA works hard to protect its business model, consumers continue to adopt new forms of music media.

The RIAA's most recent study bears this out. People are downloading more files and burning more CDs, according to "Music and the Internet," a study by the Peter D. Hart Research Firm.

Internet users also say they are more likely to download a song -- not buy the album -- after they first hear it.

However, the study is delivered in broad terms and doesn't probe the reasons for consumers' actions. For example, it found that consumers have acquired more burned CDs -- 11.3 this year compared to 5.8 last year -- but there was no indication whether those CDs were personal compilations, which is considered fair use, or mixed CDs made by friends, which isn't.

The study also ignores the effects that online subscription services Pressplay and MusicNet, initiatives backed by the five major music labels, may have had on retail CD sales.

Some analysts believe this is because the labels have not made any effort to provide consumers with choices online, leaving them to fend for themselves.

"Consumers are beginning to understand what digital means," said P.J. McNealy, an analyst with technology research firm GartnerG2. "That goes hand in hand with the PC manufacturers and the ISPs wanting to become entertainment providers. Music is the first introduction of that (thinking), but it takes time to change consumer behaviors.

"The music industry is going through another disruptive technology period like it did 30 years ago, and it will take some time to reverse revenues back in the right direction."
****************************
MSNBC
Should you insure against ID theft?
New policies offer to cover expenses of reclaiming your name
ASSOCIATED PRESS


COLUMBUS, Ohio, Aug. 26 -- The thieves who stole Amy Jo Sutterluety's identity spent $70,000 in her name. They also took her time: a month to close 15 fraudulent accounts. Insurance policies to cover her out-of-pocket expenses for phone calls and legal battles didn't exist back in 1998 when she was victimized -- though she wishes they had.
"HAVING BEEN THROUGH IT, I would say it's well worth the $25 rider," said Sutterluety, an associate professor at Baldwin-Wallace College.
Still, experts have mixed feelings about the growing number of companies that offer such coverage.
Travelers Insurance of Hartford, Conn., first offered an identity theft policy in 1999. Cincinnati Insurance Cos. and Columbus-based Grange Insurance are among those that since have added the coverage, usually as a rider to a homeowner's policy.
The product has been slow to take off, being added to 1 percent or less of policies, and few if any claims have been filed, representatives of the companies said.
The insurance covers expenses to restore credit -- copies, mail, calls, time lost from work, even attorney fees. Premiums range from $10 to $40 for up to $25,000 in coverage; most policies have a $100 or more deductible.
"It's not one phone call to these companies, it's a dozen phone calls, it's a dozen letters," said Linda Foley, a victim and director of the San Diego-based Identity Theft Resource Center.
The Department of Justice estimates there are 500,000 to 700,000 identity theft victims a year. The Federal Trade Commission told Congress this year that the frequency and cost of the crime is growing.
"Given the occurrence and risk of identity theft, and given the real inexpensive nature of this coverage, consumers would be well served to carefully consider getting this kind of coverage," said Todd Boyer, spokesman for the Ohio Department of Insurance.
Victims have testified before Congress that they must cancel a fraudulent account several times because collection agencies keep reopening the cases. Some have lost jobs because of criminal charges filed against the person using their identity, the FTC reported.
INSURERS COULD PURSUE BANKS
Foley said insurers might go after banks that issue instant credit without checking the birth date or address associated with a Social Security number, or collection agencies that reopen cleared cases.
"They're going to force these corporations to adopt these better business practices," she said.
Sutterluety, 37, said she spent about 200 hours calling creditors, police and other agencies. Expenses were about $800, she said, but that could have swelled to $7,500 if an attorney friend hadn't provided free help.
"I am certain that if I did not have the summer off, I would have had to take at least 10 days vacation," Sutterluety said.
Insurers and advocates often quote a May 2000 study saying victims spend an average 175 hours and $808 on legal problems. The study was based on 66 victims who called the California Public Interest Research Group.
About 94,100 victims called the FTC's identity theft hotline from November 1999 through September 2001. More than 80 percent gave no financial information.
About a thousand, or 1 percent, reported spending $1,000 or more trying to restore their credit.
Because of such uncertainty, not everyone is a fan of the insurance.
"You should save your insurance dollars for things that are catastrophic in nature and not just pesky," said Bob Hunter, insurance director for the Consumer Federation of America.
Insurance may cover the costs but doesn't end the "nightmare" of restoring credit, said Mari Frank, a California attorney and victim advocate.
"You still have to do all the work yourself," she said.
*******************************
MSNBC
What are the real risks of cyberterrorism?
By Robert Lemos
ZDNET


Aug. 26 -- In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million. There was just one problem with the account: It wasn't true.
A HACKER DID break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams -- leading investigators to conclude that no lives or property were ever threatened.
"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."
The misreported incident serves as a metaphor for today's pressing debate over the Internet's vulnerability to attack. While warnings pervade government and the media, doomsday scenarios of cyberterrorism that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory.
Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome non-computerized fail-safe measures. As a result, government and corporate security experts, while careful not to dismiss the gravity of the issue, point to this indisputable fact: It is still easier to bomb a target than to hack a computer.
"If we had so many dollars to spend on a water system, most of it would go to physical security," said Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies and point person for the Information Sharing and Analysis Center (ISAC) for the water utilities.
In a so-called "digital Pearl Harbor" exercise sponsored by the U.S. Naval War College and Gartner last month, analysts posing as terrorists were able to simulate a large-scale cyberattack on the nation's infrastructure. But to do so they needed $200 million, high-level intelligence and five years of preparation time. The college concluded that such an offense could cripple communications in a heavily populated area but would not result in deaths or other catastrophic consequences.
Yet the hyperbole about an Internet attack frequently overshadows common sense. On Sept. 11, it took less than 24 hours after four passenger jets were used as weapons of mass destruction for cries of cyberterrorism to emerge as the next great threat, triggering calls for new legislation to broaden the authority of law enforcement agencies.
"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," said Rep. Lamar Smith, R-Texas, in a statement heralding the House's passage of the Cyber Security Enhancement Act last month. His favorite tag line: "A mouse can be just as dangerous as a bullet or a bomb."
That sort of rhetoric is why many dislike the term "cyberterrorism." Ambiguity over its definition, and therefore over which threats are real and which are not, has confused the public and given rise to countless myths. The phrase has become a catchall buzzword that evokes nightmare images that can be exploited to support political agendas ranging from stronger surveillance authority to tighter immigration controls.
"If you say cyberterrorism, you confuse people," said Richard Clarke, President Bush's special adviser for cybersecurity. "Osama bin Laden is not going to come for you on the Internet."
Cyberattacks come in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, Web site vandalism and the occasional major denial-of-service assault.
Control-system attacks attempt to disable or take power over operations used to maintain physical infrastructure, such as "distributed control systems" that regulate water supplies, electrical transmission networks and railroads. While remote access to many control systems has previously required an attacker to dial in with a modem, these operations are increasingly using the Internet to transmit data or are connected to a company's local network, a system protected with firewalls that, in some cases, could be penetrated.
Still, Clarke and other security officials say any damage resulting from electronic intrusion would be measured in loss of data, not life.
"It would be relatively easy to conduct a cost-free or risk-free attack given the endemic vulnerabilities in our system," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth University and a former director of the National Infrastructure Protection Center, the cybersecurity arm of the FBI. "It would be harder to kill people or have a lasting effect using cyberattacks."
It is true, however, that data attacks could have severe consequences without causing deaths. Many power companies and water utilities are operated with networks of computer-controlled devices, known as supervisory control and data acquisition (SCADA) systems, which could be hacked.
SCADA systems could be attacked by overloading a system that, upon failure, causes other operations to malfunction as well, said John Dubiel, a Gartner consultant who worked on the electrical power attack in last month's war games. Such domino effects have been seen in incidents resulting from natural events.
In 1996, the power along much of the West Coast corridor went out for nine hours after a tree branch fell on some power lines and, in combination with several other problems, caused a cascading failure. In 1990, a similar event with an AT&T switch touched off a chain reaction that shut down long-distance communications across the United States.
"The system attacks itself in these cases," Dubiel said.
Making matters worse, more than 80 percent of such critical infrastructure is privately owned, and in many cases the companies have not been sufficiently educated about information security until recently. Security consultants have attested that many utilities have an indirect path to the Internet from their SCADA master terminals.
In November 2001, 49-year-old Vitek Boden was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Maroochydore in Queensland, Australia.
Boden, who had been a consultant on the water project, conducted the attack in March 2000 after he was refused a full-time job with the Maroochy Shire government. He had attempted to gain access to the system 45 times, and his last attempt proved successful, allowing him to release raw sewage into the waterways.
"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.
That the facility failed to notice the first 44 attempts speaks volumes about the state of security at public utilities. In a 1997 survey of 50 utilities, then-graduate student Barry C. Ezell, a captain in the U.S. Army, found that 40 percent of water facilities allow their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected by modem.
Ellen Vancko, a representative for the North American Electric Reliability Council, said such access should not always be considered unsafe. "All the electric companies are connected to the Web in one way or another," she said. "But that doesn't mean our control systems are hooked up to the public Net."
Granted, but an Internet connection does provide one more way for an electronic intruder to get into a system. Chris Wysopal, director of research and development for digital security firm @Stake, said he first looks for connections to the Net when called in to analyze the security of an infrastructure network.
"Whenever we see a control system connected to the Internet, that is scary. There is no need for it, except for productivity, and when you are talking about public safety, you should err on the side of security," said Wysopal, whose company has been hired for such audits only since Sept. 11. "We found a power plant where all the control systems had their administrative systems set to the same password."
Because firewalls and other internal protections are not always adequate, risk levels are increased exponentially if networks are connected to the Internet.
"Are we vulnerable? Absolutely. We have the massive bowl of spaghetti between the Internet, phone lines, and extranets, and no one can map it," said Assistant Attorney General Thackery. "We have miles and miles and miles of wire and none of it is secure. And we have all these windows and doors that are open, and they are still open."
She noted that the Net played a major role in a well-publicized incident in 1989, when the Legion of Doom hacker group seized control of much of the infrastructure of Southern Bell's telephone network. During the attack, the hackers could have tapped phone lines and even shut down the 911 system.
BellSouth "had 42 people that I knew of on 24-hour emergency alert to keep control of their network," said Thackery, who was forced to use an encrypted phone in the Secret Service's office in Phoenix because her line had been tapped. "To me, that's one of the scariest scenarios, and these were all college kids. Just pranksters."
Yet even the most notorious incidents have fallen well short of the type of massive destruction envisioned in some of the more imaginative warnings about cyberterrorism. The Queensland incident, for instance, claimed no lives and cost just $13,000 to clean up, and it was accomplished only with extensive inside knowledge.
Wysopal and many other security experts readily acknowledge that wide-scale infrastructure disruption is no easy feat. Even if an intruder manages to break in, he said, commandeering a system "still requires a fairly sophisticated skill set."
In last month's "Pearl Harbor" exercise, Gartner analysts playing the role of attackers reinforced that observation. "It is very hard to attack something that you don't have a specific knowledge of," said David Fraley, an analyst who simulated an attack on telecommunications networks.
Even in a successful attack on a metropolitan power grid, many critical systems, such as hospitals and prison operations, would continue running because they have independent generators. In addition, utilities and infrastructure operators have elaborate backup measures to protect the public even if a system is breached.
For example, if a hacker were to dramatically raise the chlorine levels of a reservoir, the contaminated water would probably never make it to the public because such supplies are typically tested up to five times before entering public pipelines. The Environmental Protection Agency requires utilities to look for more than 90 regulated contaminants in these tests. An easier attack, and one that such agencies spend more to prevent, is a terrorist dumping chemicals into a reservoir directly.
Federal authorities are also concerned about computer systems that control the nation's transportation systems, including trains, trucks, buses and barges. The railroad industry's networks alone are massive, with more than 500 small railroads to supervise.
"The railroad industry today is one of the biggest users of computer systems in the country," said Nancy Wilson, senior vice president of the Association of American Railroads and point person on the Surface Transportation ISAC. "We were early users of technology and we are big users of technology. If we lose computer capabilities, we would kind of grind to a halt."
For that reason, most rail companies have extensive safety measures and backup systems. Sensors tell when the track has been tampered with, and security mechanisms provide early warning alerts for possible intrusions.
"We have had our share of little hacker problems, but they have never been serious," Wilson said. "I'm not saying we are perfect, but I am saying that we have come a long, long way toward identifying our vulnerabilities."
Redundant safety measures are also taken in manufacturing companies, many of which use SCADA systems. But that hasn't stopped the proliferation of popular urban legends.
In one such myth, a hacker breaks into a food company's network through a Web connection and manipulates a breakfast cereal recipe to add vastly higher levels of iron, threatening children who have a low tolerance for the mineral. Another rumor had a hacker gaining entry to a tank-manufacturing company and changing the temperature specifications for armor used in the vehicles, making the metal more brittle and vulnerable. Neither story is true.
Security experts generally agree that the infrastructure most susceptible to hacking alone is the Internet itself. They often point to the Nimda worm, which by some estimates caused as much as $3 billion in damages and lost productivity.
Some Internet vulnerabilities have been exposed without any attacks. At least one serious weakness was discovered in 1997 when a technician changed two lines of code and nearly brought down the global network for three hours.
The change occurred to one of the hundreds of thousands of routers that form a key part of the Internet infrastructure. Because of the two-line mistake by the technician at the McLean, Va.-based MAI Network Services, one of its routers indicated that it provided the best path to the entire Internet. Other routers then began sending all their data to the ISP's small leased line, crashing MAI's network and clogging systems around the world.
"Within minutes you had most of the routers throughout the Internet going down," said Craig Labovitz, director of network architecture and lead border gateway protocol researcher for security firm Arbor Networks. "It was absolutely the most massive Internet outage we've seen."
Here again, however, the consequences were neither disastrous nor interminable.
"This wasn't a catastrophe. It was a brownout that sporadically hit providers at various strengths," said one network technician to the North American Network Operators' Group following the outage. He noted that at least one network service provider saw a drop of only 15 percent in traffic.
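The cascade described above, in which one router's bad announcement drew the traffic of many others, is easier to see in a small routing model. This is an added illustration, not code from the article or from any of the networks it names: the prefixes, AS numbers and path lengths are constructed, 65000 is a private ASN used as a placeholder, and the leak mechanism modeled (re-announcing more-specific prefixes with a short path, which wins standard longest-prefix-match selection) is an assumption about how such a misannouncement prevails rather than the article's account of the 1997 incident. It also shows the two checks a BGP monitoring service runs to catch a leak: an origin change for a prefix and a sudden jump in the number of prefixes one AS originates.

```python
"""Toy model of a route leak like the 1997 MAI outage described above.
Constructed example: prefixes, AS numbers and path lengths are made up; the
leak mechanism (more-specific prefixes, short path) is an assumption."""
import ipaddress
from collections import defaultdict

# A route is (prefix, origin AS, AS-path length). Constructed data.
def build_rib():
    return [
        (ipaddress.ip_network("10.0.0.0/8"), 100, 3),
        (ipaddress.ip_network("192.0.2.0/24"), 200, 2),
        (ipaddress.ip_network("198.51.100.0/24"), 300, 4),
    ]

def best_route(rib, dst):
    """Longest matching prefix wins, then shortest AS path: a more-specific
    announcement beats a legitimate covering route whatever its path length."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))

def leak_routes(rib, bad_as):
    """Misconfiguration: bad_as announces both halves of every prefix it has
    learned, claiming to be the origin with a one-hop path."""
    leaked = list(rib)
    for prefix, _, _ in rib:
        for sub in prefix.subnets(prefixlen_diff=1):
            leaked.append((sub, bad_as, 1))
    return leaked

def hijacked_prefixes(clean_rib, new_rib):
    """Detection: report legitimate prefixes whose traffic now resolves to a
    different origin AS (the origin-change alarm BGP monitors raise)."""
    changed = {}
    for prefix, origin, _ in clean_rib:
        probe = str(prefix.network_address + 1)  # an address inside the prefix
        now = best_route(new_rib, probe)
        if now is not None and now[1] != origin:
            changed[str(prefix)] = (origin, now[1])
    return changed

def prefixes_per_origin(rib):
    """Second signal: one AS suddenly originating far more prefixes than usual."""
    counts = defaultdict(int)
    for _, origin, _ in rib:
        counts[origin] += 1
    return dict(counts)

if __name__ == "__main__":
    clean = build_rib()
    leaked = leak_routes(clean, 65000)  # 65000: private ASN used as a placeholder
    print(hijacked_prefixes(clean, leaked))
    print(prefixes_per_origin(leaked))
```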
To law enforcement agencies, the Internet's largest threat is simply the ease of international communication and the ability to hide among the seemingly infinite volume of traffic it carries. In an effort to track down terrorists electronically, the FBI has waived several requirements for new recruits who have technical training.
"The worry right now is not so much a cyberterrorism event," said Don Cavender, a special agent and instructor with the FBI's Computer Training Unit at Quantico, Va., "but when the terrorists use the Internet to facilitate the planning of these attacks."



Copyright © 2002 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is a service mark of CNET Networks, Inc.
********************************
Euromedia.net
Open source software favoured for the public sector
27/08/2002
Editor: Joe Figueiredo


Public sector institutions should move to open source software (including free software) because it is cheaper and easier to manage, and also accelerates competition in the software market, according to researchers at the University of Maastricht's International Institute of Infonomics.

This EU-sponsored 'Free/Libre and Open Source Software' (FLOSS) study, which involved surveying 1452 companies and public institutions in Germany, Sweden and the UK, provides information on the use of open source software, and identifies business models and the impact of changes in government policy.

The report also finds that open source software is especially suited for government institutions because it supports the right of access to public information, and provides good control over the security of stored information.

These findings may boost the Dutch open source lobby's arguments for governmental organisations opting for such open source products as the Linux operating system and related applications.

In the Netherlands, the municipality of The Hague has already signed a controversial software contract with Microsoft, and Amsterdam has chosen open source MMBase for its counter services.

Elsewhere, Germany's central government is using Linux in all its workstations, and the French Ministry of Defence, Culture and Economics is migrating to open source software.
*******************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx