
Clips September 9, 2002




ARTICLES

U.S. Considers Cybersecurity Plan
Archaic computer systems hamper war on terror
Year After 9/11, Cyberspace Door Is Still Ajar
Internet Security Not Pressing to All
Navy's Novel Approach to Spy Tech
FEMA launches Web site on Sept. 11 response
Union rallies against pending trademark layoffs
Pop-ups strike out with Internet advertisers
Homeland debate heats up
Report: DOD weak on joint forces follow-up
Digital signatures come into focus
Homeland security: A magnet for talent
Air Force revises net modernization tactics
Where we stand [Homeland Security]
OMB releases Part 2 of federal architecture model
U.S. Marshals and VA finish testing automated travel systems
White House cybersecurity chief defines cyberthreat
With 9/11 in mind, port operators testing security technology
Cops watching for terrorists say IT support lacking
Britain lags behind in broadband take-up
Open-source stalwart leaves HP
Chinese Internet Users Find Search Engine Blocked [Internet Censorship]
Online School's Military Focus Nets $10 Million

***************************
Associated Press
U.S. Considers Cybersecurity Plan
Sat Sep 7, 11:22 AM ET
By TED BRIDIS, Associated Press Writer

WASHINGTON - The Bush administration is considering creation of a fund that would combine tax dollars and money from the technology industry to pay for Internet security enhancements, according to internal documents from the government's effort to develop a national cyber protection plan.

Federal officials writing the plan, set to be disclosed this month, also are discussing sweeping new obligations on companies, universities, federal agencies and home users designed to enhance security of the Internet, according to more than 30 pages of working papers obtained by The Associated Press.

The goal is to "empower all Americans to secure their portions of cyberspace," according to one document identified as an executive summary for the National Strategy to Secure Cyberspace.

Other ideas under consideration include:

_Improving security of wireless technologies, and prohibiting their use in some cases by federal workers;

_Spending more to protect computer systems that help operate major utilities like water and power;

_Studying ways to respond to cyberattacks when the source of the attacks cannot be distinguished immediately between a hostile government or teenage hacker;

_Creating an industry testing center that would make sure software updates don't cause security problems;

_Studying the creation of a new government network to handle communications and computing in case of Internet outages.

A White House official cautioned Friday the ideas cited in the working papers are subject to change until President Bush approves them. Even then, recommendations would have to go through traditional policy and budget processes, which could include congressional approval, the official said.

The administration circulated some draft language last week for review among federal agencies with instructions not to distribute it outside government, said one person familiar with the effort, speaking on condition of anonymity.

An updated proposal is expected from the White House next week, with the plan's final release set for Sept. 18 at a news conference at Stanford University attended by FBI Director Robert Mueller and top administration officials.

The plan is expected to include more than 80 recommendations and is being assembled by a U.S. advisory board headed by Richard Clarke, a top counterterrorism official in the Bush and Clinton administrations, and Howard Schmidt, a former senior executive at Microsoft Corp.

The group's working papers describe creation of a technology fund "to address those discreet technology areas that fall outside the purview of both industry and government and yet are critical to the future secure functioning of the Internet."

The documents reviewed by the AP do not indicate whether the money would come from new taxes, grants or existing revenues, but they note that the fund could be "jointly financed by government and industry."

One example cited in the internal documents that could be paid by the fund is development of highly secure versions of computer operating system software. The most popular operating systems are from Microsoft, Apple Computer Co. and developers of the Linux software.

Some proposals in the working documents already have been struck from the final plan, the White House official said. One would urge Internet providers to offer customers security software that would protect them from hackers. Clarke has previously endorsed that proposal in public appearances.

In an unorthodox move drawing early praise among experts, the White House is placing some responsibility on home users for helping to secure the Internet, along with the nation's largest corporations and universities. Hackers increasingly have seized control of powerful, inexpensive home computers and high-speed residential Internet connections to attack others online or to hide illegal activities.

To help home users, the administration is considering a national advertising campaign aimed at schools and other audiences on the importance of safe computing, according to the documents.

The plan's working papers also recommend encouraging Internet providers to adopt a code of good conduct governing cooperation; and encouraging government to collect better information about cyberattacks and study whether harsher penalties for hacking are needed.
***************************
Mercury News
Archaic computer systems hamper war on terror
By Jim Puzzanghera
Mercury News Washington Bureau


WASHINGTON - After Richard Colvin Reid was arrested for allegedly trying to detonate explosives in his shoes on a U.S.-bound airliner in December, federal officials never searched electronic transportation incident reports to determine if this was a new pattern of terrorist activity.

The reason is simple and distressing: The Department of Transportation's computer system doesn't allow those reports to be searched by key words like ``shoe'' and ``bomb,'' a function most computer users take for granted.

And this is far from the worst case of information-technology impotence in the war on terrorism. The Department of Transportation's Web-based ``Activation Information Management'' system is actually state-of-the-art for the federal government -- it uses the Internet, not glacial mainframe computers, and is accessible to employees in all the department's 12 agencies, a rarity among the fiefdoms of Washington.

Despite spending about $370 billion on computers and software over the past decade, Washington's IT infrastructure is ill-equipped for the widespread information sharing and intensive data analysis President Bush has made a priority for homeland security. The federal government has wasted billions of dollars on poorly designed, customized computer systems that are incapable of communicating with each other.

``Virtually every corner you turn, you see problems,'' said Mark Forman, associate director for information technology and e-government in the White House Office of Management and Budget and the top IT official in the Bush administration.

Complicated government contracting requirements have left many small high-tech firms with cutting-edge technologies unable to sell their products to the federal government. A long-held culture of protecting agency turf and funding, combined with the lack of a coordinated governmentwide IT strategy, has created a sea of unconnected islands of information technology throughout Washington that threaten the nation's ability to fight terrorism.

``Information contributes to every aspect of homeland security and is a vital foundation for the homeland security effort,'' according to the Bush administration's National Strategy for Homeland Security, released this summer. ``Every government official performing every homeland security mission depends upon information and information technology.''

Many analysts inside and outside government believe that if federal agencies had a greater ability to share information and access to better technology, they might have foiled the Sept. 11 terrorist attacks. The FBI's antiquated computer system, for example, allows only single-word queries of electronic reports, making it impossible to search for a term like ``flight school'' that could have helped agents identify that suspected Al-Qaida terrorists were training to fly airplanes.

Agencies play catch-up

Now, the federal government is desperately trying to knit together old computer systems and put in place new ones to prevent such failures again.

Important agencies like the FBI and the Immigration and Naturalization Service have pledged to dramatically upgrade their computers and software. Government officials are stressing the use of more commercial, off-the-shelf technology to increase interoperability and are trying to make it easier for small companies to do business with Washington. In addition, the federal government is funding research at Stanford University and other elite institutions to find new ways to link disparate computer systems and mine ancient databases for information.

``We are very actively being driven by a recognition that things need to change,'' said Steven Cooper, who took over in March as the chief information officer for the White House Office of Homeland Security.

IT experts said the new directives and initiatives are putting the federal government on the right track to ultimately share important information between agencies and search databases for the clues to future terrorist activities. But that day is still far off.

``The good news is progress is getting made,'' said Randolph Hite, who reviews agency IT programs for the General Accounting Office, the investigative arm of Congress. ``The bad news is, more progress needs to be made.''

When Robert Mueller prepared to take over as director of the FBI last summer, he took a tour of the FBI's downtown Washington headquarters. He quickly discovered the IT problems plaguing the nation's top crime-fighting agency.

On one side of the agency's computer room he saw machines from several manufacturers, Mueller told senators during a hearing in June.

``There were Sun Microsystems, there were Apples, there were Compaqs, there were Dells. And I said, What's this?'' he recalled. ``And the response was, `Every division had a separate computer system until a year or two ago.' ''

As Mueller described a few of the FBI's numerous computer woes that spring morning -- agents can't send external e-mail from their desktop computers, electronic files cannot be searched by more than a single key word -- some senators were dumbfounded that the agency continued to have such problems after spending $1.7 billion since 1993 on major IT projects.

``I really think it's very much . . . of an Achilles' heel that you can't do the kind of things that all of us are used to doing on our computers if we're looking for the best buy on an airplane ticket,'' said Sen. Patrick Leahy, D-Vt., the committee's chair.

Lack of communication

But that's the case throughout the federal government.

Tens of thousands of computer systems are incapable of doing more than the most rudimentary functions. Different divisions in many agencies have different computer systems, making it nearly impossible to share and analyze data.

``Some piece of one agency might be very sophisticated technically; in the same agency another part of it has never gotten sufficient funding and is suffering from technological obsolescence,'' said Gary Strong, an IT expert at the National Science Foundation. ``Some agencies like the FBI have no capability right now to play in this world from a technology point of view.''

The FBI has been working for years to upgrade its computer systems but has encountered project delays and cost overruns. When systems have finally been put in place, they often have been immediately outdated or so complex they were ineffective. The FBI's $400 million Trilogy project -- an agencywide technology overhaul that will upgrade computers and put case files and other information on easy-to-use Web-based applications -- is being rushed into service ahead of schedule but still will not begin operation until next year.

``You run into a lot of horror stories about systems that weren't available on time, didn't perform as expected, and vendors that over-promised,'' said Philip Zelikow, a former National Security Council staffer who has been studying the problems as executive director of the Task Force on National Security in the Information Age set up by the private Markle Foundation.

``Everybody has made mistakes, and the private sector makes mistakes. Indeed, that's how you learn,'' said Nathaniel Heiner, the Coast Guard's chief information officer. ``I don't think any of our mistakes has been crippling.''

Government is not alone in suffering IT troubles. Some big corporations have had difficulty integrating information technology and adapting to the recent wave of computer networking and interoperability. Hershey Foods, for example, was unable to fill some lucrative Halloween candy orders in 1999 because of problems with a giant new computer system.

But the sheer size of the federal government and its own unique culture has amplified the problems in Washington.

The independent nature of federal agencies, and the unique functions that many of them perform, has led to a penchant for big, customized systems that are difficult to update and cause huge problems when they crash.

The federal government has had difficulty attracting highly skilled IT professionals on civil service pay scales. And the complexity of government purchasing requirements and the annual budget process of congressional oversight committees have combined to put the federal government far behind the technology curve.

``They're chained to certain burdens that private-sector companies don't have,'' said Rishi Sood, a government marketplace analyst for Gartner Inc. in San Jose. ``Amazon.com overnight can suddenly decide to create a new information-technology infrastructure -- government can't.''

Small firms struggle

Government IT guidelines have been strengthened and purchasing rules streamlined after a 1994 report by then-Sen. William Cohen, R-Maine, titled ``Computer Chaos: Billions Wasted Buying Federal Computer Systems'' highlighted the problems of the federal IT system.

But Forman said many agencies still don't follow the new guidelines. And the process is so complicated that many companies, particularly smaller ones, never bother to offer their solutions -- proposals for federal contracts can run as long as 4,000 pages.

``It is a business process unto itself,'' said Steve Perkins, senior vice president of Oracle Public Sector and Oracle Homeland Security Solutions, two divisions of Redwood Shores software giant Oracle. ``If you're a company that has not historically done business with the government . . . to try to come in and provide your solutions, especially if you're a smaller company, is difficult.''

That has led the bulk of federal IT contracts to go to a handful of large companies like Oracle or defense IT specialists such as Northrop Grumman and Lockheed Martin, which have strong political connections and separate divisions just to deal with the federal government. Last month, one of those companies, Unisys, was named the prime contractor for the Transportation Security Administration's $1 billion project to automate security operations at the nation's airports.

That is one of the few new, large IT projects the Bush administration has embarked on in the war on terrorism. Mostly, federal officials are trying whatever they can to connect databases in key agencies to provide some basic interoperability.

``We now have basically Scotch-taped and Band-Aided stuff together,'' said Cooper, the chief information officer of the Office of Homeland Security. ``Could we use data-mining tools or enterprise application software on top of our existing stuff? . . . Would that enable us to immediately begin to do some analysis or have some capability that we otherwise don't have today? That's one evaluation that needs to take place.''

New department's task

Cooper's office is analyzing the IT infrastructure of the agencies slated to be merged into the new Department of Homeland Security -- among them the INS, Coast Guard and Customs Service. The Office of Management and Budget has temporarily frozen all IT projects over $500,000 in those agencies to make sure they all fit together when the department is launched, probably on Jan. 1.

In addition, Cooper said his office is sifting through 3,000 unsolicited proposals from private companies about homeland security information technologies.

Cooper said he believes the new Department of Homeland Security will be able to make a lot of improvements to allow information sharing and data analysis using commercial, off-the-shelf technology. But some customized work will still be needed to allow for the intensive data analysis envisioned by the new department's Information Integration Program Office.

But Stanford computer science Professor Richard Fikes, who is doing research for the federal government on how to knit the disparate databases together, said the real hurdle is not finding the right software program.
***********************************
New York Times
Year After 9/11, Cyberspace Door Is Still Ajar
By JOHN SCHWARTZ


Sounding the alarm is not the same as paying for a deadbolt on the door. Which may explain why, despite the heightened fears of cyberterrorism and online security that followed last September's attacks in New York and Washington, few American businesses or organizations have responded with new measures to safeguard their computing systems from intruders.

Harris Miller had hoped it would be otherwise. He recalls that warning Americans about cyberterrorism and online security before Sept. 11 had been an exercise in futility.

"I felt like Sisyphus," said Mr. Miller, president of the Information Technology Association of America, a trade group, adding that his pleas for greater awareness and quicker action were consistently ignored. "Just rolling the stone up the mountain, and it kept rolling right back down again." For government, corporations and individuals alike, Mr. Miller said, computer security was always "the 11th item on a 10-item list."

Then came the attacks and with them, a growing sense that terrorism could happen anywhere. And anywhere included the nation's computer networks and all the critical systems that were tied to them.

"It really was a wake-up call," said Mario Correa, director of Internet and network security policy for the Business Software Alliance, an industry lobbying group in Washington.

Security experts predicted that their calls would finally be heeded and that corporations and governments would shore up their cyberdefenses. Some even spoke of a "security dividend" for the industry arising from the attacks. The International Data Group, a publisher of trade magazines, even announced a new magazine, CSO, aimed at the hoped-for legions of deep-pocketed corporate chief security officers.

So what has changed in the year since the attacks?

Not so much, actually.

The fretting, certainly, has been vocal. Companies say in survey after survey that they believe they, and the government, are still vulnerable to cyberattack. Indeed, a poll published this summer by the Business Software Alliance found that 60 percent of those who are directly responsible for their companies' network security believe that United States businesses are at risk for a major cyberattack in the next 12 months.

And a government team led by Richard A. Clarke, the White House cyberspace security adviser, has been busy on a computer security framework that is to be announced next week and is expected to spell out actions that should be taken by government, industry and even individuals to safeguard the Internet.

The fretting and frameworking, however, has not escalated into spending. Money spent on security has been flat the last year, with no turnaround imminent, said Steve Hunt, a vice president of the Giga Information Group, a high-technology analysis company.

"The security market is not going to benefit in 2002," he said. A survey of the customers of Sanctum Inc., a security company in Santa Clara, Calif., which said it had extensively interviewed 10 customers on the topic, showed that only three had made new Internet security moves because of the Sept. 11 attacks.

Other areas of security, like the disaster preparedness of information technology systems, have also come under increased scrutiny since Sept. 11. But, as with cybersecurity, little money has been spent. In a survey conducted for AT&T, 73 percent of those questioned said their companies had reviewed their disaster recovery planning after Sept. 11, but only one in 10 said business disaster planning had become a top priority after the attacks.

That is not particularly surprising in tight economic times, when most information technology spending has focused on incremental improvements to current systems, said Art Coviello, the chief executive of RSA Data Security, a computer network security company in Bedford, Mass. At a conference of chief information officers early this year, Mr. Coviello recalled, executives listed the top three priorities in 2002 as "cut costs, cut costs and cut costs."

"The next priority was to make more out of what they had," he said. "The next priority after that was security."

Part of the reason for the lack of action is a growing sense of frustration with the task of making computer systems secure, said Peter S. Tippett, the chief technology officer of Trusecure, a computer security management firm in Herndon, Va. Trying to keep up with each individual software patch and vulnerability and apply each one to every computer and network has become an all but impossible task for many organizations.

The Computer Emergency Response Team, a federally financed monitoring group and information clearinghouse at Carnegie Mellon University, identified 2,437 software vulnerabilities in 2001, but fewer than 1 percent were used in actual attacks. "Why don't we figure out what the essential security is?" Mr. Tippett said.

He suggested that another reason companies had not acted decisively could be a growing sense among industry experts that the threat of cyberterrorism had been overstated. He noted that although the world's computer networks are increasingly tied to critical systems like power grids and telecommunications networks, a cyberterrorism episode is unlikely to stand alone, or to be devastating in itself. Instead, he said, such an attack would probably come in conjunction with physical attacks and be meant mainly to sow confusion. He compared such a disruption to "a snowstorm on top of an otherwise bad day."

Still, Mr. Tippett and other security experts agree that the nation's computer networks need more effective and extensive shoring up.

Meanwhile, Bush administration officials argue that despite the lack of progress cited by others, great strides have actually been made since last September.

Mr. Clarke, chairman of the president's Critical Infrastructure Protection Board, said the real alarm was sounded not on Sept. 11 but on Sept. 18. That is when a piece of rogue computer software named Nimda spread through Internet-connected computers around the world and caused damage that was estimated in the billions of dollars. The creator of Nimda, which attacked computers and installed "back doors" for subsequent hacker attacks, has never been identified.

"Sept. 11 made everybody in corporate America think about security," Mr. Clarke said. "Sept. 18 made them think about cybersecurity."

Since then, he said, software companies have grown far more serious about plugging the kinds of vulnerabilities that Nimda exploited. Microsoft, for example, shut down its software development efforts for nearly two months in a $100 million effort to analyze Windows software for bugs and to train its engineers in "trustworthy computing" techniques.

Other major software makers have announced similar efforts to make security "not an add-on, but a central thought" in software design, Mr. Clarke said. Industries that did not pay much heed to cybersecurity before -- Mr. Clarke cited power companies as an example -- have "really begun taking security seriously," with widespread use of encryption to shield data from prying eyes and authentication systems to ensure that only authorized people have access to critical system controls.

And government is "beginning to walk its talk" by shoring up its own systems, Mr. Clarke said. The administration's proposed budget for the 2003 fiscal year calls for $4.2 billion for securing federal networks, a 56 percent increase over the current fiscal year. And next week, on Sept. 18, Mr. Clarke's team plans to release its action plan for safeguarding the Internet.

But government can only do so much, since most of the networks and systems that need to be protected are in private hands, Mr. Clarke observed. "The government is not going to secure hospitals and banks and railroads -- they have to do it for themselves," he said.

Mr. Correa's industry group has spent much of the last year trying to ensure that the government's responses to the Sept. 11 attacks do not do more harm than good. "You're seeing Congress look for what appear to be quick fixes and really are not," he said.

The group opposed, for example, well-intentioned early efforts by lawmakers that would have required federal agencies to upgrade computer security using very specific technologies obtained through strict government procurement guidelines.

Under early drafts of legislation, for example, the National Institute of Standards and Technology was to specify the kinds of antivirus and firewall software and hardware that would be used in government systems. Mr. Correa's group feared that the specifications would quickly become outdated, because antivirus software, for instance, must evolve continually to keep pace with new kinds of threats.

So Mr. Correa's group and others requested successfully that the bills specify only performance goals, like a requirement that any firewall software be able to block a certain number of intrusions a second, without defining how the software accomplishes that task.

"You've got to make those security standards performance-based, not technology-based," Mr. Correa said, or "they will be outmoded in a week."

Mr. Correa's group is also fighting an administration plan to put a unit of the Commerce Department that helps set computer security standards, the Computer Security Division, into the new Department of Homeland Security -- a move that they argue would make that group less effective by blurring purely technical issues with military and law-enforcement agendas that could end up with worse, not better, technology.

His group has also tried to pave the way for greater cooperation among industries and the government on security issues. Those efforts have included legislative proposals for making sure that companies are willing to share information with the government by carving out exemptions in the Freedom of Information Act for such exchanges, so that information given voluntarily to the government about intrusions is not made public.

Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No security vendors are getting richer, and there are a lot of security problems yet to be solved," he said.

But, he added, companies have begun to shift toward viewing security as an integrated business function and not merely the province of a "little cult in the corner of the I.T. department." In surveys conducted more than a year ago, only 30 percent of all companies said they had a person responsible for connecting security efforts with the actual risks of the business, he said. Now, nearly 90 percent do.

"This is not a 200 percent improvement in spending," Mr. Hunt said. "It is an improvement in quality, meaning the haphazard approach to security management of the past -- an approach that left many holes -- is steadily being replaced by robust processes of detection and response."

Even Harris Miller says he is feeling less Sisyphean lately. "While there's been much more attention in the private sector, there's a long way to go," Mr. Miller said. "But I don't feel the exercise is as futile as it was a year ago. Now the need is to get the money spent."
**************************
Washington Post
Internet Security Not Pressing to All
Some Firms Admit Measures Inadequate
By Nicholas Johnston


Companies increasingly identify computer security as one of their top priorities, but a significant minority admit that they are inadequately protected, according to a survey to be released today.

"The positive news is that industry is talking the talk of the need for improved information security," said David McCurdy, executive director of the Internet Security Alliance. "The negative news is that very few are walking the walk."

Nearly 90 percent of 227 companies that responded to a survey said information security was essential to the survival of their business. However, 30 percent said their plans for dealing with technology threats were inadequate.

The reason is that the threat of cyber attack remains relatively new for many businesses, said Doug Goodall, chief executive of the computer security firm RedSiren Technologies of Pittsburgh. And it will take some time for companies to adjust to those new threats and make appropriate responses.

"The challenge for fully a third of organizations interviewed is that they still have a long way to go from awareness to proactive management of the risks," Goodall said.

The Internet Security Alliance, the National Association of Manufacturers and RedSiren conducted the survey last month, receiving responses from information security specialists at 227 companies worldwide. Although the survey is not statistically valid, Goodall called the responses a fair representation of the experience of most businesses.

About half of the respondents reported that the Sept. 11 attacks made them "more concerned" about cyber-terrorism, but almost as many respondents reported no change in their attitude.

And the economic fallout from the terrorist attacks could also be why companies are slow to adopt more rigorous security procedures. "A lot of companies right now are trying to survive," McCurdy said. "This has been a cost item."

According to those who conducted the survey, many companies might still believe that the potential losses from a cyber attack are not yet great enough to warrant increased spending on security.

"A sizable portion [of companies surveyed] believes this is manageable risk or an acceptable risk," McCurdy said. "That's a mistake."

What might be necessary to change those perceptions is a computer security event the magnitude of last year's terrorist attacks to focus attention on the problem, just as those attacks changed security procedures at airports, for instance.

"They [corporate executives] have not in most cases had a debilitating attack on their business," said Tom Orlowski, vice president for information systems at the National Association of Manufacturers. "It's kind of like, 'Overall the U.S. has a huge risk, but me and my company? I don't have much of a risk.' "

Almost a third of companies said they were unprepared for possible cyber attacks, but 33 percent also said company executives have not taken enough interest in the issue.

"It's just not high enough on their priority list," Orlowski said.
**************************
Wired News
Navy's Novel Approach to Spy Tech
By Noah Shachtman

2:00 a.m. Sep. 9, 2002 PDT
The Navy needs new ways to analyze its spy images. So it's turning to breast cancer detection to spark new ideas.


After decades of steady development, Automatic Target Recognition (ATR) -- the collection of technologies used to discriminate between, say, a camouflaged tank and the forest it's hiding in -- has "stagnated," according to James Buss, a program manager at the Office of Naval Research.

Picking out Osama bin Laden from a spy satellite image is basically impossible with current technology.

ATR systems "sweep up enormous quantities of data, but their usefulness has been limited by our ability to pull the important information out of that clutter," Buss said.

Locating tiny cells of cancer within the breast presents the same sort of data-culling challenge. And by turning some of these programs toward breast cancer detection -- an arena totally foreign to the military -- the Navy is hoping to "get whole new sets of ideas" about how to look for hidden data on the battlefield, Buss said.

While the Navy certainly receives a nice public relations benefit from such research, there's a legitimate military need as well, said John Pike, director of GlobalSecurity.org.

"If you look at the underlying capabilities of signal and image processing, they are pretty much the same, no matter what's in the image. So the idea that you could have (a system) that's equally capable of detecting breast cancer and camouflaged tanks is plausible," Pike added.

As part of a nearly $5 million, 2-year project, the Office of Naval Research and other military science agencies are teaming up with 11 hospitals and universities to create a database of thousands of breast images created with ATR technologies.

In one experiment, supervised by George Washington University's Dr. Harold Szu, a pair of infrared cameras, operating at different wavelengths, will capture pictures of breasts to look for cancer.

Current digital imaging technology assigns a single camera's perspective to a single pixel.

But Szu has developed an algorithm that blends each camera's view into every pixel. It's like having a pair of eyes trained on the same spot, and it should increase image resolution. The algorithm is currently being tested in LANDSAT satellites and F-18 fighter jets.

It ought to be helpful in finding breast cancer cells as well, because such cells demand a bigger supply of blood in order to feed themselves. That means they get hotter than the surrounding tissue, and so they should show up in Szu's heat-sensitive cameras. So far, however, he's only examined one patient with the system.

Similar, private-sector efforts are much further along. Computerized Thermal Imaging (CTI), a Portland, Oregon, medical device maker, has tested its heat-based system on 2,400 patients. Another 250 women will begin examinations shortly at Harvard's Massachusetts General Hospital.

According to Yuri Parisky, a University of Southern California radiology professor who helped supervise some of the CTI tests, the breast imaging system "has a predictive value of close to 99 percent. If it says it's benign, it's benign."

The thermal imaging could eventually take the place of most biopsies, Parisky asserted. That's potentially huge: nearly 1.2 million American women have this surgical procedure performed on their breasts every year. Eighty percent of these biopsies turn out to be cancer-free. Eliminating even a fraction of the surgeries could save at least $1 billion in health-care costs.

The Food and Drug Administration's Radiological Devices Panel will convene next month to decide whether to recommend CTI's screening device for approval.

Parisky cautioned that CTI's system would not replace traditional X-ray mammograms. But Dr. Leonard Schutz -- an oncologist at Horizon Cancer Center in Spartanburg, South Carolina -- claimed the laser imaging system for spotting breast cancer he's helping to test might eventually prove to be a substitute for the painful procedure.

Tumors absorb and scatter light differently than normal tissue, making them easy to spot with lasers. And malignant tumors show up different than benign ones. Under a recently awarded 5-year, $1.38 million National Institute of Health grant, 250 women will be examined for breast cancer with the laser imaging system.

The U.S. Army Medical Research will also contribute to the effort, as part of its $150 million breast cancer research program.
******************************
Government Executive
Union rallies against pending trademark layoffs
By Tanya N. Ballard
tballard@xxxxxxxxxxx


Union officials want the Federal Labor Relations Authority to ask a judge for a temporary restraining order to prevent a planned layoff of up to 135 trademark examining attorneys later this month.


In May, Trademarks Commissioner Anne Chasser announced that the agency had to lay off some of its attorneys because trademark applications had decreased last year and the agency expects the trend to continue. The agency employs 383 trademark examining attorneys.



In the months following that announcement, National Treasury Employees Union officials have questioned the layoffs and repeatedly asked agency officials to engage in negotiations. The union has filed an unfair labor practice grievance and has petitioned FLRA to ask a federal district judge for a temporary restraining order to delay the reduction-in-force while a decision is still pending.



"We ask that they do the right thing and negotiate with NTEU, what they are required to do by law," NTEU President Colleen Kelley said.



On Friday afternoon, Kelley led more than 100 chanting employees in union T-shirts outside the Patent and Trademark Office's Arlington, Va., headquarters in an effort to draw attention to the issue.



"They were sending a very clear message to the people in the building behind us that this fight is not over," Kelley said after the rally. "They were very spirited and their message was very loud, so there is not a doubt in my mind that they were heard."



While PTO spokeswoman Brigid Quinn declined to discuss the pending litigation, she said that nothing had changed in regard to the situation that led to the decision to lay off employees.



"We tried many other routes prior to the [reduction-in-force] to avoid it, but unfortunately, the workload has not increased and the [reduction-in-force] remains necessary," Quinn said.



Last year, trademark application filings dropped 21 percent to 296,000, according to PTO officials. Applications are expected to fall again this year to 250,000.



But Kelley said cutting the staff by one-third would reduce the agency's ability to serve its customers. "I'm concerned not just about the jobs and the families and the future of these employees, but we're all worried about the future of the trademark office," Kelley said. "I don't believe that they are going to be efficient and able to serve the American public."
***************************
Government Executive
FEMA launches Web site on Sept. 11 response
By Raya Widenoja
rwidenoja@xxxxxxxxxxx


Federal front-line responders to the Sept. 11 attacks now have their own Web site, telling the stories of their efforts.


The Federal Emergency Management Agency launched the new Web site Thursday to commemorate the tragedy and "share with America how FEMA and the federal government on behalf of all America responded" to help the victims and assist in the recovery effort after the attacks, said Cindy Ramsay, a public affairs specialist at FEMA.



"The work that began on Sept. 11 and continues today could not have been done without your support," FEMA Director Joe Allbaugh wrote in a message to online readers posted at the site. "Others, like those profiled in this report, may have literally picked up the pieces. But it was your prayers that picked them up and kept all of us going during the dark days after the horror."



The site features 14 stories from federal workers and volunteers involved in the response and recovery efforts and 55 photographs, all but two taken by FEMA photographers, at the World Trade Center site, the Pentagon and the crash site of United Airlines Flight 93 in Pennsylvania.



"The stories are told from an individual perspective," said Ramsay, and range from a disaster assistance employee who counseled families of Pentagon victims, to a Salvation Army volunteer at the World Trade Center to a New York Police Department emergency responder.



"FEMA tends to do...status reports on response efforts following different disasters," Ramsay said. But agency officials decided that using personal stories and pictures was the best way to portray the Sept. 11 response. "I think it's a very compelling publication," Ramsay said.



The stories show how a wide variety of agencies worked together to provide aid in the aftermath of the attacks. For example, at the World Trade Center site, organizations that FEMA worked with included local emergency response agencies, the Environmental Protection Agency, Department of Transportation units, command teams from the Forest Service and New York public school officials.



Ten workers chosen to represent FEMA's urban search and rescue teams are scheduled to travel back to the site of the World Trade Center before Sept. 11. Most team members haven't been back since rescue efforts ended weeks after the attack.



"It will be a solemn tour of the site and [should] give them time to reflect... They will share their thoughts while they are there, but it is primarily for them to get closure," Ramsay said. FEMA is also exploring the idea of arranging a tour of the Pentagon for search and rescue team members.



Allbaugh and other top FEMA officials will attend the Sept. 11 commemorative ceremonies in New York next week, at which the names of the nearly 2,500 victims of the attack on the World Trade Center will be read.



A printed publication of the online exhibit, A Nation Remembers, A Nation Recovers: Responding to September 11 One Year Later, is also available from FEMA, but since only a limited number are being printed, the agency is encouraging interested individuals to download the publication instead.
***************************
Washington Times
Pop-ups strike out with Internet advertisers


The small number of companies using pop-up ads to win the business of Web surfers are finding that they are annoying potential customers as much as attracting them.

Many major online companies, such as Amazon and BarnesandNoble.com, are cutting down on the use of pop-up ads or even banning them altogether.

The Internet had 11.3 billion impressions, or distinct appearances, of pop-up ads between January and July, according to Nielsen/NetRatings data. About 9 billion, or 80 percent, of those impressions came from just 63 of the 2,208 companies advertising on the Web.

"Pop-ups quickly gained notoriety since their introduction in early 2001, with the ads attracting negative feedback from Internet surfers," said Charles Buchwalter, vice president of client analytics for Nielsen/NetRatings. "Consumers may be surprised to find out that pop-up advertising comprises such a small percent of the total ad market."

Pop-up ads are defined as any Internet advertisement that creates a new browser window. They usually appear atop the browser but often appear behind it. Many Internet users find the pop-ups intrusive.

IVillage, a Web portal catering to women, banned pop-ups in July after 95 percent of its users said the ads were "the most frustrating feature on the Web."

Fewer than a half-percent of the ads used by Amazon.com, Barnes and Noble, EBay, Spiegel and FTD were pop-ups, and the companies did not allow other companies to use pop-up ads on their sites. Popular search engine Google recently said it would not accept pop-up ads on its site.

Meanwhile, free software designed to block pop-up ads has become one of the most popular downloads on the Internet. Earthlink, the world's fourth-largest Internet service provider, began including pop-up blocking software as part of its subscriber packages.

About 2 percent of all companies advertising on the Internet used pop-up ads between January and July. But in certain niche areas, usage was much higher, perhaps contributing to pop-up ads' perceived ubiquity.

The hardware and electronics industry, for instance, has created nearly 1.6 billion pop-up ad impressions this year. The entertainment industry has created nearly 1.3 billion impressions.

The biggest user is X10 Wireless, a seller of small Web cameras, which has created more than 1 billion pop-up impressions alone this year.

"Despite consumers' general distaste for the ads, a few advertisers clearly view the benefits of pop-up advertising as greater than the potential harm for brand image," Mr. Buchwalter said.

Pop-up ads are effective, at least in the short-term. Statistics indicate that a pop-up makes a potential customer 10 to 20 times more likely to "click-through" to the advertiser's Web site. In the case of X10, about 30 percent of all Web users go to the company's Web site at least once a month, according to Jupiter Media Metrix, a New York-based Internet analysis firm.

Pop-up ads also provide a method of advertising for companies that have been shut out of other avenues. Online travel site Orbitz, for instance, resorted to using pop-up ads because large portals such as AOL, Yahoo and MSN had signed exclusive advertising agreements with Orbitz's rivals, including Expedia.com and Travelocity.com. Orbitz created 687 million pop-up impressions between January and July, second only to X10.

Difficulty in finding banner space on popular Web sites has led smaller companies to use pop-up ads. Between January and July, 15 percent of the ads created by community-oriented companies were pop-ups. Reference and educational companies used about 10 percent of their ads on pop-ups.

The big question is whether pop-ups work against advertisers in the long term, particularly if Web users associate them with intrusiveness. Analysts say pop-up ads are unlikely to go away but may appear in a less-invasive form.

"While a growing number of Web sites are addressing consumer concern by outlawing them altogether, we anticipate the continuing negativity surrounding pop-ups will lead to new ad designs that are less intrusive and more responsive to consumer expectations," Mr. Buchwalter said.
***************************
Federal Computer Week
Homeland debate heats up
Personnel flexibility at heart of
The White House and the Senate ratcheted up the volume last week in the ongoing debate over President Bush's proposal to give leaders of the proposed Homeland Security Department more freedom in the hiring, managing and firing of employees.


The White House issued a "deadly serious" veto warning to the Senate that the Bush administration will not back down on its request for management flexibility, which is not included in the Senate's version of the bill that would establish the department.

The official Statement of Administration Policy, released by the Office of Management and Budget Sept. 3, includes "one of the clearest veto threats the president has ever issued," said Richard Falkenrath, senior director for policy and plans at the Office of Homeland Security. He was speaking Sept. 4 at a Brookings Institution forum on the administration's National Strategy for Homeland Security.

Sen. Joe Lieberman (D-Conn.), chairman of the Senate Governmental Affairs Committee and co-sponsor of the Senate bill, sent a letter Aug. 29 to colleagues highlighting the differences between the president's and the Senate's version of the bill.

In the letter, he said that the Senate is already giving the administration "all the power it needs to create and run an effective, performance-driven department."

But without the flexibilities requested by Bush, the secretary of the proposed department would not be able to pull together the separate structures, cultures and information held by the many agencies that are to be included in the new organization, Falkenrath said. That view has supporters inside and outside government.

"To not give the secretary the management flexibility that the president has called for is asking for failure in this department," Sen. Robert Bennett (R-Utah) said during debate on the Senate bill on Sept. 4.

Bennett, who worked closely with the officials who organized the Transportation Department in the late 1960s, said it took nearly two years before those officials recognized that additional management flexibilities were necessary to consolidate the organizations brought together in the department.

DOT is not the only new organization to have experienced that delay, and the Homeland Security Department cannot afford to waste that time, according to Bennett.

Members of or advisers to government are not the only ones concerned with the direction the Senate is taking in the debate on the proposed department.

The administration has repeatedly stated that the proposed department is not just about reorganizing boxes and agencies, and that is key to their argument, said Philip Zelikow, director of the Miller Center of Public Affairs at the University of Virginia, speaking at the Brookings forum.

The proposed department is being formed to provide a new government service, and management flexibility is essential for that purpose, Zelikow said.

Without the transfer and reorganization authorities, among other flexibilities, the secretary will lack the money and the people to address new homeland security issues, he said.

Bush's request for changes to the civil service system is one of the most divisive issues in this debate.

However, as far as the proposed department is concerned, it must be addressed now, even though the question of how to change the system for the entire government may not be answered until later, Falkenrath said.

In the end, "the case is very compelling for allowing the administration to create new [management] mechanisms," said Michael O'Hanlon, senior fellow of foreign policy studies at Brookings.

***

Points of contention

White House officials say that certain parts of the Senate bill to create the Homeland Security Department must be changed or President Bush will veto it. They include:

* Reorganization authority: The bill would not give the secretary of the proposed department the ability to reorganize or consolidate the functions that are to be transferred to the department.

* Transfer authority: The administration asks for the ability to transfer up to 5 percent of each organization's budget under conditions already in place for other departments, such as the Agriculture and Energy departments.

* Personnel flexibility: The administration believes the bill would restrict the secretary from using flexibilities in the civil service system that would allow leaders to move personnel and use award incentives.

* Analysis of threats and vulnerabilities: The bill separates the threat and vulnerability assessment of the nation's critical infrastructures into three organizations.
***************************
Federal Computer Week
Report: DOD weak on joint forces follow-up
BY Dan Caterinicchia
Sept. 9, 2002


The Defense Department's poor track record with applying recommendations on joint service experimentation from the Joint Forces Command raises questions about that command's role in shaping the military's overall transformation, according to a recently released General Accounting Office report.

The Joint Forces Command, which leads the development of joint service concepts and experimentation, has made progress in increasing joint participation in military exercises and experimentation, according to GAO.

For example, the command recently wrapped up the joint military experiment Millennium Challenge 2002, the largest-ever experiment designed to see how well the critical systems of the individual services link with one another.

However, no recommendations from joint experimentation have ever been approved or implemented, according to the GAO report released Aug. 29, "Military Transformation: Actions Needed to Better Manage DOD's Joint Experimentation Program."

The Joint Forces Command issued three recommendations last year, but they were not approved by the Joint Requirements Oversight Council (JROC) because of confusion among the Joint Staff and the Joint Forces Command about a proposed change in guidance requiring additional cost and timeline data to be included in the submissions.

"As a result, it is not clear when these recommendations will contribute to military transformation," according to the GAO report.

The command plans to resubmit the recommendations this year, but according to the report, several DOD officials said that "the resource allocation process may be too slow to provide rapid and timely funding for the implementation of new concepts merging from joint experimentation."

The GAO report made four recommendations to aid the command:

* Approve and issue guidance that clearly defines the information required to accompany joint experimentation recommendations for JROC's review and approval.

* Require the commander in chief of the Joint Forces Command to develop strategic planning tools to use in managing and periodically assessing the progress of its joint experimentation program.

* Require that the Defense secretary develop quantitative and qualitative performance measures for joint experimentation in DOD's annual performance report to better assess the program's contribution to military transformation.

* Clarify the role of the Office of Force Transformation and its relationship to the chairman of the Joint Chiefs of Staff, the Joint Forces Command and other key stakeholders.

Ray Bjorklund, vice president of consulting services at Federal Sources Inc., pointed out that despite the somewhat "inflammatory" tone of the report, the Joint Forces commanders work well with the Joint Chiefs of Staff.

"These people talk to each other... these guys work it out," Bjorklund said, adding that he thinks many of GAO's recommendations are likely already being addressed, albeit "not in as rigorous, disciplined and systematic a way as the GAO is suggesting it be done."

The report was not entirely critical. It found that the command has increased participation of key military and non-DOD stakeholders, such as civilian agencies, academia, industry and foreign allies in experimentation activities.

The report also noted that the command had embraced videoconferencing, e-mail and the Internet to obtain input and integrated the results of military operations, technology efforts and other DOD organizations' experiments into its activities.

To further improve communications and participation in joint experimentation planning, the Joint Forces Command will soon launch a virtual planning center on its intranet to provide DOD stakeholders with weekly updates on pertinent information.

In June, Defense Secretary Donald Rumsfeld's top military aide, Vice Adm. Edmund Giambastiani Jr., was nominated to head the Joint Forces Command, currently led by Army Gen. William Kernan. Giambastiani, a former submarine commander, is a staunch advocate of DOD transformation, Bjorklund said.

"The premise behind it is that [Giambastiani] could be a change agent to make Joint Forces Command a test bed for transformation concepts," Bjorklund said.

A Joint Forces Command spokeswoman said the agency was "thoroughly involved" with GAO as it prepared the report and concurred with the final version.

"Although it is true that only three 'formal' recommendations have been made to date [by the Joint Forces Command], the contributions made across the services and combatant commands through the 'informal' processes have proven to be invaluable and are a critical element of building our future joint forces," the spokeswoman said.
***************************
Federal Computer Week
Digital signatures come into focus
Agencies find right approach to meet paper reduction goals
BY Larry Stevens
Sept. 9, 2002


Most government workers are aware of the benefits of electronic communications. In many agencies, the Internet, intranets, Web portals and e-mail enable collaborators to send document drafts back and forth in the blink of an eye. But when a document must be legally binding, the workflow slows to a snail's pace because someone has to sign the document. And that requirement engenders a whole series of inefficient manual operations, including printing, mailing, filing and creating a system for retrieving the document.

To cut down on paperwork, the Government Paperwork Elimination Act of 1998 requires agencies to give the public, businesses and other agencies the option of submitting information electronically. It also mandates the use and acceptance of electronic signatures to bind such transactions.

Digital signature technology involves a group of different tools of varying costs and complexity to authenticate that the people signing documents are who they say they are. To choose the right technology, agencies must consider how important authentication and nonrepudiation, which means that a document's validity cannot be denied, are for the particular document or process.

"If you're about to receive a document from a co-worker who just called you and told you to expect the document, the security level for the digital signature can be relatively low," said Sarah Rosenbaum, director of Acrobat product management at Adobe Systems Inc. "But if the document is something you might end up in court about at some point, the security needs are much greater."

Adobe Acrobat 5.0 includes a "self-sign" feature that enables users to sign and lock a document but does not authenticate the sender. For more stringent e-signing requirements, Adobe allows third-party digital signature vendors, such as Entrust Inc. and VeriSign Inc., to plug into Acrobat.

The highest level of authentication is a public-key infrastructure, which uses digital certificate technology. The Labor Department's Office of Labor-Management Standards is using PKI with labor organization annual reports from union officers because of its high level of nonrepudiation.

"These forms are legal documents and could very well end up as part of a court case," said Sheila Farrell, the office's senior manager for electronic filing.

The Office of Labor-Management Standards created a CD-ROM-based program that enables users to fill out these forms electronically. They have the option of printing, signing and mailing the form, or transmitting it electronically. To sign a form electronically, union officials must first apply for a digital certificate from the government's Access Certificates for Electronic Services (ACES) program.

Digital Signature Trust, a Salt Lake City-based subsidiary of Identrus LLC, acts as a certificate authority within the ACES program. Via the Web, the company collects personal information from an applicant, such as name, address, and driver's license and credit card numbers. The system checks the data's accuracy against a public records database and then sends a digital certificate -- a public key with an accompanying private encryption key -- to the user.

Next, the company mails an authorization code to the user. The code enables the user to electronically sign a form, which involves clicking a button and entering an authorization code. Under the hood, however, it involves encrypting the message via a private key and sending it to the recipient with the associated public key, which unencrypts the digital signature.
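The signing step described above, and the difference between a "self-sign" check and a certificate-backed one, as an added Go example that is not from the article or from any vendor it names. It assumes RSA signatures over a SHA-256 digest (the article does not name an algorithm); `Signer` and `Registry` are hypothetical names, with `Registry` standing in for the identity-to-key binding a certificate authority vouches for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer is a hypothetical holder of an RSA key pair. Name is only a claim
// until some trusted party has tied it to the public key.
type Signer struct {
	Name string
	key  *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit key pair for the given claimed name.
func NewSigner(name string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: key}, nil
}

// Public returns the half of the key pair that may be shared with anyone.
func (s *Signer) Public() *rsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the document and applies the private key to the digest.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with a public key.
// It proves which key signed the bytes, not who holds that key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Registry is a stand-in (an assumption of this example) for the binding a
// certificate authority provides: a name mapped to the key vetted for it.
type Registry map[string]*rsa.PublicKey

// Accepts verifies against the key vetted for the claimed name, never
// against a key that merely arrived alongside the document.
func (r Registry) Accepts(name string, doc, sig []byte) bool {
	pub, ok := r[name]
	return ok && Verify(pub, doc, sig)
}

func must(sig []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	// Constructed sample documents, not real filings.
	doc := []byte("Constructed sample: annual report, total receipts 1000")
	tampered := []byte("Constructed sample: annual report, total receipts 9000")

	officer, err := NewSigner("union-officer")
	if err != nil {
		panic(err)
	}
	// Same claimed name, different key pair that nobody has vetted.
	impostor, err := NewSigner("union-officer")
	if err != nil {
		panic(err)
	}
	registry := Registry{officer.Name: officer.Public()}

	sig := must(officer.Sign(doc))
	forged := must(impostor.Sign(doc))

	fmt.Println("vetted key, original document:", registry.Accepts("union-officer", doc, sig))
	fmt.Println("vetted key, altered document: ", registry.Accepts("union-officer", tampered, sig))
	fmt.Println("unvetted key, checked against itself:", Verify(impostor.Public(), doc, forged))
	fmt.Println("unvetted key, checked against registry:", registry.Accepts("union-officer", doc, forged))
}
```

The third check passing is the self-sign case: the signature is mathematically valid but says nothing about who signed, which is the gap the certificate authority's identity vetting closes.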

Keren Cummins, Digital Signature Trust's vice president of government services, said that the ACES authorization process, including mailing the authorization code, is a bit onerous and time-consuming. But users only have to go through the certification process once every two years. "The more agencies that people use it with, the less bothersome it will seem," she said.

The Securities and Exchange Commission also uses a PKI program, with VeriSign of Mountain View, Calif., as the certificate authority and PureEdge Solutions Inc. of Victoria, British Columbia, creating the electronic disclosure forms. In this case, the entire authorization process is accomplished online. "We're very concerned about filer burden," said Rick Heroux, manager of the SEC's Electronic Data Gathering, Analysis and Retrieval system. However, the SEC requires some initial authentication in-house before it allows someone to sign up for a VeriSign digital certificate.

At the other end of the user-convenience spectrum is the personal identification number method. Although a PIN does not authenticate the user at the time the password is assigned or chosen, it has the advantage of being less expensive and more user-friendly. For example, the Education Department enables students to electronically sign their student loan applications using only a PIN. One advantage is that a PIN-based program was already in place at the department to allow students to view loan information such as balances and recent payments.

As a result, the e-signing system, called the Student Authentication Network, developed by NCS Pearson Inc. of Bloomington, Minn., was relatively easy to deploy. "It wasn't a very large step either in terms of technology or user acceptance from [using a PIN for] data access to legal transactions," said Neil Sattler, project director for innovations and e-commerce at Education.

But Sattler acknowledged that the PIN method would not be appropriate for all e-signing applications.

"Built into our system are a lot of levels of authentication apart from the PIN," he said. "The school knows who the student is. If there's a local lender, they know the student. PKI would have been overkill for us."

One way to enhance the authentication level of a PIN is to add a token, such as a smart card, or a biometric identifier, such as a fingerprint. The Air Force recently added a digital signature element to the Standard Asset Tracking System (SATS) developed by Gemplus Corp. of Redwood City, Calif.

Delivery personnel carry a bar code/smart card reader, which is used to scan the smart card of the recipient. The screen displays the cardholder's name, rank and identification number, which the delivery person checks against the recipient's ID card. The deliverer then scans the bar code on the shipment. The screen displays if the person receiving the shipment is authorized to do so. If the delivery is authorized, the recipient enters a PIN, which serves as the digital signature, into the reader.

Pete Ramirez, SATS project manager, said the Air Force opted for a smart card instead of a card with a bar code or magnetic strip because it can hold more data and can be rewritten if, for example, someone's rank or authorization changes. "It gives us a lot of flexibility," he said.

Fortunately, the Government Paperwork Elimination Act's 2003 deadline comes at a point when there are many options for e-signing. To choose the right method, agencies must determine the level of trust they require and balance that against the cost and convenience levels of the various options.
***************************
Federal Computer Week
Homeland security: A magnet for talent
BY Megan Lisagor
Sept. 9, 2002


Steve Cooper, Ronald Miller and Patrick Schambach are just a few names that have become a regular part of the dialogue on information technology and homeland security. Like many of their peers, Cooper, Miller and Schambach have changed roles since last September's terrorist attacks.

The creation of the Office of Homeland Security in October 2001, establishment of the Transportation Security Administration last November and proposal of a new Homeland Security Department in June have plunged Washington, D.C., officials into a long game of musical chairs. A look at where key players were a year ago and where they are today:

Richard Clarke

Then: National coordinator for security, infrastructure protection and counterterrorism at the National Security Council.

Now: Special adviser to the president for cyberspace security.

Steve Cooper

Then: Chief information officer of corporate staffs and executive director of strategic information delivery at Corning Inc.

Now: Special assistant to the president, senior director for information integration and CIO at the Office of Homeland Security.

Jim Flyzik

Then: CIO at the Treasury Department.

Now: On detail to the Office of Homeland Security to advise Director Tom Ridge on IT issues.

Lee Holcomb

Then: CIO at NASA.

Now: On detail as the director of infostructure at the Office of Homeland Security.

Ronald Miller

Then: CIO at the Federal Emergency Management Agency.

Now: A member of the Transition Planning Office for the proposed Homeland Security Department.

Patrick Schambach

Then: Assistant director and CIO for the Bureau of Alcohol, Tobacco and Firearms' Office of Science and Technology.

Now: Associate undersecretary for information and security technology and CIO at the Transportation Security Administration.

Howard Schmidt

Then: Chief security officer of Microsoft Corp.

Now: Vice chairman of the federal Critical Infrastructure Protection Board, which has focused attention on the national strategy on cybersecurity, to be released this month.
***************************
Federal Computer Week
Air Force revises net modernization tactics
BY Dan Caterinicchia
Sept. 9, 2002


Six years into a $4.7 billion modernization of its data networks, the Air Force is changing management tactics to give more support to local bases that might lack technical expertise.

The Air Force is shifting the burden of support of Combat Information Transport System (CITS) initiatives from bases to regional commands. In the new organization, the commands will assist the bases with selecting and installing new systems, according to Air Force officials speaking late last month at the Air Force Information Technology Conference in Montgomery, Ala.

Also, the CITS program office is strengthening its support for the bases. In the past, the office supported technology installed under the program for about two years and then passed the responsibility to bases. Now the CITS program office will support products for their entire life cycles, said Lt. Col. Michael Horn, CITS program manager.

The program will extend to wireless devices, with the goal of having a solution ready by the "first quarter of the next calendar year that integrates well with the base infrastructures," Horn said at the conference.

CITS is evolving in other ways, as well. Program officials recently finished testing an enterprise tracking and notification system that will enable major commands to communicate with the Air Force Computer Emergency Response Team and other offices on the Defense Department's Secret Internet Protocol Router Network, said Capt. Korwin Miike, CITS' chief of integration and strategic planning, at the conference.

He said that CITS officials also recently awarded a certification and accreditation contract to Northrop Grumman Corp. to help identify and mitigate risks in the program.

The Air Force has also expanded CITS' range of technology, adding enterprise and fault management, remote access terminal services, classified networks and wireless capabilities.

Mike Corrigan, vice president of Suss Consulting Inc., a government consulting firm, said CITS' shift to a more regional approach for management makes sense because, in the past, the bases did not have the technical personnel to manage and learn all the subsystems, which included "stacks of documentation that were 10 feet high."

Corrigan, who helped implement parts of CITS during his previous tenure in EDS' government division, said standardizing equipment would also aid the architecture modernization effort, especially because individual base IT officials used to select equipment piece by piece throughout the deployment process.

In the next couple of months, CITS will focus its resources on standardizing the major commands' Network Operations and Security Center infrastructure and remote access terminal services, Miike said. He added that there also is interest in awarding a systems integration contract for CITS, but based on the size and scope of the program, "that will take some time."

***

Making the connection

The Combat Information Transport System (CITS) program focuses on using commercial products to modernize information technology at bases and has more than 120 locations worldwide.

The CITS mission has four focus areas:

* Upgrading base backbones with high-speed data transport.

* Providing centralized command and control and information assurance tools.

* Upgrading and sustaining base telephone switches and management systems.

* Providing Air Force help-desk services for CITS and related systems users.
***************************
Federal Computer Week
Web standard to ease secure portal sign-on
BY Rutrell Yasin
Sept. 9, 2002

Impetus is growing for an emerging Web standard that will enable agencies to set up portals through which users can conduct transactions via multiple sites or access multiple applications after a single log-in.

Security Assertion Markup Language (SAML) 1.0 enables different applications, computing platforms and security systems to exchange user authentication information, so users do not have to re-enter their user names or passwords as they move from site to site within a Web portal.

If adopted by a broad range of security vendors, the standard could have implications for both businesses and federal agencies, according to industry experts.

"Federal agencies are rapidly getting into Web services, providing services through the Internet and intranets based on Web protocols," said James Kobielus, a senior analyst with the Burton Group, a consulting firm. "SAML enables single sign-on in a secure way."

"SAML is equally important to the federal government as well as the private sector," said Jahan Moreh, chief security architect at Sigaba Corp., a developer of secure messaging products.

Many technology requests for information recently issued by federal agencies involve the need for a way to securely exchange information between agencies and citizens. "This is where a standard like SAML becomes important, because it will allow users to authenticate at one place [an agency or Web site], and get services from another place" that has a trusted relationship with the agency or business, according to Moreh.

A key to the standard's success will be vendor adoption. So far, the standard, which will be ratified in November by the Organization for the Advancement of Structured Information Standards, is supported by all of the major identity and access management vendors, including companies such as Baltimore Technologies PLC, Entrust Technologies Inc., IBM Corp., Novell Inc., Netegrity Inc., Oblix Inc., RSA Security Inc. and Sun Microsystems Inc.

Microsoft Corp. is a major exception, opting instead to support the Kerberos authentication standard and its own Passport technology as core protocols in its .Net framework for Extensible Markup Language Web services.

Of the identity management vendors, Baltimore Technologies and Netegrity have released products that use the SAML 1.0 specifications.

Meanwhile, Sigaba last month received security validations from the U.S. and Canadian governments for its use of SAML and the Advanced Encryption Standard, as well as support for various public-key infrastructure technologies.

The National Institute of Standards and Technology and the Canadian Communications Security Establishment recently awarded Federal Information Processing Standards 140-1 validation to Sigaba's Gateway Version 3.0.20. That is the mandatory security requirement for systems used by all U.S. federal agencies.

Sigaba software resides between an organization's e-mail server and the firewall, encrypting outbound messages and decrypting inbound messages based on organization-defined policies. The software works with any authentication method and uses SAML to build a network of trust between organizations, Moreh said.

But SAML still faces hurdles, according to Kobielus. Currently, it only defines "a Web services protocol to support exchange of authentication and authorization decisions among affiliated security environments," Kobielus said. It doesn't yet define all the details needed for seamless Web single sign-on across vendors' products, he noted.

"There is much work to be done," Moreh agreed. SAML 1.0 emphasizes Web browser profiles, he added.

Few SAML-based products are currently on the market; however, the Burton Group anticipates there will be a "critical mass" of products for enterprises to use to start testing SAML-based interoperability by year's end.

***

A doorway to e-gov

Security Assertion Markup Language (SAML) 1.0 defines a standard way to exchange user authentication information across applications, systems and security infrastructures.

SAML takes advantage of protocols such as Extensible Markup Language and Simple Object Access Protocol. The standard defines request and response messages that security domains exchange when sharing user authentication and authorization information.

Basically, SAML enables a user to log on to a network or Web portal by using a password or Kerberos, a security system that authenticates users. The authentication decision and the context for that decision are sent to an affiliate Web site via SAML.
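The sidebar's hand-off seen from the affiliate site's side, as an added example that is not part of the original article: before honoring another site's log-in, the receiver checks who issued the assertion, whether it is still fresh, whether it was meant for this site, and how the user authenticated. The issuer, audience and subject values are hypothetical, and verification of the assertion's XML signature is assumed to have been done beforehand by a separate library.

```python
"""Relying-party checks on a SAML 1.0 authentication assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Authentication methods this site accepts: password and Kerberos,
# the two log-on methods the sidebar mentions.
ALLOWED_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:am:password",
    "urn:ietf:rfc:1510",  # Kerberos
}

# Constructed sample assertion; issuer, audience and subject are hypothetical.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    AssertionID="_constructed-example-0001"
    Issuer="https://portal.agency.example"
    IssueInstant="2002-09-09T14:00:00Z">
  <saml:Conditions NotBefore="2002-09-09T14:00:00Z"
                   NotOnOrAfter="2002-09-09T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://forms.affiliate.example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-09-09T13:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier>jdoe</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""


def _parse_time(value):
    """Parse a UTC xsd:dateTime of the form 2002-09-09T14:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, trusted_issuers, audience,
                    allowed_methods=ALLOWED_METHODS):
    """Return the authenticated subject and method, or raise ValueError."""
    # Refuse DTDs outright: entity expansion is a parser-level risk.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in assertions")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc

    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    if root.get("MajorVersion") != "1":
        raise ValueError("unsupported SAML major version")
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError("issuer is not a trusted affiliate")

    # Local policy (stricter than the schema): a validity window is required.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion carries no validity window")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    # Every audience restriction present must name this site.
    restrictions = cond.findall("saml:AudienceRestrictionCondition", NS)
    if not restrictions:
        raise ValueError("assertion is not restricted to any audience")
    for restriction in restrictions:
        named = [(a.text or "").strip()
                 for a in restriction.findall("saml:Audience", NS)]
        if audience not in named:
            raise ValueError("assertion was issued for a different site")

    statements = root.findall("saml:AuthenticationStatement", NS)
    if len(statements) != 1:
        raise ValueError("expected exactly one authentication statement")
    method = statements[0].get("AuthenticationMethod")
    if method not in allowed_methods:
        raise ValueError("authentication method not accepted here")
    name = statements[0].find("saml:Subject/saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        raise ValueError("authentication statement names no subject")

    return {"subject": name.text.strip(), "method": method,
            "issuer": root.get("Issuer")}
```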
***************************
Federal Computer Week
Where we stand
How feds have put IT to work for homeland security, and the work that needs to be done
BY William Matthews
Sept. 9, 2002


The Transportation Security Administration has ordered software that will dig deep into databases to conduct background checks and risk assessments on airline passengers before they are allowed to board flights.

At the FBI, meanwhile, computers mine databases for telltale patterns of behavior that suggest terrorist activity. Warning signs are being culled from inconsistencies in the use of Social Security numbers, immigration records and even data related to scuba diving licenses.

Since the terrorist attacks last Sept. 11, officials in government and industry have been searching for ways to protect the United States against future attacks. They have almost exclusively turned to technology.

"I would say we're better off, more secure, than we were a year ago," said Steve Cooper, senior director for information integration and chief information officer at the Office of Homeland Security.

Early and sometimes outlandish proposals, such as fitting airliners with remote-control systems, have given way to more practical plans, such as creating database and reporting requirements to keep better track of foreign students in the United States.

In the homeland security strategy he issued in July, President Bush declared that "the nation's advantage in science and technology is a key to securing the homeland." He called for creating new technologies to analyze threats, share information and counter attacks.

But the president's zeal for technology is not universally shared. Schemes to tighten security by issuing national identification cards and monitoring public areas with facial-recognition systems, for example, have collided head on with essential American notions about privacy and civil liberties guaranteed by the Constitution.

Such concerns, as well as technology's inherent complexity, have limited the progress in using technology to combat terrorism.

"We're not as far along as I would like us to be," Cooper conceded in an interview in late August. "It's taking more time than we thought."

Missed Connections

A key technological deficiency highlighted by the Sept. 11 attacks was the inability of agencies including the FBI, the CIA, the Immigration and Naturalization Service and the State Department to share information about terrorists and terrorist threats.

In a statement in January, Bush said, "In the wake of Sept. 11, we discovered that information on the hijackers' activities was available through a variety of databases."

Unfortunately, no individual or agency was able to "connect the dots." Thus, the State Department issued a visa to Mohamed Atta, the suspected ringleader of the Sept. 11 attacks, unaware that U.S. intelligence agencies knew that Atta had ties to Osama bin Laden.

At the FBI, officials in Washington, D.C., never saw an internal memo written two months before the terrorist attacks raising concerns about Middle Eastern men attending U.S. flight schools. And at INS, a contractor issued student visas to two of the hijackers six months after they died in the attacks.

"Looking forward, we must build a system that combines threat information and then transmits it as needed to all relevant law enforcement and public safety officials," Bush said in January.

But in his homeland security strategy, Bush indicated that little had changed. He said much of the information needed to combat terrorism still "exists in disparate databases," and "in many cases, these computer systems cannot share information."

Solving the problem has become a top priority for the FBI and the CIA, two central players in the war against terrorism, said Mark Tanner, information resources manager at the FBI. "It's something we all recognize needs to be done, and now there's a new sense of urgency to do it."

Last spring, the FBI created an Integrated Intelligence Information Application database that enables it and other agencies within the Justice Department to share information collected from outside sources, including INS and the State Department.

The agencies are also sharing personnel. "We've got a number of CIA employees detailed to the bureau," including the new chief of the FBI's Office of Intelligence, Tanner said.

In the search for a long-term solution, the FBI, CIA and other intelligence agencies are developing common architecture and metadata standards that will enable them to connect databases and more easily share and analyze data, he said.

But newfound cooperation among agencies solves only part of the problem. "The FBI's [computer] infrastructure needs to be upgraded to take advantage of modern tools that allow collaboration," Tanner said.

Immediately after the terrorist attacks, FBI Director Robert Mueller tried to speed up a massive, three-year project to upgrade the FBI's computer systems. But this summer, he concluded that the Trilogy project can't be done any faster.

So far, Trilogy's accomplishments include deploying more than 17,000 workstations, printers and office software in field offices around the country. But it will take until next spring to complete the network that will connect all FBI offices and until mid-2004 to complete the full Trilogy system.

In a separate information-sharing effort, the FBI has made its terrorist watch list available to TSA, INS, the Border Patrol, and state and local police. The bureau has also linked two online law enforcement information-sharing services and built the prototype for a data-mining system that zeros in on data related to terrorism, Tanner said.

Those are relatively small steps, "but you gotta crawl before you can walk," said Steven Aftergood, a senior research analyst at the Federation of American Scientists.

"We're still in the early phases of a long-term transformation, particularly in the case of the FBI," he said.

Something to Show

Cooper's assessment is more positive. "Overall, the message I want to convey is that we have done real work that has added capability that didn't exist last Sept. 11," he said.

One example is work done by the Customs Service. On Aug. 26, the cargo-inspection agency began screening high-risk cargo containers in foreign ports rather than waiting until it arrives in U.S. ports.

"We don't want to wait for the nuke in the box" to reach the United States, said Customs Commissioner Robert Bonner.

Explosion of a chemical, biological or radiological weapon smuggled into the United States in a cargo container would be devastating not just to the United States, but to global trade, Bonner said. After such an event, "container ships would not be allowed to enter U.S. ports."

Customs inspectors have begun using large-scale X-ray, gamma ray and chemical detectors to screen cargo before it leaves Rotterdam, Netherlands. Similar equipment will likely be placed at 19 other European and Asian ports, where it can screen about 70 percent of the cargo being shipped to the United States. That will free U.S.-based inspectors to concentrate on the 30 percent that is not prescreened, Bonner said.

In July, in another high-tech security achievement, INS officials activated a computerized system for tracking foreign students. And on the anniversary of the terrorist attacks, INS plans to begin fingerprinting and photographing thousands of foreign visitors as they arrive in the United States if they are deemed to pose a threat to national security.

For now, that includes all visitors from Iran, Iraq, Libya, Sudan and Syria, and anyone else identified as a possible threat based on undisclosed criteria.

Fingerprints will be digitized and compared to those in FBI databases of criminals and wanted terrorists. The process is expected to take about 10 minutes, INS officials say.

While computers search for fingerprint matches, visitors will be required to provide information about their planned activities in the United States.

If admitted, visitors will be required to report back to INS within 30 days, providing additional information on their whereabouts and activities. Finally, they will also be required to register when they leave the United States.

Data on those who fail to comply will be added to the FBI's National Crime Information Center database, where it could trigger alerts to local, state and federal police.

The heart of Bush's security plan is the proposed Homeland Security Department.

After months of resisting the creation of a new Cabinet-level agency, Bush changed his mind and in June unveiled his blueprint for a department pieced together by shifting 22 offices and 170,000 employees from other agencies.

Bureaus and branches including Customs, the Secret Service, INS, the Border Patrol, the Coast Guard and TSA would move to the new department. So would lesser-known entities such as the FBI's National Infrastructure Protection Center.

The plan has been approved by the House, but awaits action by the Senate, where a battle over employee job security threatens to stall approval of the plan.

Elsewhere, the president's plan gets mixed reactions.

"The previous organization or lack of organization was clearly not adequate," said Dave McIntyre, deputy director of the Anser Institute for Homeland Security. "Whether the Department of Homeland Security will get it right the first time, history suggests not."

Robert Levine, a senior economic consultant at the think tank Rand, said the conglomeration of agencies that would constitute the new department will pull it in "irrelevant directions like rescue at sea and salmonella inspection."

However, he said Bush's plan does contain the key to homeland security: intelligence analysis. "The government had a lot of information before Sept. 11. It has much more now, but nobody knows what to do with it. It must be sorted out to find the real threats."

It remains far from certain that the Homeland Security Department will be given the analytical horsepower it needs.

Government specialists at the Brookings Institution fear that the new department's ability to analyze intelligence information will be "inadequate to that task." The department information unit "will not have regular or routine access to raw intelligence and law enforcement information necessary to make an informed analysis of possible threats," they wrote in a report this summer.

The Brookings scholars suggest transferring the FBI's Office of Intelligence, which was created in May in response to the terrorist attacks, to the Homeland Security Department.

Debate about the government's shortcomings in collecting, sharing and analyzing intelligence information, and how to solve them, has touched off a more fundamental debate about the effects proposed enhancements will have on citizens' privacy and civil liberties.

"Fears are often expressed that massive data sharing would move the United States closer to Big Brother practices having nothing to do with preventing terrorism," said Michael O'Hanlon, one of the Brookings analysts.

Proposals for adopting "smart" driver's licenses and using facial-recognition systems in public places, for example, sounded alarms about whether the collected data might be used to monitor the activities of ordinary citizens.

Passage of the USA Patriot Act just six weeks after the terrorist attacks evoked cries of alarm from civil liberties organizations. Among other things, the act grants federal law enforcement officials greater authority to trace and intercept mobile phone and e-mail communications without court supervision.

Civil libertarians were further alarmed last spring when Attorney General John Ashcroft changed the FBI's investigative guidelines, freeing agents to comb Internet sites and mine commercial databases for personal information.

They are equally suspicious of TSA's plan to use computers and databases to conduct extensive background checks of airline passengers.

TSA is designing a computer system that can screen airline passengers by instantaneously retrieving and analyzing information about them from commercial and government databases. The system would scrutinize data such as previous travel habits, past criminal convictions, visa status, financial condition, employment circumstances and more.

The system, called Computer Assisted Passenger Prescreening System (CAPPS) II, is intended to identify airline passengers who warrant closer examination by security personnel. In a report to Congress in May, TSA officials said they hoped to begin installing the system at airports this fall.

Officials at organizations such as the Electronic Privacy Information Center (EPIC) worry that the system will be overly intrusive. In a lawsuit to get more information about the system from TSA, center officials questioned whether the CAPPS II system might conduct unconstitutional searches. But computer industry officials say similar systems are already in use in the private sector for marketing and other forms of "customer resource management."

In another plan built around detailed background checks, TSA is designing a "trusted traveler" program in which air travelers would be thoroughly prescreened and, if approved, would be issued a secure ID card that would allow them to bypass the long lines at airport security checkpoints.

The ID is expected to be a smart card containing one or more biometric identifiers, such as a fingerprint, and other digital information about the holder.

Plans for a similar but more widely used card appear to have stalled: The American Association of Motor Vehicle Administrators' call to create standardized driver's licenses that include biometric identifiers met with both acclaim and enmity when it was issued in January. Legislation supporting the plan has sputtered in the House and was never introduced in the Senate.

Supporters said the ease with which the Sept. 11 hijackers fraudulently obtained driver's licenses in Virginia, Florida and other states clearly illustrates the need for more stringent standards. But opponents of the plan, including EPIC and the American Civil Liberties Union, denounced it as creating a de facto national ID card.

Privacy advocates worry that machine-readable information on the cards would be tucked into databases whenever the cards are shown for identification, whether at an airline ticket counter or a video rental store, creating an extensive and traceable electronic trail.

Although Bush administration officials have repeatedly said that they do not support the idea of a national ID card, the Office of Homeland Security offered to draft model legislation for standardized driver's licenses for states to adopt.

Brookings' O'Hanlon contends that the technologies that seem to threaten privacy can also be used to enhance it. "It is easier to monitor how officials access and use electronic records than to track how they use paper records," he said. And computer systems can be set to limit the access that people such as sales clerks have to personal information, he added.

Mihir Kshirsagar, a policy analyst at EPIC, is not reassured. "It's hard to project how all this will change things," he said. Although he does not predict the rise of a Big Brother police state, he does foresee a time when the quality of your ID documents might make a difference.

"You could start seeing different tiers emerging in society," he said. For example, those with good credit and spotless records might find it easy to obtain private and government services, while those with less-than-perfect dossiers might find themselves excluded.

And there are other perils, Kshirsagar said. "One of the grave dangers is that information can be used maliciously by someone." And what if some of the electronic data is incorrect? Will it be possible to correct errors? Will innocent people become victims of technology? "People may stop trusting so much," and everyday life may take on "the feeling that you're being watched," he said.

Indeed, greater use of information technology probably will "make us think differently about privacy," agreed the Office of Homeland Security's Cooper. But video cameras in convenience stores had the same effect, he pointed out.

Cooper is not dismissive of the concerns expressed by Kshirsagar and other privacy advocates.

"All of us should think about what the government is doing and for what purpose," he said. And as the government moves forward, it must keep the public informed. "It is essential that we have an open dialogue. We must explain how it will foster security and not invade civil liberties."

Like his boss, the president, Cooper says he is confident that technology will provide solutions to homeland security problems. "Over the next four or five years, the impact of technology on security will be significant," he said.

Initially, Americans may be apprehensive. "Because it's new and different, many will view it as intrusive or above and beyond what we should do," he said. "But some will say, 'Gee, it's about time.'"

Ultimately, the public will adjust, Cooper predicted.

***

Refurbishing the infrastructure

The Bush administration's homeland security strategy relies heavily on technology, which is putting pressure on agencies to develop new applications and upgrade their information technology infrastructures. Here are some of the major programs planned or under way at homeland security-related agencies. (Dollars are in millions.)

System ... Fiscal 2002 (budgeted) ... Fiscal 2003 (requested or given by Congress)

INS' ATLAS program to modernize its core IT infrastructure ... $0 ... $157.5*

INS' Chimera, a data-sharing system to support anti-terrorism initiatives ... $6.7 ... $83.4**

Coast Guard's National Distress and Response System Modernization Project to update communications and data systems ... $42 ... $91.4*

TSA's IT Managed Services program to provide core IT infrastructure and services ... $0 ... $201*

INS' entry/exit visa system for tracking foreigners entering and leaving the United States ... $17 ... $380*

FEMA's IT infrastructure to upgrade basic information systems ... $55 ... $60*

Customs Service's Automated Commercial Environment to modernize the import-processing system ... $26 ... $60*

FBI's Trilogy, a program to upgrade the agency's network and improve information sharing ... $330 ... $35.8***

* Source: Office of Management and Budget

** Source: Congressional documents

*** Source: Justice Department
*******************************
Government Computer News
OMB releases Part 2 of federal architecture model
By Jason Miller

The Office of Management and Budget will release the second section of the federal enterprise architectural model in the next two months. Bob Haycock, OMB's chief architect, said the performance reference model will include outcomes and metrics agencies will use to measure performance against business practices.

Haycock yesterday discussed the progress of the federal blueprint at the Interagency Resources Management Council conference in Hershey, Pa.

This section of the federal architecture follows the business reference model, which OMB released in July, and outlines the lines of business and the subfunctions agencies perform.

"You can't have a business reference model without the performance piece," Haycock said. "That really is the business layer of the enterprise architecturethose two pieces together. Once you know your common outcomes then you can begin to drive down through the business layer and performance layer to the technology layer. Then you start to see the patterns line up with those performance outcomes. Then you will start to see the technology needed to pull it all together."

Haycock said he expects the first versions of most of the reference models -- data and information, application and capabilities, and technology and standards layers -- to be finished by the end of the year and available for agencies to use in their fiscal 2005 budget preparations.

"The architecture has to be embedded in the way the agency does its work," he said. "It has to be staffed, structured and have funding. Today, it has been a tough road because IT still is not out of the back room in many agencies."
**************************
Government Computer News
U.S. Marshals and VA finish testing automated travel systems
By Dipka Bhambhani


The Marshals Service and the Veterans Affairs Department are moving ahead with their own automated travel systems despite little word from the Office of Management and Budget or the General Services Administration about which e-travel system will be used for the governmentwide e-Travel initiative.

The Marshals Service finished its own pilot of an automated travel system in May and VA expects to finish its tests at the end of this month. Both are testing the same automated travel system, developed by Zegato Solutions Inc. of Lanham, Md.

VA was part of the pilot for e-Travel this summer. "We've been part of it since the beginning," said Tammy Watson, director of electronic business solution services and one of 24 agency project managers within the OMB-sponsored e-Travel initiative.

VA last October put out a request for information for a travel system that would comply with OMB Circular A-125, the Joint Financial Management Improvement Program and VA's own requirements. "We decided to do a live test pilot for 90 days," Watson said.

The department installed Zegato e-travel systems at 14 VA offices for 1,000 employees.

After the pilot, a group of consultants hired by the VA will compile a report from testers for VA's chief financial officer, William Campbell.

"From there, we'll review that report and make a decision if we're going forward with it," Watson said. "We haven't bought anything yet."

If the VA does move forward with Zegato's system, 355,000 employees will begin using the system by early next year, she said.

Meanwhile, VA will provide all documentation and results from the pilot to OMB and GSA so the two agencies can see which vendors would work with the e-Travel portal, she said.

GSA was expected to issue a request for proposals last month for an online booking tool before choosing other parts of the e-Travel system [www.gcn.com/21_23/news/19521-1.html]. "We haven't heard anything from them about what's going on and the status," Watson said.
******************************
Computerworld
White House cybersecurity chief defines cyberthreat
By DAN VERTON
SEPTEMBER 06, 2002


Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, recently spoke with Computerworld reporter Dan Verton about the nature and potential of the threat to the nation's critical infrastructure and what he sees as his biggest challenges with respect to national cybersecurity.
Excerpts from the interview follow:


Q: Can you briefly explain the cybersecurity threat for those who still may not be sure who or what the enemy is?

A: There's a spectrum of threats out there, some of which we experience every day. That spectrum runs from [individuals] who simply vandalize Web pages to those who conduct nuisance denial-of-service attacks. That's on the low end, which is usually conducted by young hackers -- so-called script kiddies.

In the middle, you have criminals who conduct fraud and industrial espionage online. The middle range of threats is usually carried out by organized crime, companies and also nation-states.

On the high end, however, you face people who potentially could conduct attacks to destroy or stop things from working. At the high end, it's potentially nation-states or terrorist groups. These attacks could be conducted in isolation or in conjunction with a physical attack.

I think we have to anticipate that a smart opponent would use some of these asymmetric tactics against us. In the larger scenarios, the private sector would be the targets for attack, either by terrorist groups or nation-states because those groups would seek to disrupt the national economy.

Q: What are the greatest challenges facing the private sector in terms of cybersecurity, particularly with respect to your mission of building an effective public-private partnership that can provide for a common defense?

A: The first problem we've always had was awareness. However, the awareness problem has diminished greatly for two reasons. People in boardrooms asked themselves after Sept. 11, "How secure is our company?" Also, there have been a lot of cyberattacks, which have doubled in the last year.

The second problem facing companies is determining what is a good product, who's a good service provider and what they should be asking for. Most people think the first thing to do is to run out and buy a firewall or an intrusion detection system. But that doesn't even begin to solve your problems. You need to have a continuous process of looking for vulnerabilities and you need to have a layered defense. We passed the 2,000 mark a few months ago in terms of known vulnerabilities that we have to deal with.

Q: What are the key obstacles that government agencies -- federal, state and local -- have to overcome before a national cybersecurity plan can truly be effective?

A: Part of the problem facing the state and local level is revenue. Almost every state is running a deficit. For them to initiate new programs is difficult right now. The states also have a difficult time retaining trained cybersecurity expertise.

At the federal level, the president has asked Congress for $4.5 billion to secure federal IT systems. That's a 64% increase. In fiscal years 2004 through 2006, the government will spend nearly $20 billion on IT security. That's a major commitment.

Q: Are you satisfied with the level of effort expended to date at the regional infrastructure level by the various levels of government and the private sector?

A: I'm never satisfied. I'm feeling good about the federal government's own activities and that major sectors of the private sector are taking action. For example, the banking and finance sector is doing a great deal; the electric power grid is for the first time thinking about encryption; and the IT sector itself is beginning to talk about quality software development and making security a design criteria. Companies like Oracle [Corp.], Sun [Microsystems Inc.], Microsoft [Corp.] and Cisco [Systems Inc.] are leading that effort. IT security is also a top issue in the private sector.

We also are looking for input from small and medium-size IT companies. A lot of good ideas are found in the garage, as [Hewlett-Packard Co.] discovered. We've proactively sought them out and met with them one-on-one.

Q: You recently said that although the government has no plans to regulate cybersecurity, there is a middle ground between regulation and doing nothing. Can you clarify what that means for the private companies that own and operate the networks and systems that make up our national information infrastructure?

A: There are laws already on the books, such as HIPAA [Health Insurance Portability and Accountability Act] and the Banking Modernization Act, that already have provisions to protect privacy information and generally require IT security measures. We're not going to propose additional regulations. But where there are already regulations pertaining to IT security, we'll be working with the regulators to help them develop regulations that make sense. Industries can also regulate themselves. For example, the banking industry is creating [its] own standards. That's happening in the electric power industry as well. We'd like to see that happen elsewhere in industry.

Q: Does the White House have any important initiatives under way or planned, other than the upcoming release of the national plan?

A: The national plan is the major focus, and that will be released at a ceremony in the Silicon Valley on Sept. 18. We are also seriously considering expanding the Defense Department's IT acquisition policy [which requires all IT acquisitions to be tested for security prior to purchase] to all of government.

A year after the Sept. 11 terrorist attacks, has anything changed? What has your company done to better protect its assets? Should the government get more involved in preventing a cyber 9/11 in the future? Have your say in our Computerworld forum, 9/11 One year later.
***************************
Computerworld
With 9/11 in mind, port operators testing security technology
By Linda Rosencrance and Bob Brewin
SEPTEMBER 06, 2002


Even before last year's terrorist attacks, seaport operators were looking for ways to ensure the security of cargo entering U.S. ports.
But with the events of 9/11 came a greater sense of urgency. After all, more than 17,000 containers, carrying 80% of U.S. imports, arrive at U.S. seaports every day. But very few of them are ever checked for contraband or worse things. Law enforcement officials have already issued at least one terror alert this year involving U.S. ports.


So the world's three largest seaport owners decided to work together on a project to test an automated container tracking and security system patterned after the Total Asset Visibility system pioneered by the U.S. Department of Defense to track military shipments during the Persian Gulf War.

Called Smart and Secure Tradelanes, the security initiative integrates radio-frequency identification (RFID) technologies, satellite tracking systems, gamma-ray image scanning devices and Web-based software.

The system, developed by Savi Technology in Sunnyvale, Calif., will initially be tested at the ports of Hong Kong, Singapore and Seattle/Tacoma.

Savi CEO Vic Verma said the shipping companies and ports will use an electronic lock containing the RFID tag to ensure that the containers haven't been tampered with.

The tag, which Verma said can hold up to 128 megabits of data, will hold "information that is relevant to the container, including who the shipper is, who owns it, the basic contents of the container and the consignee."

Data can be read from this tag by port personnel using an iPaq handheld computer from Hewlett-Packard Corp. equipped with an RFID reader.

Savi is also installing computer servers at the pilot ports in the Far East that will store shipping data, Verma said. Those servers will transmit manifest data for an entire ship over a network used to support the Total Asset Visibility network, which is operated by Savi, to ports in the U.S.

When a ship arrives, the port worker scans the electronic RFID lock and obtains an instant read-out on whether the container has been tampered with, Verma said. At the same time, the tag reader interfaces with the server at the U.S. port, providing another check of manifest data. If everything matches up, the container is then processed through U.S. Customs, he said.

At that point, the container is loaded on a trailer pulled by a cab equipped with the Omnitracs satellite positioning system operated by Qualcomm Inc. in San Diego. The tracking system allows Qualcomm to monitor the shipment in real time from the port to its ultimate destination, Verma said.

The project is being funded by three private port operators: Hong Kong-based Hutchison Whampoa Ltd., PSA Corp. in Singapore, and London-based P&O Ports. The three have put up a total of $8 million.

"We want to make sure we have the ability to intercept weapons of mass destruction so we won't have the problems we had last year," said Gary Gilbert, Hutchison's corporate adviser.

In addition, U.S. Sen. Patty Murray (D-Wash.) said the Senate Appropriations Committee has earmarked $28 million to help U.S. ports test the system.

Adrian Gonzalez, an analyst at ARC Advisory Group Inc. in Dedham, Mass., called this a positive step, albeit on a limited basis, toward securing the nation's ports.
***************************
Computerworld
Cops watching for terrorists say IT support lacking
By DAN VERTON
SEPTEMBER 05, 2002


NEW YORK -- Thousands of bridge and tunnel officers and police in New York are being asked to watch for known or suspected terrorists that may still be living in the Manhattan area, without any IT support to automate the process of checking suspects against terrorism watch lists, Computerworld has learned.
The site of the worst terrorist disaster in history, New York is also home to some of the most tantalizing targets for future terrorist attacks, including the United Nations headquarters and Wall Street. In addition, the Manhattan metropolitan area and its surrounding boroughs are known to be the location of a high concentration of suspected al-Qaeda sleeper agents, so called because they enter the U.S. legally or illegally and lie in wait until they receive orders to carry out attacks.


However, a law enforcement source in Manhattan who requested anonymity said the lack of IT support for cops on the ground and at the bridges, across which millions of travelers enter and leave Manhattan daily, has almost certainly allowed suspected or known terrorists to escape justice.

"Most people that come into Manhattan do so by crossing one of those bridges in a car," the source said, pointing to the Queensboro Bridge, which connects Manhattan to Queens. "And people are stopped all the time who fit the profile of wanted or suspected terrorists. The names and descriptions of the suspects are then called into headquarters using a radio, and the desk officer is often forced to check a name that might have five different aliases against a bulletin board of printed 'be-on-the-lookout' sheets," the source said. "It's a joke."

The joke gets worse, the law enforcement source said, when it comes to dealing with individuals who present international driver's licenses. According to state law, foreign nationals who enter the country with international licenses have 30 days before they must apply for a New York state driver's license. However, international driver's licenses are paper-based and can easily be forged, the law enforcement source said.

"So if and when a terrorist is pulled over for speeding, he just shows the officer his international driver's license, and the officer has no way to check who he is through the Department of Motor Vehicles," said the source. "We usually write them a summons for driving without a license and tell them to have a nice day. Then they change their name on their international license using a computer, rent a new car and start the process all over again."

The source also confirmed what other law enforcement officers around the country are saying: that the FBI and various terrorism task forces aren't sharing information with bridge and tunnel officers, housing officers or other cops on the beat in a timely manner.

"The FBI is the central repository of all counterterrorism intelligence, [contained] in the most archaic database," said Steven Jackson, a counterterrorism investigator with the Houston Police Department. "However, they're not disseminating anything.

"The bureau's philosophy is that if there's a problem, we'll come into your office and tell you what it is," Jackson said at a recent government-sponsored conference on homeland security. "The bureau doesn't have the Internet -- they have their own intranet, and they're not in touch."

Jackson's division within the Houston Police Department, which is responsible for the only area of the country that has all nine critical infrastructure sectors in one place, as well as the second-largest oil refinery in the world, was forced on Sept. 16 to build its own database to log and track hundreds of suspicious-event reports that began coming in after Sept. 11. Critical industries include banking, chemicals, energy, transportation, telecommunications, shipping and public health.

"Before that database, it took millions of dollars in man-hours" to find the "very few" reports that actually pertained to terrorist cells in the U.S., said Jackson. The FBI "doesn't disseminate analytical and predictive intelligence reports. That level of information-sharing is no longer acceptable."

Meanwhile, in May the Boston Police Department completed the deployment of a new integrated criminal identification system called the Criminal Alien Identification System (CAIS). It integrates existing databases and electronic fingerprinting technology and transmits identification information to a judge prior to a suspect's appearance in court, said William Casey, Boston's deputy chief of police.

"Prior to electronic fingerprinting, it could take months before the FBI would get back to us with an identification," said Casey. Now it takes between 20 minutes and two hours for most identifications to be made, he said.

As an indication of the success of the CAIS system, Boston made more than 3,500 arrests in one 57-day period, including hundreds of individuals who were subject to deportation or who had overstayed their visas, said Casey.

"There are 87,000 local jurisdictions in the U.S.," said Paul Kurtz, senior director of the Office of Cyberspace Security at the White House. "All cybersecurity is local."

****************************
The Guardian [UK]
Britain lags behind in broadband take-up
Ciar Byrne
Monday September 9, 2002


Fewer British households use a broadband connection to link up to the internet than any other country in Europe.
Despite soaring numbers of internet users in the UK, just 9% of households use a high speed connection, compared with 39% in Germany and 33% in Sweden.


The main advantage of broadband is that unlike narrowband connections it is always on and users pay a flat subscription fee for continuous access.

But there has only been a slight increase this year in the numbers opting for the high-speed service in Britain, up from 5% last year.

"What we're seeing here is an improvement, but not much of one. Broadband is growing in this country but the government's stated target of being the G7 leader in broadband connectivity by 2005 is absurd if you set it against current rates of growth," said Tom Ewing, internet analyst at Nielsen//NetRatings, the web measurement company that compiled the figures

"This summer we did see a lot of aggressive marketing of broadband, and there are signs that the uptake is rising, but it'll take more than just advertising to catch up with markets like Germany," he added.

Even in France, where fewer people use the internet, a higher number of households use broadband access than in the UK.

Mr Ewing said there were a number of reasons for the UK's poor broadband take-up.

"It's partly that in other European countries there's been more aggressive promotion of mid-speed ISDN connections which broke the lock of the 56k modem, and that never happened in the UK where ISDN was largely promoted as a small business solution rather than aimed at home users," Mr Ewing said.

"I think there's a reluctance amongst UK content providers to provide broadband until there's more users," he added, predicting that this vicious cycle will be broken when UK users come across broadband on US sites and realise its potential, for example in showing movie trailers and live footage on the web.

The slow rollout of broadband in the UK has been blamed by some on the high connection prices charged by BT, which is launching its direct broadband service later this autumn.

"International comparisons are notoriously difficult to make but we're taking about 12,000 orders a week and we've placed broadband firmly at the heart of BT strategy and we're confident we can achieve very high growth," said a spokesman for BT.

Over the past year an extra five million people have linked up to the internet in the UK, bringing the total number of home web users to 16.5m, according to figures released by Nielsen in June.

Almost half the population, around 30m, have access to the internet, with users spending an average six hours and 45 minutes on the web each month.
*******************************
News.com
Open-source stalwart leaves HP
By Margaret Kane
Staff Writer, CNET News.com
September 9, 2002, 5:11 AM PT



Open-source advocate Bruce Perens has left Hewlett-Packard, after spending two years at the computer giant.
Perens announced his departure on his Web site. He did not state on the site why he was leaving or what his future plans were. Neither Perens nor HP executives could immediately be reached for comment.


HP hired Perens in December 2000, saying he would help give the company a deeper understanding of the Linux operating system and other open-source software.

Perens, a Linux developer, co-founded the Open Source Initiative, founded the group Software in the Public Interest and helped develop the Debian version of Linux.

He has worked with HP to broaden its Linux and open-source efforts, but has also occasionally come into conflict with the company. Perens had planned to show attendees at a midsummer open-source convention how to circumvent controls on DVD players, but backed off under pressure from HP.
****************
Reuters Internet Reports
Chinese Internet Users Find Search Engine Blocked
Mon Sep 9,10:39 AM ET
By Jonathan Ansfield


BEIJING (Reuters) - Chinese Internet users trying to access the blocked search engine Google are being routed to an array of similar sites in China, the latest sign of an escalating media clampdown ahead of November's Communist Party congress.



Hijacked attempts to log on to the immensely popular web tool, already blocked for more than a week, triggered a flurry of criticism in Chinese chatrooms and biting disclaimers from beneficiary sites.

Some analysts called the move unprecedented and wondered what the next step in Beijing's Internet crackdown might be.

"This is a serious escalation," said Michael Robinson, Chief Technical Officer of Beijing-based Clarity Data Systems.

"They're not acting as administrators. They're acting as hackers," he said. "They're impersonating authority that they don't in fact actually have."

The routings -- to at least half a dozen different search sites, many virtual no-names and none of them major market players -- began over the weekend, analysts said.

The move appeared ordered by public security authorities and implemented locally via Internet servers run by the country's fixed line phone giant China Telecom, they said.

They said users of the smaller China Netcom's services were unaffected in Beijing and Shanghai. Those users' attempts to access Google confronted the same blocked page as before.

Some users in Beijing and Shanghai were redirected to Peking University's no-frills search site Tianwang, the little known cj888.com and the German-invested Baidu.com, among others. Users in Guangzhou were rerouted to the local portal 21cn.com.

"It's like going to buy Coca-Cola and they say 'Well, you can't have Coke but here's grapefruit juice'," said another Beijing-based analyst.

DENIALS

Information Industry and Internet officials had no comment on the move. Sites gaining exposure from it denied any role in the reroutings. "It is definitely not done by us," said a Baidu official. "We have no idea where it comes from."

The Tianwang home page carried a more sour disclaimer. "This is not what the Tianwang search would hope to see," it said.

China's media censors have matched broad proclamations with targeted action in the run-up to the Party congress, which is expected to see sweeping leadership changes and important new policy directives.

Analysts said Beijing might be trying to placate its Internet users amid condemnations from rights groups abroad and users at home over the blocks on Google and a second search engine, Altavista.

"Rather than the absolute block that they had, it's trying to be helpful," said Duncan Clark, head of Beijing-based tech consultancy BDA China Ltd. "But actually it could be worse."

The routings backfired with customers. "So damned shameless," said one Web chatroom member.

Clark warned of legal risks. "Ultimately it's messing with the fundamentals of URLs," he said, referring to Web address codes. "I guess some URLs are created more equally than others."

Analysts said the government could be preparing for a blackout, prolonged through the November congress, on Google, which holds a cache of content from Web sites already blocked in China.

Commercial interests were but a fringe benefit, they said.

"The local telecom officials are implementing it and those guys do have local interests in content sites," said Clark. "But they would only profit in terms of traffic."

Clark said the move would drive more Web users to look for proxy sites in China, which has already blocked proxies anonymizer.com and safeweb.com.

But the government might catch on, he said.

"To make this rerouting thing more effective, it would also need to block proxies."
**************************
Washington Post
Online School's Military Focus Nets $10 Million



By Ellen McCarthy
Washington Post Staff Writer
Monday, September 9, 2002; Page E05



The American Public University System, an online university based in Manassas that offers military and general education courses, landed a $10 million round of funding from Baltimore-based ABS Capital Partners.

The system was founded as a private, for-profit corporation in 1991 and serves more than 5,000 military and civilian students. The funding, its first institutional investment, is to be used to expand its course offerings and pay for accreditation initiatives. The system includes the American Public University, the American Military University and the American Community College.

ABS Capital Partners invests in a range of industries, including computer software, media and health care, but this marks the firm's first investment in an educational organization.

"We had been looking at the space for a very long time," said Stephanie Manuel, a marketing and communications partner with ABS. "We're seeing continuing growing enrollment in secondary education and particularly seeing growing enrollment in online education."

Internet-based learning fits well with the mobile nature of military life, she added.

APUS has more than 300 full- and part-time faculty members, many of whom are current and former military professionals. The schools offer associate's, bachelor's and master's degrees. The company also designs specialized e-learning programs for corporate clients.

Manuel said one factor that attracted ABS to the deal was the school's national security curriculum. APUS students can study a range of related subjects, including corrections and military management, intelligence studies, and homeland security.

"The demand for people who have education in areas such as homeland security and intelligence is surging. It is now starting [to be offered] by brick-and-mortar schools, but we had this prior to September 11th," said Mark Sauter, vice president of marketing and business development with APUS. "No other school has this range of courses in national security."

The university system also offers courses in subjects like history and literature and does not restrict admission to military personnel.

APUS added two ABS partners, Phil Clough and Tim Weglicki, to its board of directors.

****************************

Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx