
Clips January 16, 2003




ARTICLES

Pentagon database plan hits snag on Hill
Daniels: '04 IT budget about $60 billion
Open-Source Windows? Uh, Kinda
Feds: Power Lines Promising for Internet
FTC Claims Rambus Lost Right to Trial
Discarded hard drives found full of personal data
Customs writing cargo data rules
Groups call for halt to TIA
Registration reopening for eArmyU
System links defense, local agencies
Intell info sharing makes strides
Homeland emphasis added at IAC
Retired exec tapped for Homeland post
Personnel system set for NMCI
Plugging security holes

****************************
CNET.com
Pentagon database plan hits snag on Hill
By Declan McCullagh
January 15, 2003, 6:14 PM PT

WASHINGTON--A Pentagon antiterrorism plan to link databases of credit card companies, health insurers and others--creating what critics call a "domestic surveillance apparatus"--is encountering growing opposition on Capitol Hill.
Sen. Russ Feingold, D-Wisc., is planning to introduce a bill on Thursday to halt the Pentagon's Total Information Awareness program. A representative said on Wednesday that if passed, the legislation would suspend the TIA program until Congress can "review the data-mining issues."


Even if Congress never acts on Feingold's proposal, the unusual step of trying to suspend a military program may prompt the Defense Department to review the TIA program in a way few other tactics could. The bill will also provide TIA critics with a focal point for activism.



If fully implemented, TIA would link databases from sources such as credit card companies, medical insurers and motor vehicle departments for police convenience in hopes of snaring terrorists. It's funded by the Defense Advanced Research Projects Agency (DARPA).

Over the last two months, scrutiny of TIA has been growing, with newspaper editorials claiming that one of the project's leaders, Adm. John Poindexter, is unfit for the job because of his participation in the Iran-Contra scandal in the 1980s. As a protest gesture, activists and critics of TIA have posted Poindexter's personal information online, which may lie behind the removal of information from the TIA Web site on at least three occasions.

On Tuesday, a coalition of civil liberties groups sent a letter to Congress asking that hearings be convened to investigate TIA.

"Why is the Department of Defense developing a domestic surveillance apparatus?" the letter asked. "What databases of personal information would TIA envision having access to?"

In a statement posted last month on the TIA Web site, the Defense Department defended the project as privacy neutral.

"The DoD recognizes American citizens' concerns about privacy invasions," the statement said. "To ensure the TIA project will not violate the privacy of American citizens, the Department has safeguards in place. In addition, (we) will research and develop technologies to protect the system from internal abuses and external threats. The goal is to achieve a quantum leap in privacy technology to ensure data is protected and used only for lawful purposes."

Last week, Feingold and two fellow Democrats--Patrick Leahy of Vermont and Maria Cantwell of Washington state--sent a letter to Attorney General John Ashcroft asking him to disclose how the Justice Department and the Defense Department were using TIA or similar programs.

One person with knowledge of the situation said Republican senator Chuck Grassley of Iowa has been approached as a cosponsor of the TIA moratorium. The endorsement of a Republican would lend the moratorium measure additional heft.

"There are many questions surrounding data-mining initiatives of the government," said Jim Dempsey, executive director of the nonprofit Center for Democracy and Technology. "Sen. Feingold's bill would impose a moratorium on data-mining activities by the Department of Defense or the Department of Homeland Security until the program is justified, assuming it can be justified, and assuming the privacy concerns are satisfied, assuming they can be satisfied."

David Sobel, general counsel of the Electronic Privacy Information Center, suggests an inquiry into whether the TIA program would violate federal privacy laws or the U.S. Constitution. Sobel said the Feingold bill is "a way to begin a legislative debate on the legality of TIA and other data-mining initiatives."

Sobel pointed to Executive Order 12333 <http://www.cia.gov/cia/information/eo12333.html>, which regulates the operation of U.S. spy agencies. It says that those agencies may collect information on Americans "only in accordance" with specific procedures.

A DARPA representative could not immediately be reached for comment.
**************************************
Government Computer News
01/15/03
Daniels: '04 IT budget about $60 billion
By Jason Miller

Mitchell E. Daniels Jr., director of the Office of Management and Budget, today said the Bush administration's request for federal IT funding for fiscal 2004 could increase by more than 15 percent over the 2003 request.

Daniels, who addressed the outlook for 2004 and the president's stimulus package at a U.S. Chamber of Commerce event in Washington, said the agency IT budget request would be "about $60 billion" next year. The administration requested about $52 billion in 2003 and Congress has passed only two of 13 appropriations bills.

"There are tons of overlap and redundancies and we are going to continue to work at it," he said. "There are far too many plans for which we do not have good business cases. Many plans really are counterproductive in the sense that they built systems that cannot talk to systems we have now." IT spending could be one of the few areas where agencies will see a significant increase. Daniels said most programs would see only a modest increase over the 2003 request.

"The president is recommending a deceleration of spending," he said. "There will be moderate growth in nondefense discretionary spending."

The administration is scheduled to release its budget request Feb. 3. Payton Smith, manager for market analysis for Input of Chantilly, Va., said Daniels' estimate is a generous increase over Input's projection of $54 billion for 2004.

"I'm wondering if it is the same type situation that happened this year with the budget request," he said. "We saw a relatively significant increase in the request because the estimate for 2002 increased by about $4 billion."

Smith said most of the increase would likely be seen in three main areas: homeland defense, e-government and security.
********************************
Wired News
Open-Source Windows? Uh, Kinda


Microsoft has no intention of allowing government geeks to freely paw the company's beloved source code.

The company's new Government Security Program will be far more akin to a peep show guarded by aggressive bouncers than a full-blown open-source orgy.

Tuesday's GSP announcement wasn't even much of a surprise to security experts -- Microsoft announced a similar program last April that also gives government clients access to the source code of some Microsoft programs.

"This doesn't seem to be much of a new development," said Robert Ferrell, a systems security specialist for the U.S. government. "It might be a step in the right direction, but it's only one step on a journey of 1,000 miles."

GSP broadens the number of companies eligible to participate in Microsoft's shared source program from 30 to almost 60, and puts the emphasis on securing Microsoft programs rather than simply sharing code.

Sharing in this case doesn't mean that no strings are attached. While anyone can review and change code in open-source programs, Microsoft's shared-source scheme comes with constraints.

Salah Dandan, worldwide manager of GSP, says source-licensing rights under the GSP come in two flavors: reference grants and validation grants.

Reference grants permit the viewing of source code in read-only format for the purposes of conducting security reviews. Validation grants permit agency personnel to work jointly with Microsoft to validate the code and add new features to it.

Modification is restricted to adding customized cryptography applications to the code.

Open-source programmers say the biggest benefit to open-source development is shared knowledge. Thousands of experts pore over program codes and post their problems and fixes on websites and newsgroups.

Participants in Microsoft's GSP program won't be openly sharing the details of whatever they find in MS code.

Dandan said the "source-access rights" will be exclusive to the agency to which they are granted, along with its approved contractors and consultants.

Security experts said conditions such as these would make it difficult for the GSP to provide broad benefits.

"The only beneficiaries in this case are possibly the governments using the GSP'd products that they've fixed or altered under GSP licensing," said Richard Forno, a government security consultant. "The private sector is still stuck using Microsoft products on a lick and a prayer."

Microsoft has separate shared source programs for enterprise and education clients.

GSP access to source code is provided via the Microsoft Developer Network. Authorized government employees can view source code from approved locations through a smart-card-based, Secure Sockets Layer connection.

"This sounds as though you never actually get to hold the code in your hot little hands, as it were, but just view it through an SSL-connected browser," Ferrell said. "An OS like XP is several million lines of code. In order to conduct a thorough audit of something that size, you need to have the whole kit and caboodle available at once.

"Code audit programs have to trace function calls, pull data out of libraries, and perform a lot of similar cross-component analyses that would be exceedingly difficult using a piecemeal approach like the one MS seems to be offering here."

Ferrell stressed that his comments were not based on a complete analysis of GSP and were not made in any official capacity as an agent of the government, and do not represent the views of his employers. "They're just the comments of a crusty old hacker," he said.

Most developers thought that the GSP was simply a way for Microsoft to divert growing government attention from Linux and other open-source products.

"China won't touch Windows, and is leaning heavily toward Linux," Forno said. "That's a huge market for MS to allow slip away. So they're trying to appear semi-conciliatory to open-source-type licensing."
********************************
Associated Press
Feds: Power Lines Promising for Internet
January 16, 2003
By DAVID HO, Associated Press Writer


WASHINGTON - The same power lines that bring electricity to televisions and toasters may become the next pathway into homes for high-speed Internet access, federal officials said Wednesday.


They said the technology offers an alternative to cable and telephone lines as a way to get broadband service, with its ability to quickly deliver large amounts of data and high-quality video signals.



"Every power plug in your home becomes a broadband connection," said Edmond Thomas, chief of the Federal Communications Commission's Office of Engineering and Technology. He said companies developing the technology have overcome many hurdles in the past year.



"It's starting to look like a very viable technology," said Thomas, who described the technology in a presentation to the agency's five commissioners. "We're very excited."



But it is uncertain whether most consumers will get to use it anytime soon, said Mark Uncapher, senior vice president with the Information Technology Association of America, a Washington-based trade group.



"It is still very much an open question just how commercially feasible it is," he said. "It's going to need a company or companies that are really going to champion it."



Internet access over electric lines would be similar in capability to connections over cable modems and telephone DSL, Thomas said.



Such an alternative could lead to more competition and lower prices, Uncapher said.



The FCC has been studying the technology for several months and will pay more attention to it this year, Thomas said. He said no regulations prohibit the technology, but the agency is concerned that Internet transmissions carried over power lines could emit signals inside and outside the home that could cause interference.



"We want to make darn sure this isn't going to cause problems to your TV," he said.


Utility companies PPL Corp. in Allentown, Pa., and Ameren Corp. in St. Louis are conducting trial programs with consumers to test the technology, representatives of the companies said.


"It is working," said Alan Shark, president of the Power Line Communications Association, which is promoting the technology. The trade group includes Internet companies including Earthlink and 11 utility companies that provide power to about 30 million homes.



Earthlink, the No. 3 Internet service provider, has been in talks with utility companies, exploring partnerships to develop and market the technology, said Dave Baker, the company's vice president for law and public policy.



"The engineering challenges are largely being overcome," Baker said. "The biggest challenges now are getting the product to market."



Shark said the technology works by sending information over existing electric power lines. Cables carrying high-speed Internet information would likely be linked to electric lines after they have left power stations. Internet connections could then flow directly into the power outlets in homes and offices or to an outdoor pole that broadcasts a wireless broadband signal to a neighborhood.



The current technology cannot send signals over high-voltage lines that carry greater amounts of electricity to isolated areas, Shark said.



Shark said the technology has other potential benefits, including helping utilities monitor the condition of power lines and providing a back up communications system for communities worried about terrorism, natural disasters or other emergencies.
*******************************
Los Angeles Times
FTC Claims Rambus Lost Right to Trial
From Bloomberg News
January 16 2003
Rambus Inc. has forfeited its right to trial and should be declared at fault in a patent-related civil fraud case because the computer-chip designer destroyed documents, the Federal Trade Commission said.


The FTC asked an administrative law judge to move directly to the punishment phase of the case. The agency charged in June that Rambus used information obtained at industry standard-setting meetings to amend patent applications so its designs would meet the standard. Rambus destroyed company papers related to those meetings, the FTC said.

At stake is as much as $100 million in annual royalties the FTC said it may try to force Rambus to give up, as well as Rambus' right to pursue other royalty agreements.

Shares of Rambus fell 53 cents to $7.99 on Nasdaq.
*********************************
Boston Globe
Discarded hard drives found full of personal data
By Hiawatha Bray, Globe Staff, 1/16/2003

Millions of American families and businesses store sensitive information on their computers. But what happens to that data when the aging computers are resold or given away? According to a pair of MIT graduate students, much of it is still on the hard drives, waiting to be discovered by the machine's new owner.

In a new article in the engineering journal IEEE Security and Privacy, Simson Garfinkel and Abhi Shelat describe how they went on a used hard drive buying spree, and collected vast amounts of private information in the process.

Garfinkel, author of several books on computer security, is working on a doctorate in computer science at MIT. He and fellow graduate student Shelat wondered whether people erased their hard drives before reselling their PCs. ''I wanted to find out if this was a big problem or not,'' said Garfinkel.

So Garfinkel and Shelat purchased 158 hard drives at swap meets and used computer shops throughout the United States, and on the Internet auction site eBay. They wound up with 129 drives that actually worked. Then they used commonplace software tools to look for data on the drives. They found everything from love letters to pornography and, in one case, over 3,700 credit card numbers.

Sometimes, the previous owners had taken the trouble to delete important files, not realizing that a PC's delete function doesn't really remove the data, but conceals it from the computer's operating system. It's easy to recover such deleted files. In other cases, the users went further and ''reformatted'' the hard drive. This process appears to wipe out all data on the disk, but again, the information is still there and can be read using common recovery tools.

Garfinkel said nobody had even tried to eliminate the files in some cases. For instance, he and Shelat acquired a drive that had been used in an automatic teller machine. There they found account numbers and balances for the bank's customers - all in perfect condition.

''Before you sell a hard drive, you ought to at least format it,'' said Garfinkel. ''They didn't.''

Frances O'Brien, a Gartner Inc. research director who specializes in the used computer equipment market, says many companies have had their data security compromised by improperly disposing of an old PC. ''The number of clients that I have spoken with who have reported incidents like this have been increasing exponentially,'' O'Brien said.

There are companies that offer safe computer disposal services, but these firms may pose security risks of their own. ''You pick up 100 PCs from me,'' said O'Brien. ''Who makes sure that 100 PCs arrive at the other end?''

She said low-paid disposal workers occasionally supplement their incomes by reselling a few PCs instead of recycling them. In such cases, the data is still on the hard drives, waiting to be discovered and possibly misused.

Out of 129 usable drives purchased by Garfinkel and Shelat, only 12 had been properly purged of all data. This is done with a program that dumps meaningless clumps of randomly chosen digits onto the drive. Such programs are available for free on the Net, but running them can take several hours for each drive. The quicker method is to smash the drive into bits with a sledgehammer, but that prevents resale, and companies like to get the last few dollars out of their technology investment.
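The two mechanisms the article describes (a "delete" that only hides a file from the operating system, and a "reformat" that only clears the directory) and the one that actually works (overwriting the drive with random data) can be shown on a toy disk image. The following is an added example written for this digest, not code from the Globe, Garfinkel or Shelat; the 21-byte directory-entry layout, the 4 KB image size and the sample account record are constructed for the demonstration and do not correspond to any real filesystem. The carving step does what the article's "common recovery tools" do: it ignores the directory entirely and scans the raw bytes for recognisable patterns.

```python
import os
import re
import struct

# Constructed toy disk: a small directory table followed by a data region.
# The layout is an assumption for this example, not any real on-disk format.
DISK_SIZE = 4096
DIR_ENTRIES = 8
ENTRY_FMT = "<16sHHB"                    # name, data offset, length, in-use flag
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 21 bytes per entry
DATA_START = DIR_ENTRIES * ENTRY_SIZE

# What a recovery tool might carve for: a 16-digit run resembling a card number.
CARD_RE = re.compile(rb"\b\d{16}\b")


def new_disk() -> bytearray:
    """A freshly zeroed image; every byte of the 'drive' is under our control."""
    return bytearray(DISK_SIZE)


def _entries(disk: bytearray):
    for i in range(DIR_ENTRIES):
        yield i, struct.unpack_from(ENTRY_FMT, disk, i * ENTRY_SIZE)


def write_file(disk: bytearray, name: str, payload: bytes) -> None:
    """Place payload after the last in-use file and record it in a free slot."""
    next_off, free = DATA_START, None
    for i, (_, off, ln, used) in _entries(disk):
        if used:
            next_off = max(next_off, off + ln)
        elif free is None:
            free = i
    if free is None or next_off + len(payload) > DISK_SIZE:
        raise ValueError("disk full")
    struct.pack_into(ENTRY_FMT, disk, free * ENTRY_SIZE,
                     name.encode()[:16], next_off, len(payload), 1)
    disk[next_off:next_off + len(payload)] = payload


def list_files(disk: bytearray) -> list:
    """The operating system's view: only entries whose in-use flag is set."""
    return [nm.rstrip(b"\0").decode() for _, (nm, _, _, used) in _entries(disk) if used]


def delete_file(disk: bytearray, name: str) -> None:
    """A normal 'delete': clear the in-use flag, leave the data bytes untouched."""
    for i, (nm, off, ln, used) in _entries(disk):
        if used and nm.rstrip(b"\0").decode() == name:
            struct.pack_into(ENTRY_FMT, disk, i * ENTRY_SIZE, nm, off, ln, 0)


def quick_format(disk: bytearray) -> None:
    """A quick 'reformat': wipe the directory table only; the data region stays."""
    disk[:DATA_START] = bytes(DATA_START)


def carve(disk: bytearray) -> set:
    """Recovery-tool behaviour: ignore the directory and scan every raw byte."""
    return set(CARD_RE.findall(bytes(disk)))


def purge(disk: bytearray, passes: int = 1) -> None:
    """Sanitise by overwriting every byte with random data, as the article describes."""
    for _ in range(passes):
        disk[:] = os.urandom(DISK_SIZE)


def demo() -> dict:
    """Run the four stages and report what a buyer of the drive could still carve."""
    disk = new_disk()
    # Constructed sample record; not real account data.
    write_file(disk, "accounts.txt", b"customer 4111222233334444 balance 120.50\n")
    stages = {"written": carve(disk)}
    delete_file(disk, "accounts.txt")
    stages["deleted"] = carve(disk)
    quick_format(disk)
    stages["formatted"] = carve(disk)
    purge(disk)
    stages["purged"] = carve(disk)
    return stages


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage:>10}: {sorted(found) or 'nothing recoverable'}")
```

Deleting and quick-formatting both leave the record fully carvable because neither touches the data region; only the overwrite pass removes it. The overwrite approach is the right one for the magnetic drives the article is about; flash-based storage remaps writes internally, so for it a vendor secure-erase command or physical destruction is the reliable equivalent.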

Hiawatha Bray can be reached at bray@xxxxxxxxxx

This story ran on page C1 of the Boston Globe on 1/16/2003.
*********************************
Federal Computer Week
Customs writing cargo data rules
BY Judi Hasson
Jan. 15, 2003

The Customs Service has begun the arduous task of writing regulations requiring that the electronic manifest for each air cargo shipment be sent to a government database before the shipment leaves a foreign port for the United States.

New rules are expected to go into effect Oct. 1 for air, rail, sea and truck cargo in a move to tighten border security, but first Customs faces the problem of figuring out how to handle the data electronically without stalling the flow of commerce.

"We can't wait until the planes take off, and if we do, you'll have to face the reality that some of these planes will be turned back," Charles Bartoldus, director of Border Targeting and Analysis, said Jan. 14 at a public meeting on developing regulations to collect the data.

Customs, which officially becomes part of the Homeland Security Department Jan. 24, is holding four days of hearings to get feedback from industry on how to comply with the Maritime Transportation Security Act of 2002. But at the first hearing Jan. 14, industry participants made it clear that requiring a 24-hour notice before liftoff and risking delivery delays could hurt airline shipping.

The advance requirement would "cause more damage to the economy and airlines," Mike White of the Air Transport Association said at the hearing. "The data needs to be sent in a 'wheels-up' mode, not prior to departure."

Other industry executives complained that the requirement could wipe out the air courier industry.

Holding up cargo will have a "big impact on a lot of manufacturers who rely on air service," said David O'Connor, regional director of the International Air Transport Association in Washington, D.C. "They have to have a reliable and regular schedule to receive goods."

But Andrew Maner, chief of staff for Customs Commissioner Robert Bonner, said the threat is as intense today as it was 16 months ago.

"The risk is as high as it has ever been," Maner said. "How do we separate high risk from low risk? Better information."

Customs officials readily acknowledged it is a tough problem for them. They are in the process of building a Web-based data system called the Automated Commercial Environment (ACE).

The system is intended to provide electronic information about cargo inspections and clearance into the United States, but it will not be fully operational until 2007. In the meantime, Customs must still rely on the aging Automated Commercial System to handle the manifest data.

"I'm not sure we have a choice. We don't have the time to wait for ACE," said John Considine, director of the Cargo Verification Division in Customs' Office of Field Operations.
***************************
Federal Computer Week
Groups call for halt to TIA
BY Dan Caterinicchia
Jan. 15, 2003


The Defense Advanced Research Projects Agency's Total Information Awareness (TIA) system is continuing to make headlines that the Defense Department would rather avoid.

The latest development is in the form of a Jan. 14 letter signed by a nonpartisan coalition of watchdog organizations urging Congress to stop further development of the system.

In theory, TIA would enable national security analysts to detect, classify, track, understand and pre-empt terrorist attacks against the United States by spotting patterns using public and private transaction and surveillance methods.

The system, parts of which are already operational, incorporates transactional data systems, including private credit card and travel records, biometric authentication technologies, intelligence data and automated virtual data repositories. The goal is to create an "end-to-end, closed-loop system" that will help military and intelligence analysts make decisions related to national security, said Robert Popp, deputy director of DARPA's Information Awareness Office (IAO), which is heading up the effort.

But the American Civil Liberties Union, Americans for Tax Reform, the Center for Democracy and Technology and other groups disagree.

"TIA would put the details of Americans' daily lives under the scrutiny of government agents, opening the door to a massive domestic surveillance system. Congress should prohibit the development of TIA," the letter states. "Congress should not allow the Defense Department to develop unilaterally a surveillance tool that would invade the privacy of innocent people inside the United States."

The letter was sent to myriad congressional leaders and also signed by representatives of the Center for National Security Studies, the Eagle Forum, the Electronic Frontier Foundation, the Electronic Privacy Information Center (EPIC) and the Free Congress Foundation.

The watchdog groups are not alone in questioning TIA. Many lawmakers, including Sens. Charles Schumer (D-N.Y.), Charles Grassley (R-Iowa) and Susan Collins (R-Maine), incoming chairwoman of the Governmental Affairs Committee, have also publicly questioned aspects of the system. In addition to privacy concerns, they have expressed reservations about the appointment of John Poindexter as IAO director. Poindexter was national security adviser to President Reagan and may be best known for his part in the infamous Iran-Contra scandal.

Call to Stop Funding

In the fiscal 2003 budget, the TIA project is funded at $10 million, and DOD officials are developing future funding requirements, said Pete Aldridge, undersecretary of Defense for acquisition, logistics and technology, at a Nov. 20 press briefing.

However, EPIC obtained DARPA budget documents and found that although the TIA budget is $10 million, related programs that may become part of the system are funded at $240 million for fiscal 2001 through fiscal 2003.

Popp said IAO's budget for fiscal 2003 is about $150 million, up from about $96 million last year. He added that DARPA received more than 170 proposals after issuing a broad agency announcement for the TIA system in March 2002 and is in the process of funding the most relevant ones.

In its letter, the coalition recommended that Congress at least stop TIA's development and funding "while it takes a closer look at the program through oversight hearings, investigations and reporting."

The letter included numerous questions that the groups want answered before any more money is spent on the system, including:

* Why is DOD developing a domestic surveillance apparatus?

* What databases of personal information would officials envision giving TIA access to?

* What "nontraditional data sources" have already been used in testing and deploying TIA?

"Similar questions need to be asked about other initiatives that will vastly expand government collection and use of personal information, such as the CAPPS II (Computer Assisted Passenger Prescreening System) program of the Transportation Security Administration," the letter stated.

DARPA officials were not available for comment, and a spokeswoman for the agency previously said that questions related to the TIA system would not be answered until March.
*******************************
Federal Computer Week
Registration reopening for eArmyU
BY Dan Caterinicchia
Jan. 15, 2003


After taking the past three months off to design evaluation materials, the Army's largest e-learning virtual university program, eArmyU, re-opened new-student registration at five sites this week and will do the same at the nine remaining sites later this month.

Diane Stoskopf, director of the Army Continuing Education System, said the registration of new students into the eArmyU program was halted for the past quarter because it was time to assess the program's value.

"It was very healthy to take a hiatus ... because we've been on a dead run for two years and never looked back, or even ahead," Stoskopf said.

eArmyU has delivered educational opportunities online to more than 30,500 enlisted personnel since its inception in January 2001, and will enroll about 80,000 soldiers by 2005 worldwide, said Jill Kidwell, a partner at IBM Corp.'s Business Consulting Services, the program's prime contractor. The five-year, $453 million contract for eArmyU was awarded in December 2000.

"We'll be conducting an evaluation to get our arms around ... where we are and where we want to go," Stoskopf said. "People say, 'How do you measure success?' We want to take the time to figure it out."

The evaluation will begin Jan. 27 at the eArmyU's 11 established sites, as well as at three new locations: Fort Sill, Okla.; Fort Bliss, Texas; and Fort Knox, Ky., she said, adding that the process should be complete by the end of March. During that time, the Army is prepared to enroll up to 12,500 more students in the program.

Once enrolled in eArmyU, soldiers receive up to 100 percent funding for tuition, books and course fees, as well as a personal laptop computer, printer, e-mail account and an Internet service provider account. Other features include 24-hour technical support, and assistance in determining a program of study, registering for courses and transferring credits.

Late last year, IBM announced a slew of new academic program offerings and the expansion of participating colleges and universities in eArmyU. The number of colleges and universities will increase from 21 to 32 this year, and those institutions will offer more than 3,000 courses and more than 150 academic degree programs, which is triple the number of degree programs available when the program began, Kidwell said.

The goal is for soldiers to be able to access the information they need via the eArmyU portal in about three clicks, which requires aligning the Army system with the different schools' computer systems, she said.
*****************************
Federal Computer Week
System links defense, local agencies
BY Diane Frank
Jan. 15, 2003



Information sharing between the Defense Department and state and local emergency responders is just as important to homeland security as sharing in law enforcement, and a pilot project under way in New York and California is testing a new Web-based system to foster that partnership.


The Defense Intelligence Agency's Joint Intelligence Task Force-Counterterrorism developed its Regional Information Sharing System Network Information Exchange System to provide an end-to-end system connecting federal, state and local organizations, said Air Force Col. George Narenic, director for the program at DIA. He was speaking Jan. 10 at the Government Convention on Emerging Technologies in Las Vegas.

The system allows participants to share information collection, analysis, collaboration and warning tools. The pilot test with DIA, DOD's Northern Command, the California Anti-Terrorism Information Center and the New York Police Department started Dec. 23, 2002, and will run through Feb. 6, Narenic said.

The system is an entirely commercial off-the-shelf solution, and users can either have a dedicated server, database and tools or a regional or central server. Then users connect via a Web-based client from a desktop or mobile system.

"What we wanted was a system that had no single point of failure and that leveraged all the existing resources and tools that are out there," Narenic said.

DIA and others will evaluate the results of the pilot test during February and examine other capabilities that can be added, including biometrics and the ability to search video and audio files, he said.

The Office of Homeland Security is examining the pilot project, and the system likely will be moved to the new Homeland Security Department. No matter who is in charge, officials are planning to integrate the system into the links of other existing information sharing systems through the intelligence community's Open Source Information System, Narenic said.
******************************
Federal Computer Week
Intell info sharing makes strides
BY Diane Frank
Jan. 15, 2003


The sharing of intelligence information, at least in the unclassified arena, recently has taken several significant steps forward through a newly minted partnership among segments of federal, state and local governments.

From September to December 2002, officials completed at least the initial integration of collaboration networks from the FBI, local law enforcement, the intelligence community and the State Department, allowing functions ranging from secure e-mail exchange to searches of one another's databases.

Work remains to be done on those systems, and others are in the pipeline for connection, but analysts and operational employees are already seeing a difference, officials said at the Government Convention on Emerging Technologies in Las Vegas.

"We have the opportunity to make the most significant impact on law enforcement in decades, just by getting us on one network," said Craig Sorum, chief of the Law Enforcement Online (LEO) unit at FBI headquarters.

The intelligence community's Open Source Information System (OSIS) now serves as a central hub connecting State's intranet, called OpenNet, and the FBI's LEO. State and local law enforcement officials can access those federal resources thanks to the recent integration of LEO and the Justice Department's Regional Information Sharing System (RISS) Program, which is composed of six regional centers that share intelligence and coordinate against criminal efforts.

"Why go look at a bunch of boxes when one box will serve your needs," said Miles Matthews, a senior official with the Counterdrug Intelligence Executive Secretariat at Justice.

The new connections allow additional civilian agencies to access the OSIS homeland security portal, where the intelligence community has centralized all the open-source information it has gathered in that area, said John Brantley, director of the Intelink Management Office, which runs OSIS. In addition to providing new information to new partners, the network allows collaboration "that simply didn't exist before," he said.

Information is not coming only from the intelligence community. Within the next two weeks, officials will finalize a memorandum of understanding that will allow State to launch its OSIS Data Mart, providing wider access to the Consular Lookout and Support System visa database, said David McKee, deputy director of State's office of intelligence resources and planning.

At first, the Data Mart will offer a download of updates to the database, but the next step will be to develop a Web-based front end so that officials can run queries against the database from anywhere worldwide, he said.

The connection to the federal intelligence community through LEO could be critical for state and local law enforcement officials who are always looking for more timely information from the federal government, said Steve Hodges, RISS' national issues coordinator.

Local law enforcement soon will have another avenue into the collaboration, according to Sorum. LEO also serves as the backbone for Joint Terrorism Task Force Information Sharing Initiative pilots, an initiative to integrate federal, state and local databases. The FBI is starting to expand the initiative to more than seven cities nationwide.

While this integration of networks is not only for homeland security purposes, officials at the Office of Homeland Security and the new Department of Homeland Security are keeping a close eye on what is being done and are hoping to build on it, said Lee Holcomb, director of infostructure at the office.

"We need to work with [these agencies] and champion the establishment of an effective sensitive but unclassified network," he said.
**************************
Federal Computer Week
Homeland emphasis added at IAC
BY Dan Caterinicchia
Jan. 15, 2003


The Defense Department has added a homeland security focus along with an increased emphasis on space-based technologies in a recent contract extension for the operation of the Survivability/Vulnerability Information Analysis Center (SURVIAC).

The Defense Logistics Agency awarded the contract Jan. 9 to Booz Allen Hamilton, which has operated the center since 1984. It has a potential value of more than $282 million for 10 years, and the three-year base period is for $56 million, said Bruce Patrick, contract specialist at the Defense Supply Center Columbus, Ohio.

"We're concentrated and focused on the current sets of issues [dealing] with combat effectiveness and survivability of operations and platforms," said Booz Allen vice president Don Vincent, adding that the latest contract includes some new areas of focus.

"There is an emphasis on space technology because it's important to the Defense Department that ground and satellite [systems] continue to function properly," he said, adding that there also is a new emphasis on many aspects of homeland security and homeland defense systems, he said.

SURVIAC, located at Wright-Patterson Air Force Base in Ohio, is a DOD Information Analysis Center sponsored by the Joint Technical Coordination Groups on Aircraft Survivability and Munitions Effectiveness.

The center is DOD's focal point for non-nuclear survivability and vulnerability data, information, methodologies, models and analysis relating to U.S. and foreign aeronautical and surface systems.

SURVIAC, one of 13 IACs within DOD, also provides lessons from prior combat incidents, integrates test results and provides analyses, design guidance and problem-solving expertise. The center also provides services for modeling survivability and lethality.

For example, if a DOD employee would like a survivability analysis on a C-17 aircraft involved in a certain type of conflict, a SURVIAC researcher will provide any data references already available. If there are none, the user has the option of asking the center's staff to perform a specific analysis or study, Vincent said.

The new study immediately would become part of the SURVIAC database and could be used to answer similar requests in the future. The center also maintains a list of subject matter experts from industry and academia, who can sometimes be directly connected to the DOD employee seeking information, he said.
**************************
Federal Computer Week
Retired exec tapped for Homeland post
BY Judi Hasson
Jan. 15, 2003


President Bush has tapped the former president of General Dynamics Corp.'s Advanced Technology Systems unit to be the new undersecretary for science and technology at the Homeland Security Department.



Charles McQueary will help the new department establish priorities for funding national research and developing and procuring technology systems to protect national security.

He also will work on preventing the importation of chemical, biological and nuclear weapons as well as transferring homeland security technologies to federal, state and local governments.

McQueary, who must be confirmed by the Senate, holds a Ph.D. in engineering mechanics from the University of Texas. He also has been the president of AT&T/Lucent Technologies.

"[McQueary] is exactly the kind of individual we hoped would fill this critical position. He has a strong technical background, broad management experience, familiarity with both academia and industry, and is highly regarded in the scientific community," said Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee, in a statement issued Jan. 10.
**************************
Federal Computer Week
Personnel system set for NMCI
BY Matthew French
Jan. 15, 2003


EDS, the contractor with the task of building and managing the Navy Marine Corps Intranet, will announce today that the Navy's personnel system will soon make the transition to NMCI.

The Navy has been deploying the Navy Standard Integrated Personnel System (NSIPS), which eventually will replace four legacy personnel and pay systems and provide one system for active and reserve sailors. The goal of NSIPS is to move the Navy from paper to electronic records, putting personnel and pay documents into a format accessible via a portal on the service's intranet.

"In just a few months, sailors will have quick, secure and user-friendly access to their personnel records," Cmdr. Susan Eaton, system and software engineering manager for the NSIPS Program Office, said in a statement. "It will be the first of many tangible benefits the Navy will realize through the use of NMCI."

To perform a task as simple as changing one's address on a personnel record, sailors must visit a personnel office. When in use via NMCI, NSIPS will allow the same action to be done at a computer workstation.

The current version of NSIPS is based on a client/server model, with field-level servers that connect to Navy and Defense Department servers in several locations. The Web-enabled version is near completion, according to a statement by EDS, but the date for completion remains unclear.

Once approval is received through the DOD Information Technology Security Certification and Accreditation Process, NSIPS will be the first enterprisewide application to fully operate within NMCI.

Eventually, NSIPS will be replaced by the Defense Integrated Military Human Resource System, according to EDS spokesman Kevin Clarke. That system, when fully deployed by the end of fiscal 2006 at an estimated cost of $500 million, will provide an integrated personnel and payroll system for all military service members. It will be based on commercial software developed by PeopleSoft Inc.

To develop and maintain the client/server and Web-enabled versions of NSIPS, the Navy needed to upgrade its test and development environment. EDS, Dell Computer Corp., EMC Corp., Sun Microsystems Inc. and WorldCom Inc. received contracts to provide the necessary enterprisewide infrastructure and services.

According to the Navy, it has rolled out more than 57,000 NMCI seats to date and has received approval to roll out as many as 160,000. The next major milestone for the project requires EDS to fulfill certain service-level agreements. When that happens, the company expects to receive approval to roll out an additional 150,000 seats.
**************************
Federal Computer Week
Plugging security holes
Special report
BY Rutrell Yasin
Jan. 13, 2003


The technology environment at agencies is always changing, with new threats emerging and new services being developed that must then be secured against internal and external misuse. Fortunately, the security industry is almost lifelike in its ability to adapt to changing requirements.

That's one way to see it. But to systems administrators on the front lines, it's often a matter of plugging holes. Just when it seems that all the pieces are in place, new cracks develop that must be filled.

In this special report, we look at four emerging tools (identity management, multifunction security appliances, XML security and wireless security) that represent efforts to plug the holes in network and information security. Taken together, the technologies give organizations a multilayered defense to protect critical assets and data.

As organizations extend the boundaries of their networks to customers and business partners, administrators need to know who has access to networks and what applications and systems they are authorized to use. Identity management software can fill this crucial need.

Hardware-based security appliances that perform several tasks, from firewall protection to traffic management, are gaining acceptance for their ability to help lower the cost of security efforts and make them more manageable. At the same time, federal agencies are showing an interest in application security gateways, devices designed to block intrusions and malicious attacks that traditional firewalls might not be able to stop.

Web services based on Extensible Markup Language offer greater opportunities for agencies to share information across disparate applications and systems via the Internet, but they can open up backdoors for intruders to exploit. Therefore, XML firewalls and similar technologies will gain importance this year and next year.

Which brings us to the wireless revolution, whose momentum can't be stopped. Wireless local-area networks have been hailed for their ability to give roaming users access to organizations' networks but criticized for their lack of security. As more heavy hitters such as Microsoft Corp. enter the wireless LAN arena, you can expect to see more big-name security companies offering better authentication and monitoring devices to shore up wireless defenses.

The story, of course, won't end here. These developments, impressive as they seem now, are just the latest solutions and not the final word in security. They are stopgap measures that will be overtaken as information technology continues to evolve.
**************************
Federal Computer Week
Closing the ID loophole
BY Rutrell Yasin
Jan. 13, 2003


In the current atmosphere of heightened security, technologies that give agencies tighter control over who can access computer networks and online information are getting some well-deserved attention.

In the past few months, several systems integrators have partnered with technology companies to provide identity management software to federal agencies.

Identity management software helps organizations consolidate user profile data and use customizable policies to automate the management of employee, contractor, business partner and customer access rights to software applications and network resources.

"Identity management systems have been out for a while the last two-and-a-half years but only recently do you see large enterprise customers understand why they need these solutions," said Brenda Toonder, vice president of marketing at Atreus Systems Inc., a Cupertino, Calif.-based developer of user provisioning software.

But the identity management market can be confusing, encompassing a wide range of products with "slightly different and overlapping value propositions," according to a report by Pete Lindstrom, research director at Spire Security, a Malvern, Pa.-based consulting firm.

Product categories include: consolidated user administration, directory management, password management, single sign-on, strong authentication, user provisioning and Web access control (see box). More integration among the categories will be a theme this year and beyond.

Customers "want an end-to-end solution for identity management, not just Web single sign-on," which lets users log on once and have access to multiple applications, said Kevin Cunningham, vice president of marketing at Waveset Technologies Inc., a provider of secure identity management products.

Waveset's Lighthouse product consists of provisioning software that automates many aspects of managing security controls, including password management.

An important new feature in the software is called Identity Broker. It automatically detects when a change is made to a profile in one application (a customer relationship management program, for example) and then takes that revised information and synchronizes it across other enterprise applications.

Others see the need to go beyond "basic-level" user provisioning, which focuses on setting up user accounts and IDs. There is a need to take it to the next level of advanced provisioning, in which security settings are aware of network performance and configuration factors.

In this scenario, based on bandwidth and security settings, high-priority traffic can take the quickest route to the intended person, Atreus' Toonder said. "That's where we're focused."

Identity management no doubt will be a focus of the new Homeland Security Department as federal officials seek to weave together 22 agencies under one umbrella, noted Lou Casal, director of product marketing at Computer Associates International Inc. The department will need an "integrated comprehensive approach" to deploying identity management, he said. The Islandia, N.Y.-based CA has a suite of software that includes user provisioning, password management and directory management.

The challenges facing managers who want to deploy identity management software across departments or agencies are political, not technical, experts say.

When managers try "to synchronize personal information across agencies, each agency believes it is the data source" and should be the one to approve the exchange of information, Waveset's Cunningham said. It is because of these political barriers to deployment that Waveset is "looking to marry technology with [an organization's] business processes," he added.

***

Gaining control

Identity management solutions span several product areas that may overlap but still have unique roles. Here are the key features:

* Consolidated user administration: provides a single platform to manage user accounts and profiles.

* Directory management: manages user accounts in a central Lightweight Directory Access Protocol (LDAP) directory.

* Password management: allows users to update their own profiles and passwords and synchronizes passwords across multiple applications.

* Single sign-on: authenticates the user once on behalf of multiple applications, so the user needs to log on only once.

* Strong authentication: validates the owner of a user account with more than one factor, such as a personal identification number or password combined with a digital token.

* User provisioning: creates, updates and deletes user accounts on systems throughout the user life cycle.

* Web access control: authorizes user accounts for use by Web applications.
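The synchronization the article describes for Identity Broker (a profile change in one application propagated to the others) and the provisioning and password-management items in the box above amount to one operation: compare the authoritative identity source with what each connected system actually holds, then issue the create, update and disable actions that close the gap. The example below is added for this page and is not Waveset's, CA's or any other vendor's code; the department-to-role policy, the HR feed and the target-system state are all constructed, and an account spec carries only an e-mail address and a role set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """One record from the source of record (constructed HR feed)."""
    uid: str
    email: str
    department: str
    active: bool


# Roles each department is entitled to on each connected system. This is a
# constructed example policy; anything not listed here defaults to no access.
ROLE_POLICY = {
    "crm":  {"sales": {"crm_user"}, "support": {"crm_user", "case_admin"}},
    "ldap": {"sales": {"staff"}, "support": {"staff"}, "finance": {"staff"}},
}

# Constructed sample data: the authoritative feed, and what each target
# system currently holds (as a connector would read it back).
HR_FEED = [
    Identity("alice", "alice@agency.example", "sales", True),
    Identity("bob", "bob@agency.example", "support", True),
    Identity("carol", "carol@agency.example", "finance", False),   # leaver
]
TARGET_STATE = {
    "crm":  {"alice": {"email": "a.smith@old.example", "roles": {"crm_user"}}},
    "ldap": {"alice": {"email": "alice@agency.example", "roles": {"staff"}},
             "carol": {"email": "carol@agency.example", "roles": {"staff"}}},
}


def desired_state(identities):
    """(system, uid) -> account spec the policy grants; inactive users get none."""
    want = {}
    for ident in identities:
        if not ident.active:
            continue
        for system, by_dept in ROLE_POLICY.items():
            roles = by_dept.get(ident.department, set())
            if roles:
                want[(system, ident.uid)] = {"email": ident.email,
                                             "roles": frozenset(roles)}
    return want


def reconcile(identities, targets):
    """Compute the ordered provisioning actions that bring targets in line.

    Returns (action, system, uid, spec) tuples: 'create' for missing accounts,
    'update' when the e-mail or role set has drifted, 'disable' for accounts
    whose owner has no active source record (never silently delete).
    """
    want = desired_state(identities)
    have = {(system, uid): acct
            for system, accts in targets.items() for uid, acct in accts.items()}
    actions = []
    for key, spec in sorted(want.items()):
        current = have.get(key)
        if current is None:
            actions.append(("create",) + key + (spec,))
        elif (current["email"] != spec["email"]
              or frozenset(current["roles"]) != spec["roles"]):
            actions.append(("update",) + key + (spec,))
    for key in sorted(have.keys() - want.keys()):
        actions.append(("disable",) + key + (None,))
    return actions


def plan():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_FEED, TARGET_STATE)


if __name__ == "__main__":
    for action, system, uid, spec in plan():
        print(f"{action:8s} {system:5s} {uid:8s} {spec or ''}")
```

Two design points worth keeping: an inactive source record yields no desired account at all, so a leaver is caught on every system regardless of which one noticed first, and orphaned accounts are disabled rather than deleted so that an upstream data error is recoverable.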
************************
Federal Computer Week
Buying security in a box
BY Rutrell Yasin
Jan. 13, 2003


All-in-one security appliances that perform several security tasks and in some cases general networking chores are the wave of the future.

Hardware-based and hardened for security, these network devices first appeared in the firewall and virtual private networking market several years ago, touting ease of use and effective protection for small- to medium-size operations and large organizations' branch offices.

The early appliances focused on single functions such as firewall protection, but a new class of products is on the rise that combines several tasks, including firewall, VPN, intrusion prevention, encryption, content filtering and virus protection.

Proponents of multifunction appliances say the devices lower security costs and improve manageability compared with dozens of products performing different tasks scattered around the enterprise. They also argue that, unlike security software running on traditional servers, purpose-built boxes are not exposed to the vulnerabilities of the commercial operating systems that underlie traditional solutions, although an appliance still runs an operating system and network stack of its own that must be patched when flaws are found in it.

Longtime security vendor Symantec Corp. entered the fray last year with its Gateway Security appliance, while NetScreen Technologies Inc., an early entrant into the appliance space, acquired OneSecure Inc. to boost its intrusion-prevention capabilities. And newcomers such as NetContinuum Inc. emerged, offering an all-in-one Web security gateway touting security features as well as general networking capabilities such as load balancing and traffic management.

All of this will make for an interesting year as more companies are expected to jump on the appliance bandwagon.

"By late 2003 and into 2004, there will be an emergence of network security platform appliances that will host a variety of functions," said John Pescatore, a vice president at Gartner Inc.

But this doesn't mean there won't be room for single-function appliances.

Application security gateways are also on the rise. Such gateways inspect protocols and traffic that traditional firewalls pass on the basis of port number alone, including voice over IP, Extensible Markup Language, Secure Sockets Layer (SSL)-encrypted sessions and HTTP.

As cyberattacks increasingly target Web application vulnerabilities, organizations are looking for ways to protect their applications from unauthorized access and malicious intent.

Newcomer Stratum8 Networks Inc.'s APS 100 network appliance protects Web servers and databases by learning what constitutes acceptable application behavior, and then blocking everything else.

The APS 100 sits behind a network-based firewall and inspects traffic arriving on TCP port 80, the well-known port on which Web servers listen for HTTP and the one that experiences the majority of cyberattacks, according to industry studies.

Tightening up security on port 80 will be a major theme among appliance vendors.

NetContinuum's network appliance falls into this category. The Santa Clara, Calif.-based company's NC-1000 Web Security Gateway combines several key security functions into a single box that can perform tasks at wire speed, meaning that it can process information just as fast as the network to which it's connected.

"NetContinuum is an emerging technology," said John Diaz, an analyst with the Computer Incident Advisory Capability (CIAC), which provides the Energy Department and National Nuclear Security Administration with incident response, reporting and tracking.

With many commercial Web sites processing 1,000 to 2,000 connections per second, it's impossible to keep up with the traffic using software-based filtering on a Unix server, he said.

The NC-1000, however, has the ability to handle 1 million simultaneous TCP sessions and 6,000 SSL transactions per second. CIAC will use NetContinuum's gateway to improve security response. Using the gateway's VPN capabilities, CIAC analysts can securely exchange system log files, which may contain information critical to stopping an attack, with DOE technology managers at remote locations.

***

Second line of defense

Each security appliance has its own way of performing tasks. Some are combined with traditional firewalls, while others sit behind firewalls and inspect traffic a firewall might not handle, such as application protocols and encrypted traffic. Here is an example of how one security gateway, NetContinuum Inc.'s NC-1000 Web Security Gateway, works:

* Web traffic such as HTTP, voice over IP, Secure Sockets Layer and Extensible Markup Language flows unchecked through the firewall and directly into an organization's network, because it arrives on TCP port 80 (or, for SSL, port 443), ports the firewall must leave open for the Web servers to be reachable at all.

* The security gateway appliance monitors port 80, blocking traffic that doesn't conform to security policies and passing acceptable data on to Web servers in the data center. The appliance can also decrypt or encrypt data.
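The APS 100 approach described above, learning what acceptable application behavior looks like and blocking everything else, is a positive security model, and the gateway in the box applies the same monitor-block-pass cycle on port 80. The example below is added for this page and is not Stratum8's or NetContinuum's code: it learns, from a constructed set of clean request lines, which paths exist, which parameters each accepts and how their values are shaped, then decides on new requests. The request-line format, the character classes and the length slack are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Character classes from most to least restrictive. During learning each
# parameter is assigned the narrowest class that covers every value seen.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("token",  re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("text",   re.compile(r"^[A-Za-z0-9 _.,@-]*$")),
]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}


def classify(value):
    """Narrowest class matching the value, or None if no safe class does."""
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return None            # quotes, angle brackets, semicolons, ...


def parse_request(line):
    """'METHOD /path?query' -> (method, path, [(name, value), ...])."""
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


class PositiveModel:
    """Allow only what was seen in clean baseline traffic; block the rest."""

    def __init__(self):
        self.profile = {}   # (method, path) -> {param: {"rank": r, "max_len": n}}

    def learn(self, lines):
        for line in lines:
            method, path, params = parse_request(line)
            entry = self.profile.setdefault((method, path), {})
            for name, value in params:
                cls = classify(value)
                if cls is None:
                    raise ValueError(f"unsafe value in baseline traffic: {line!r}")
                spec = entry.setdefault(name, {"rank": 0, "max_len": 0})
                spec["rank"] = max(spec["rank"], RANK[cls])      # widen if needed
                spec["max_len"] = max(spec["max_len"], len(value))

    def check(self, line):
        """Return (allowed, reason) for one request line."""
        method, path, params = parse_request(line)
        entry = self.profile.get((method, path))
        if entry is None:
            return False, "unknown method/path"
        for name, value in params:
            spec = entry.get(name)
            if spec is None:
                return False, f"unexpected parameter {name}"
            cls = classify(value)
            if cls is None or RANK[cls] > spec["rank"]:
                return False, f"value of {name} outside learned character class"
            if len(value) > 2 * spec["max_len"] + 8:   # slack for legitimate growth
                return False, f"value of {name} longer than learned"
        return True, "ok"


# Constructed baseline: requests captured while trusted users exercised the
# application normally. Learning fails loudly if this traffic is tainted.
BASELINE = [
    "GET /account?id=1042",
    "GET /account?id=7",
    "GET /search?q=router+firmware",
    "GET /search?q=wpa",
]


def demo_model():
    model = PositiveModel()
    model.learn(BASELINE)
    return model


if __name__ == "__main__":
    model = demo_model()
    for req in ["GET /account?id=1042",
                "GET /account?id=1042%27%20OR%20%271%27%3D%271",
                "GET /account?id=5&debug=1",
                "GET /search?q=%3Cscript%3EalertX%3C/script%3E",
                "GET /admin"]:
        print(req, "->", model.check(req))
```

The trade-off the text hints at is visible in learn(): baseline traffic must be clean, so the model refuses to learn from any value it cannot classify, and a legitimate new page or parameter is blocked until the profile is relearned.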
************************
Federal Computer Week
Solving the XML enigma
BY Brian Robinson
Jan. 13, 2003


The introduction of Web applications based on Extensible Markup Language creates a new security problem for federal agencies. Solutions, however, are emerging before many people even become aware of problems.

XML, a key component in emerging Web services that link systems via the Internet, eases information exchange by tagging data so disparate applications and systems can easily recognize it. But the link that Web services provide opens another backdoor to otherwise secure systems. As federal XML projects progress from pilot stages to full-scale systems in the next two years, security will be a major requirement.

Agencies need "end-to-end" security that permeates every part of a Web services infrastructure, according to Brand Niemann, a computer scientist at the Environmental Protection Agency and head of the CIO Council's XML Web Services Working Group.

"With XML Web services, you are dealing with potentially highly distributed applications, and that's the antithesis of strong security, which is generally seen as centralized [and defined by] lots of firewalls," he said. "Web services require security at every location [in the enterprise] and with every application, every user and every bit of data," Niemann said.

That requires that different vendors' XML security products work together seamlessly throughout the enterprise, he said.

The good news is that industry standards are well on the way to completion.

Security Assertion Markup Language, which defines a way to exchange security and related data across distributed systems, was ratified in November as an open standard by the Organization for the Advancement of Structured Information Standards (OASIS).

And sometime this year, the first version of the Web Services Security (WS-Security) specification, which will describe the basis for a broad, platform-independent Web services security framework, may be published. It was first proposed by IBM Corp., Microsoft Corp. and VeriSign Inc. and then moved to OASIS in the middle of 2002.

In the meantime, XML security is the domain of a small number of niche vendors who want to carve a market presence ahead of the expected entry of bigger and more established players such as Cisco Systems Inc., 3Com Corp. and Check Point Software Technologies Ltd.

Vordel Ltd., for example, recently published the latest version of its XML security product, VordelSecure 2.0, which provides an enterprisewide XML firewall and access control. It gets around the need for application-level security by intercepting XML traffic in the network.

"Our product provides the ability for a network administrator to set a security policy to run a Web service and only allow certain kinds of data into that service," said Mark O'Neill, Vordel's chief technology officer. "No extra coding is required."

Reactivity Inc. offers the Reactivity Service Firewall as a proxy through which XML traffic is channeled for use by Web services applications.

Sanctum Inc.'s AppScan takes a somewhat different approach by running continuous, dynamic scans of the Web services environment in order to identify where security holes may pop up.

"There are common vulnerabilities that applications have that may not have posed much of a problem in the past because only a few people had access to the applications themselves," said Steve Orrin, Sanctum's chief technology officer. "XML services will now expose those applications to the Web, so AppScan tests for potential security problems and provides detailed vulnerability assessments, and then recommends ways to fix them."

The drawback to deploying security for XML and Web services is that it's a new area and people don't know the nuances right now, said Jeremy Epstein, director of product security for webMethods Inc. However, with standards developing rapidly, he doesn't expect that to hold true for long.


Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@xxxxxxxxxxxxxxx


***

XML security

Conventional network security tools that know nothing about Extensible Markup Language protect communications by checking IP packet headers against the constraints network administrators set in policy and flagging deviations that might signal an attack. XML messages, however, carry much of the equivalent addressing and routing information inside the message body, and because they are text they are easy to manipulate. A device that reads only the IP headers would miss an attack embedded in the XML data itself.

At a minimum, any XML security must:

* Authenticate both the identity of the message sender and the integrity of the message.

* Validate that the message content conforms to rules set by network administrators.

* Authorize both single user and group access to XML traffic.

Additionally, because XML Web services are formed by chaining together services, security must be end-to-end and incorporate safeguards at the application level and for each node in the extended Web services infrastructure.
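The three minimum checks in the box above, in the order a gateway would apply them: authenticate the sender and the message's integrity before the XML is even parsed, validate the content against rules the administrator set, then authorize the sender for that message type. The example below is added for this page and is not Vordel's, Reactivity's or Sanctum's code. It assumes a pre-shared HMAC key with one partner in place of WS-Security signatures, a constructed allow-list of message shapes, and a constructed sender-to-message-type access list; the sample messages, including a deliberately small entity-expansion document, are constructed too.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed values: a key shared with one partner, the message shapes the
# gateway accepts, and which sender may submit which message type.
SHARED_KEY = b"example-partner-a-key-not-for-production"
SCHEMA = {
    "OrderRequest": {
        "CustomerId": re.compile(r"[A-Z0-9]{1,16}"),
        "Sku":        re.compile(r"[A-Z0-9-]{1,32}"),
        "Quantity":   re.compile(r"[0-9]{1,6}"),
    },
}
ACL = {"partner-a": {"OrderRequest"}}


def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the exact bytes on the wire (sender side)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_message(sender: str, body: bytes, tag: str, key: bytes = SHARED_KEY):
    """Apply the three checks in order; return (accepted, reason)."""
    # 1. Authenticate sender and message integrity before touching the XML,
    #    so a forged or tampered document never reaches the parser.
    if not hmac.compare_digest(sign(body, key), tag):
        return False, "bad signature"
    # 2. Validate content. First refuse any DTD: entity expansion and
    #    external entities live there and a gateway has no use for them.
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not UTF-8"
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    rules = SCHEMA.get(root.tag)
    if rules is None:
        return False, f"unknown message type {root.tag}"
    seen = set()
    for child in root:
        rule = rules.get(child.tag)
        if rule is None or child.tag in seen:
            return False, f"unexpected element {child.tag}"
        # No nested elements, no attributes, text must match the field rule.
        if len(child) or child.attrib or not rule.fullmatch(child.text or ""):
            return False, f"element {child.tag} fails content rule"
        seen.add(child.tag)
    if seen != set(rules):
        return False, f"missing elements {sorted(set(rules) - seen)}"
    # 3. Authorize: may this sender submit this message type at all?
    if root.tag not in ACL.get(sender, set()):
        return False, f"{sender} not authorized for {root.tag}"
    return True, "ok"


# Constructed sample messages.
GOOD = (b"<OrderRequest><CustomerId>C1001</CustomerId>"
        b"<Sku>WPA-AP-200</Sku><Quantity>5</Quantity></OrderRequest>")
TAMPERED = GOOD.replace(b"<Quantity>5<", b"<Quantity>500<")
EXTRA = GOOD.replace(b"</OrderRequest>",
                     b"<Discount>100</Discount></OrderRequest>")
BOMB = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
        + GOOD)


def run_samples():
    """Every sample through the gateway; the key holder signs each one."""
    return {
        "good":      check_message("partner-a", GOOD, sign(GOOD)),
        "tampered":  check_message("partner-a", TAMPERED, sign(GOOD)),
        "extra":     check_message("partner-a", EXTRA, sign(EXTRA)),
        "bomb":      check_message("partner-a", BOMB, sign(BOMB)),
        "wrong_acl": check_message("partner-b", GOOD, sign(GOOD)),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:10s} {result}")
```

Refusing any DTD is the cheapest defence against the entity-expansion and external-entity tricks that hide in the message body; a Web services gateway never needs one, so no legitimate message is lost. Note that the signature check alone would have passed the entity bomb, because it was signed by a legitimate key holder, which is why content validation is a separate step.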

************************
Federal Computer Week
Gearing up for wireless security
BY Brian Robinson
Jan. 13, 2003

If wireless users can endure one more round of debates about security standards, they may soon be able to buy actual products.

It's no secret that current wireless local-area network products lack adequate built-in security, a situation due largely to the inadequacy of Wired Equivalent Privacy (WEP), the first wireless security standard, which was introduced several years ago.

But that could change as new standards take hold and the wireless LAN component market estimated by the Aberdeen Group, a Boston-based consulting firm, to have exceeded $1 billion in 2002 continues to attract heavy hitters such as Microsoft Corp., which recently said it would enter the market.

The promise of secure wireless networking is once again being touted with the expected release in the next several months of the Wi-Fi Protected Access (WPA) standard, which is considered more secure than WEP.

WPA is only an interim step toward a standard now dubbed 802.11i, set for release around the end of this year. The 802.11i standard is expected to finally nail down wireless LAN security and make the products that use it more palatable to organizations that demand tight security.

"With WPA coming out, we are back to where we should have been [with wireless LANs] two years ago," said Michael Disabato, a senior analyst with the Burton Group. "It hasn't met live-wire tests yet, but everyone is confident it is secure now and will allow for cross-vendor implementations."

Meanwhile, the wireless LAN market is one of the few in the telecom arena that is growing, so vendors need to address security if they want to participate.

Cisco Systems Inc., for example, has a WEP implementation for its Aironet wireless LAN solutions that is probably sufficient for situations in which strong security is not critical. But the company is marketing the Cisco Wireless Security Suite, based on the IEEE 802.1x specification, as a stronger security provider. The specification, a core component of WPA, provides port-based authentication of users and devices against a back-end authentication server, so an access point forwards no traffic for a client until its credentials check out.

"This is admittedly a prestandard release, but 802.1x is real now, and because it's implemented in software, we feel very comfortable we'll easily be able to move to a post-standard release of this product," said Vince Spina, director of systems engineering for Cisco's federal operations.

Wavelink Corp. last year came out with a workaround for WEP's ills, namely its relatively weak 40-bit keys, static encryption keys and lack of a key distribution method. The Wavelink solution is a cross-vendor solution that allows for dynamic key rotation. It monitors wireless devices and access points in the network at regular intervals and supplies them with new keys, so that an attacker does not have time to gather enough traffic under any one key to recover it.
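Why the static keys and missing key distribution cited above matter, as an added example that is not part of the original article or of Wavelink's product: WEP seeds RC4 with a 24-bit initialization vector (IV) prepended to the shared key and sends the IV in the clear, so with a static key the keystream depends only on the IV. Once an IV repeats, the two frames XOR to the XOR of their plaintexts, and one frame with guessable contents reveals the other without recovering the key at all. The key, IVs and frame contents below are constructed, and the RC4 is a textbook implementation.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: RC4(iv || key) XOR plaintext. The 3-byte IV is
    transmitted in the clear; the CRC-32 integrity value is omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two frames under the same IV (and static key) share a keystream, so
    c1 XOR c2 == p1 XOR p2; knowing p1 yields p2 with no key material."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def seconds_until_iv_wrap(frames_per_second: float) -> float:
    """Upper bound on how long a static key can be used before a sequential
    24-bit IV counter wraps and guarantees reuse. Randomly chosen IVs start
    colliding far sooner (birthday bound, around 2**12 frames)."""
    return (1 << 24) / frames_per_second


# Constructed sample: a 40-bit key, one IV reused for two frames, and a
# first frame whose contents an eavesdropper can guess (a request line).
KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("000001")
P1 = b"GET /index.html HTTP/1.0"
P2 = b"pass=correct-horse-battery"      # longer than P1: only a prefix leaks
C1 = wep_encrypt(IV, KEY, P1)
C2 = wep_encrypt(IV, KEY, P2)


if __name__ == "__main__":
    print(recover_second_plaintext(C1, C2, P1))
    print(seconds_until_iv_wrap(500) / 3600, "hours until IV wrap at 500 frames/s")
```

seconds_until_iv_wrap gives the budget a rotation scheme like Wavelink's has to beat: at 500 frames per second a sequential IV counter wraps in a little over nine hours, and randomly chosen IVs begin repeating after only a few thousand frames, which is why the key itself has to change rather than just the IV.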

For organizations that can handle the extra demands on processing power and network traffic overhead involved, virtual private networks probably offer the most robust security since the wireless side of the network becomes an integral part of the overall enterprise security infrastructure. Products such as Check Point Software Technologies Ltd.'s Secure VPN include features such as integrated certificate authorities, which provide stronger security than what is currently built into wireless LANs.

However, the cost and complexity involved with installing VPNs puts this solution beyond most small and medium-size organizations' reach. That drove Latis Networks Inc. to develop its Border Guard Wireless solution, which gives network administrators the ability to manage rogue wireless access points and limit device access to the network, or deny access completely.

Latis works on the assumption that a wireless LAN has to be handled as a major part of an overall network security plan, said Mitchell Ashley, Latis' vice president of engineering and chief technology officer. However, the company may be ahead of the market, he admitted, since "we are not yet at the point where everyone even agrees on the need for a firewall equivalent for wireless."

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@xxxxxxxxxxxxxxx

***

Secure solutions

A glimpse at some wireless local-area network security products:

Vendor: Cisco Systems Inc.

Product: Cisco Wireless Security Suite.

What it does: Provides user and device authentication for Cisco Aironet wireless LAN solutions.

Vendor: Latis Networks Inc.

Product: Border Guard Wireless.

What it does: Enables network administrators to detect rogue wireless access points and control device access to the network.

Vendor: Wavelink Corp.

Product: Wavelink Mobile Manager and Wavelink Avalanche.

What it does: Monitors wireless devices and access points in the network and supplies users with regularly changing encryption keys to thwart hackers.
************************
Lillie Coney
Public Policy Coordinator
Association for Computing Machinery
2120 L Street, NW, Suite 510
Washington, DC 20037
202-478-6124 (phone)
202-478-6313 (fax)
lillie.coney@xxxxxxx