[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Clips February 19, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;
- Subject: Clips February 19, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Wed, 19 Feb 2003 16:01:07 -0500
Clips February 19, 2003
Powell Gives Up on Rule Revamp
ACLU Asks High Court to Set Spy Limits
State to share visa info with FBI
8 Million Credit Accounts Exposed
Computers May Not Be Ready for Election
Sheriff's Dept.'s Use of Database Criticized
Bill Would Ban Spam E-Mail in California
Final cyber strategy released
Commerce proposes merger of telecom, technology agencies
Justice CIO has departmentwide vision
Homeland infrastructure protection merging
XML standard set for secure Web services
Pentagon works out iris scans
States take first step toward cyberthreat sharing
Industry will work with government on cyberspace plan
NIPC to hackers: Don?t try this at home
Big D goes for big e-gov
Funding delays stall expansion of online identification
U.S. ?cyber army? stands ready for war
*******************************
Los Angeles Times
Powell Gives Up on Rule Revamp
FCC chairman to take the unusual step of writing a dissent on phone deregulation.
By James S. Granelli and Jube Shiver Jr.
February 19, 2003
Federal Communications Commission Chairman Michael K. Powell has abandoned his push to deregulate the telephone industry quickly as the agency prepares to revise key rules governing competition, sources said Tuesday.
But Powell is taking the unusual, defiant step of writing a dissent in the hope that history -- or the courts -- will vindicate him.
Powell's reluctant surrender clears the way for an FCC vote Thursday on new rules spelling out what parts, if any, of the local phone networks owned by the regional Bell companies must be leased to competitors at regulated rates.
Three of the FCC's five commissioners believe that the leases are necessary to encourage competition in the local phone market, putting them at odds with Powell's position that companies such as AT&T Corp. and WorldCom Inc. should install their own equipment.
On such key rules, the FCC historically has preferred to take a unanimous position.
"It's always possible that people will blink at the last second, that some agreement will be reached, but there's no indication that is going to happen in this case," said Bruce Fein, a former FCC general counsel.
One top commission staff member still held out hope for an eleventh-hour compromise, but another speculated that the two sides are too far apart on rules governing voice communications to reconcile.
Powell, however, probably will agree with the majority's view on removing restrictions on the Bells' plans to use newer and faster cables to offer advanced services.
FCC officials would not comment Tuesday. The commissioners are in a quiet period leading up to Thursday's meeting.
Industry experts said nearly any rule that the FCC adopted would be appealed to the federal courts, which have struck down some key provisions of the agency's regulations three times in the last few years. Powell's dissent probably would provide the Bells with a roadmap for appeal, one industry lobbyist said.
The commissioners had hoped that the yearlong review of competition rules would result in a 5-0 vote.
But philosophical differences arose over whether enough competition exists to warrant yanking regulations this year and whether the states should have a meaningful role in making such decisions.
The Bells -- including the dominant local phone service provider in California, SBC Communications Inc. -- have long complained that they are forced to lease their equipment below their cost. But competitors counter that they need the low rates to build market share before they can justify installing their own gear.
Several weeks ago, Powell proposed a plan that would have sharply limited the role of state regulators in setting lease rates.
Republican Commissioner Kevin J. Martin, though, wants to preserve a continuing role for state oversight of the local phone business and wants to require the Bells to continue sharing their networks with rivals until competition is ensured. He formed a majority with Democrats Michael J. Copps and Jonathan S. Adelstein.
Powell countered Friday with a plan that adopted much of the majority's framework. But this plan also would have presumed that sufficient competition exists in markets where competitors have installed three switches, which make connections and provide features such as call waiting and caller ID.
Under that threshold, 80% to 90% of the residential phone market would have been removed from regulation. It also would have left the states out of the decision-making process.
Powell's expected dissent confounded some staff members of the FCC, who note that in April 1999, before he became chairman, Powell spoke up for states' rights by saying that they should determine what elements of the network should be available to rivals at discount rates.
"We are very optimistic that a role for the states will be preserved and that fledgling competition will be allowed to flourish" in the local phone market, said Stan Wise, a Georgia Public Utility Commission member.
*******************************
Associated Press
ACLU Asks High Court to Set Spy Limits
Wed Feb 19, 9:54 AM ET
By GINA HOLLAND, Associated Press Writer
WASHINGTON - Civil liberties groups are using an unusual legal maneuver to challenge the government's spying authority, filing a Supreme Court appeal on behalf of people who don't even know they're being monitored.
The court, however, could refuse to even consider the appeal, the first post-Sept. 11 anti-terror case to reach the justices.
The American Civil Liberties Union (news - web sites) and other organizations asked the court Tuesday to consider the boundaries of a law that gave the government broader spying authority after the terrorist attacks.
The ACLU argued that a review court misinterpreted the Patriot Act, making it too easy for the government to get permission to listen to telephone conversations, read e-mail or search private property, then use the information in criminal cases.
Critics worry there are not enough checks to ensure the government's snooping doesn't stretch to law-abiding citizens.
The court may not allow the appeal because the ACLU was not one of the parties in the review court case. The ACLU filed arguments opposing the government but was not directly involved.
The ACLU and Arab-American groups argue that they represent people who are being monitored under warrants approved by the super-secret Foreign Intelligence Surveillance Court, or "spy court." The court deals with intelligence requests involving suspected spies, terrorists or foreign agents.
"The irony is no one can know for certain whether they are the subject of these secret surveillance orders because they're secret," said Ann Beeson, ACLU's associate legal director.
She said the ACLU has "taken this somewhat radical step" to protect those people.
Washington lawyer Stewart Baker, former general counsel for the National Security Agency, said the groups can argue that this is the Supreme Court's best, and possibly only, chance to consider the work of the surveillance court.
Still, he said, "I can't imagine why the Supreme Court would take this case. The court doesn't take cases that are unique."
Scott Silliman, director of Duke University's Center on Law, Ethics and National Security, said the Supreme Court would have to make an extraordinary exception. "Clearly it will be dismissed," he said.
The November ruling by the review court was a huge victory for the Bush administration, which argues that the surveillance is an important component of its war on terror.
The administration was the only participant in the case. The Justice Department (news - web sites) had appealed after the spy court turned down a request for a wiretap. The review court overturned that decision. It was the first time the review panel had ever met, or issued a decision, during the spy court's 25-year existence.
A key part of the review panel's ruling removed legal barriers between the surveillance operations of the Justice Department's criminal and intelligence divisions.
The decision "opens the door to surveillance abuses that seriously threatened our democracy in the past," justices were told in the filing by the ACLU, the National Association of Criminal Defense Lawyers, the American-Arab Anti-Discrimination Committee and the Arab Community Center for Economic and Social Services.
*******************************
Federal Computer Week
State to share visa info with FBI
BY Judi Hasson
Feb. 18, 2003
The State Department is working out an agreement with the FBI that would allow the law enforcement agency to tap into State's database of 50 million visa applications.
The agreement, which will be spelled out in a memorandum in the next month or two, will help provide better links among agencies that use different and incompatible technology.
The database is known as State's "name check database." It contains visa applicants' personal information and, in many cases, a photograph, according to Stuart Patt, a spokesman at State's Consular Affairs.
Patt said the visa records are considered confidential "with the exception of being used for law enforcement for an investigation."
"We are in the course of working out an agreement with the FBI and federal law enforcement community of ways to provide information to them," Patt said. "We're not contemplating that every law enforcement officer in the country will tap into the U.S. visa records."
State has used the database to see if a person applying for a visa has been denied one in the past or if there is derogatory visa information in the system.
However, the records do not show when people arrive in the United States or whether they use the visa at all, according to Patt.
The FBI declined comment on the initiative, but in the past, FBI Director Robert Mueller has said he wants to provide better links among agencies that have conflicting technology systems.
Kathleen Walker, a lawyer with the American Immigration Lawyers Association, said the Immigration and Naturalization Service has been using State's database at ports of entry since January 2002.
A problem with it, however, is that it is difficult, if not impossible, to correct misinformation in the database, she said.
"There's no point to go to say, 'You've got the wrong information on me.'" Walker said. "It's really easy to get into the database. It's really hard to get out."
*******************************
Washington Post
8 Million Credit Accounts Exposed
FBI to Investigate Hacking of Database
By Jonathan Krim
Wednesday, February 19, 2003; Page E01
A hacker broke into a computer database containing roughly 8 million Visa, MasterCard and American Express credit card numbers earlier this month, prompting an FBI investigation into one of the largest intrusions of its kind.
All three card companies said that the potentially compromised numbers are being closely monitored, and that so far there is no evidence that any have been used for fraudulent purchases. The big three card issuers said the intruder cracked the computer security of a firm that processes credit card transactions for merchants, but they declined to name the company or provide any other details.
The companies said they had turned the matter over to the FBI.
About 2.2 million of the affected numbers involved MasterCard customers. "MasterCard's rules require that merchants securely encrypt cardholder information, including card numbers, so that [unauthorized purchases] cannot occur," the company said in a statement yesterday.
Visa, which accounted for 3.4 million of the numbers, sought to remind customers that they would be automatically credited for any unauthorized purchases, a policy followed by all three credit card companies.
But consumer fraud experts criticized the firms for not automatically informing all consumers that their accounts might have been compromised. Although credit card issuers generally do a good job of protecting against fraudulent purchases, the experts said, such security breaches can lead to a larger problem of identity theft that might not be apparent until months later.
Although it can be difficult to gather additional personal data from a credit card number alone, hackers bent on fraud are likely to try to use the information to impersonate a cardholder, said James Vaules, a former FBI agent and fraud consultant for the LexisNexis database company.
Dan Clements, who runs CardCops.com, a California consulting group and think tank on credit card fraud, said it is up to the myriad of banks and other vendors that issue credit cards to determine whether to inform their customers.
Clements said issuers generally don't do so unless they decide to give their customers new cards and account numbers, which costs issuers about $25 per account.
"The card holder is the last to know," Clements said, which hurts their ability to protect themselves against identity theft.
Christine Elliott, a spokeswoman for American Express, confirmed that her company has not informed its affected customers of the break-in. She declined to disclose how many accounts were affected but said the number was considerably lower than that of Visa and MasterCard.
"We would encourage our card members to call us if they have questions" concerning their accounts, Elliott said.
Spokesmen for Visa and MasterCard declined to provide the names of the banks that issued the affected cards and to discuss the identity theft question.
A spokeswoman for Citizens Bank in Philadelphia told CNN that her bank had shut down 8,000 accounts as a precaution and was reissuing cards. The bank did not return phone calls seeking comment.
*******************************
Los Angeles Times
Computers May Not Be Ready for Election
From Times Wire Reports
February 18, 2003
San Francisco's computerized instant runoff system may not be ready for the November mayoral election. San Francisco was supposed to be the first major city in the country to use the voter-approved system, which lets voters rank their top three choices in order for every office.
The instant runoff system is so new that companies that design election systems are still developing software to count the ballots, and the city is considering counting the ballots -- more than 200,000 -- by hand if the software is not ready in time. The state still must approve any new voting system, and San Francisco has given itself until June 30 to complete the planning for the November election.
Under the system, if no candidate gets more than 50% of the votes, the candidate with the fewest votes is eliminated. Ballots listing the removed candidate as the No. 1 choice are recounted, with the No. 2 pick moved to the top spot.
*******************************
Los Angeles Times
Sheriff's Dept.'s Use of Database Criticized
By Matt Lait
February 19, 2003
A sophisticated Los Angeles County Sheriff's Department computer database aimed at identifying and tracking problem deputies is becoming unreliable because much of the information logged into the system is incomplete, inaccurate and often too old to be of value, according to a report released Tuesday.
In addition, many department administrators and managers do not use the "early warning" database because they are ignorant of its capabilities, according to Merrick Bobb, a special counsel to the county Board of Supervisors who has monitored the Sheriff's Department for the last 10 years.
The sheriff's computer program has been cited by Sheriff Lee Baca and others as one of the nation's best risk management tools in law enforcement, tracking and analyzing such information as citizen complaints, use-of-force incidents, lawsuits, discipline and commendations. The sheriff's system is similar to the one the federal government has mandated that the Los Angeles Police Department adopt as a result of the Rampart corruption scandal.
In his report, Bobb criticized the department for not putting adequate resources into the maintenance of the system. When information is logged into the database, it is typically six months old. Boxes of reports, Bobb said, sit unreviewed because the staff responsible for entering the information is overworked and the office is understaffed.
The department "currently treats [its early-warning system] like a collectible automobile: It is put on display from time to time to demonstrate to the outside world that the [department] has the Rolls Royce of risk management software and procedure.... But when the odometer is checked, it is apparent that it has hardly ever been taken out of the garage.
"When the maintenance records are reviewed, one learns that it cannot perform to the manufacturer's specifications because of neglect. And even when it has actually been taken out for a spin, few of the people who drive it know how to get it to go more than 35 mph," Bobb wrote.
If the database were more widely used, Bobb said, department officials might have been better prepared to deal with the current upswing in the number of use-of-force encounters, force-related lawsuits, injuries to suspects and other crucial risk management categories. In fiscal 2002, for example, the county paid out $6.4 million as a result of force-related lawsuits, compared with $2.9 million in the previous fiscal year.
Baca countered that Bobb's Rolls Royce analogy was an "oversimplified form of hyperbole." He said the criticism in the report was overstated and did not reflect the importance he places on risk management. The sheriff also said that Bobb interviewed a few internal critics for his report and did not conduct a full survey of the supervisors who, for the most part, work hard on risk management issues.
Nonetheless, Baca said his department "will evaluate what [Bobb] has stated and the things we are able to change we will change."
"I'm not opposed to improving things," he said.
Bobb, as special counsel to county supervisors, issues semiannual reports on many subjects confronting the Sheriff's Department, such as jail conditions and excessive force complaints. The reports are submitted to the county board for its review and consideration.
In addition to the risk management concerns mentioned in the report released Tuesday, Bobb raised several other issues:
* Over the last five years, reckless or imprudent foot pursuits have needlessly put deputies in grave danger and resulted in shootings that might otherwise have been avoided. Department supervisors do not adequately review such incidents and are reluctant to discipline deputies who make those poor decisions, he said. Although one of every five shootings occurred during or at the conclusion of a foot pursuit, Bobb did not quantify just how many he thought were improper.
* Instead of using their batons, deputies are increasingly striking suspects with their flashlights, which cause greater injuries and are not authorized by the department for use as "impact weapons."
* Deputies need more frequent refresher training in the use of firearms if they are to retain the skill and confidence they need to make sound decisions on the street.
Bobb's sharpest criticism, however, dealt with the department's failure to maintain its computer database. Known within the department as the Personnel Performance Index, it is supposed to help department officials track deputies' careers and identify those who present risk management problems.
Although the system has tremendous potential, Bobb said, it is being underutilized.
"There is widespread ignorance about what the [database] can do among those who should be using it the most -- captains and lieutenants," Bobb wrote. "Today, its resources are largely untapped."
Supervisor Gloria Molina said she was disappointed in what the report revealed.
"It's really a shame," she said. "We need to rely on a system like this. The sheriff and his department need to take their responsibilities of public accountability more seriously. If we have deputies that aren't properly performing ... we need to rid our system of them."
Supervisor Zev Yaroslavsky introduced a motion Tuesday requesting that Baca appoint a high-level official to address the findings and recommendations in Bobb's report.
Bobb said the department's early-warning system is only as good as the information that goes into it. And that, he said, is a big problem. Currently, many of the citizen complaint reports that are meant to be entered into the database contain inaccurate or incomplete information.
In any given month, as many as 70% of citizen complaint reports are rejected by the unit responsible for typing the data into the computer because of errors or lack of thoroughness. The rejection rate at other police agencies with similar computer programs is between 10% and 20%, Bobb said.
Bobb also said there was confusion among department supervisors over what information to include in citizen complaint forms and how to categorize them.
For example, if a citizen complains that a deputy cursed at him and pushed him, some supervisors will classify the complaint as a "discourtesy" matter rather than the more serious allegation of "unreasonable force." Some supervisors list deputies as "witnesses," rather than identifying them as the objects of citizen complaints.
Delays in recording information led one law enforcement executive to quip in an interview with Bobb that the sheriff's early-warning system was more of an "eventual" warning system.
"This backlog results in key information regarding officer conduct remaining unrecorded and hence unavailable for analysis," Bobb said.
One long-term Sheriff's Department employee told Bobb that the much-heralded computer database has turned into more of a public relations boon than a helpful tool.
"We have this system to keep you happy and the Board of Supervisors happy, but we really don't use it for ourselves the way we could," the employee said. Another employee agreed: "It's a sad truth. We get all these numbers but we don't do anything with them."
*******************************
Los Angeles Times
Bill Would Ban Spam E-Mail in California
Under proposal, people could sue for $500 per violation. Some doubt law would stem tide.
By Nancy Vogel
Times Staff Writer
February 18, 2003
SACRAMENTO -- The unwanted, sometimes lurid advertisements unleashed on computer users -- e-mail spam -- would be banned under a new bill in the Legislature.
The bill would make it a crime to send unsolicited commercial e-mails from California or to an e-mail address in the state. People who received such spam -- "Miniature Remote Control Car -- Great Gift!" or "Lose 32 Pounds by Easter" -- could sue for at least $500 per violation.
"Spam isn't just annoying," said Sen. Debra Bowen (D-Marina del Rey), the bill's author. "It burns people's time and money by forcing them to wade through millions of messages that cost spammers virtually nothing to package and fire off."
But office workers weary of drumming the computer delete button each morning should not assume that Bowen's bill will halt junk e-mail, experts say.
That's because so much spam is sent from outside the country and includes false return addresses. Sometimes, experts say, spammers will hijack a company's mail-sending capability and use it to route their spam around the world.
"Spam is not going to be stopped through legislation," said Jared Blank, a senior analyst with Jupiter Research in New York. "Somebody sitting in China sending you e-mails about Viagra is not going to care what California's rules are."
Blank conducted a study released in September that found the average amount of spam a computer user gets each day nearly doubled between 2001 and 2002, from 3.7 to 6.2 items. Overall, according to Jupiter, the number of e-mail spam messages received in the U.S. jumped 86% between 2001 and 2002, from 140 billion to 261 billion.
Software Solution
Technology, not lawmakers, will ultimately kill the spam industry, said Marten Nelson, an analyst with Ferris Research, a San Francisco market and technology research firm.
An "arms race" exists between spammers and the companies that sell software to block unsolicited e-mails, said Nelson, who predicted victory for the anti-spam vendors.
In some ways, he said, the unsolicited e-mails are like computer viruses. Just a few years ago, viruses ranked as a top concern of corporate computer managers. But companies have since installed multiple layers of antiviral software that has largely blocked the codes that can disrupt or destroy computer functions.
"You can infect computers with viruses in millions of ways," said Nelson. "Spam can be sent only through e-mail or a messaging application, and those are well-defined."
Eventually, he said, the barrage of unwanted Internet advertisements will slow because the senders will have more and more of their e-mails blocked and stop making money. Within five years, Nelson predicted, the problem will be under control.
Bowen said she is under no illusion that her bill will end a blitz of computer advertising. But waiting for technology to catch up isn't working, she said, and Congress has yet to pass a nationwide ban.
"The spam problem is getting exponentially worse, not better," Bowen said, "despite all the ads for 'foolproof' spam filters."
Her bill "gives people the ability and the incentive to go after spammers on their own," she said, "without having to rely solely on technology or the district attorney to try to solve the problem."
Bowen wrote California's first law to restrict e-mail spam, a 1998 measure that required senders of unsolicited commercial e-mails to include "ADV" or "ADV:ADLT" in the subject heading, for "advertising" or "adult advertising." It also required senders to include a toll-free phone number or valid return e-mail through which people could ask for a halt to the messages. Companies that ignored such requests would face a $1,000 fine. Local and state prosecutors are responsible for enforcing the law.
The law has been widely ignored and counterproductive, said Louis Mastria, director of public affairs for the Direct Marketing Assn., which represents 5,000 firms that advertise through catalogs, mail, telephone marketing, e-mail and other means.
Anti-spam filters often block the ads sent by legitimate companies that follow the law and label their e-mails with "ADV," he said. "What's left in your mailbox," Mastria said, "is 100% filtered, unadulterated spam."
He called Bowen's new bill impractical, because a Californian can receive e-mail anywhere. His organization favors federal legislation that requires the senders of unsolicited e-mails to give consumers a way to "opt out" of getting more such computer mail.
Consumer groups prefer a tougher measure, saying spammers shouldn't be allowed to send even a single e-mail advertisement without prior permission from a consumer.
"The new Bowen legislation is a good approach," said Ray Everett-Church, co-founder of the volunteer organization Coalition Against Unsolicited Commercial E-mail. "It recognizes that the prior approach of 'opt out' really hasn't worked."
Better yet, he said, would be a national version of Bowen's law. Congress has debated such measures since 1997, but has yet to pass a law to restrict unsolicited e-mails.
"At some point in the day," said Everett-Church, "you've got to be able to go to somebody who's hurting you and hold them accountable. Technology won't hold them accountable, but the law will."
Spam Suit Pending
Just once has Atty. Gen. Bill Lockyer moved to enforce California's existing anti-spam law. Last September, he sued PW Marketing of Los Angeles for allegedly sending millions of advertisements promoting books, software and lists of e-mail addresses that can be used to make money through spamming.
The case is pending in Santa Clara County Superior Court.
Lockyer has asked Californians to help him prosecute spammers by forwarding illegal e-mails. A complaint form is available online at www.ag.ca.gov/ consumers/mailform.htm or by writing the Public Inquiry Unit at P.O. Box 944255, Sacramento, CA 94244-2550.*******************************
Federal Computer Week
Final cyber strategy released
BY Diane Frank
Feb. 14, 2003
The White House released the final version of its National Strategy to Secure Cyberspace today, focusing on five priority areas and recommendations -- including the creation of a single national cyberspace security response system.
When the Bush administration released its draft strategy in September 2002, it was widely condemned for being too lenient and lacking in any real recommendations and actions.
In November 2002, Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, outlined for the National Infrastructure Advisory Council the first steps for prioritizing the ideas in the draft.
And those priorities are what the Bush administration built the final strategy around:
* Create a national security response system, including expanding the government's Cyber Warning and Information Network to the private sector.
* Develop a national security threat and vulnerability reduction program, including directing the Homeland Security Department to work with the private sector and conduct assessments of infrastructure and systems.
* Establish a national security awareness and training program, encompassing everything from general awareness campaigns to formal education in primary and secondary schools.
* Secure the government through methods such as the administration's e-Authentication e-government initiative and conduct a comprehensive review of whether to expand Defense Department product evaluation requirements to the civilian agencies.
* Foster cooperation with the international community and identify international threats, including conducting a study to examine how to improve coordination among law enforcement and national security and defense agencies.
Many in industry approved of the final strategy's increased focus.
The Computing Technology Industry Association applauded the recommendations to increase information security training and certification, while the Information Technology Association of America praised the focus on cooperation and information sharing between government and the private sector.
*******************************
Government Executive
Commerce proposes merger of telecom, technology agencies
By Bara Vaida, National Journal's Technology Daily
The convergence of the telecommunications and technology worlds has prompted the Commerce Department to propose merging its three key technology divisions into one agency.
The plan to merge the Technology Administration, the National Telecommunications and Information Administration (NTIA) and the e-commerce functions of the International Trade Administration (ITA) would require legislative approval, but several telecom and technology companies quickly endorsed the idea.
Industry officials currently must go to different locations within Commerce, depending on the issues they want to discuss with the administration. Following the merger, the staff would be located in the same place.
"We applaud the Commerce Department's proposal to merge NTIA with the Technology Administration because it accurately reflects the reality in the market today that telecom and technology are inextricably intertwined," AT&T spokeswoman Claudia Jones said.
"By consolidating these three bureaus into one agency under the Department of Commerce, the administration shows that it understands how important a unified and coherent technology agenda is to our nation's economy," AeA President and CEO William Archey said in a statement. "With the challenges currently facing our industry, this couldn't come at a better time."
When Phil Bond, the head of the Technology Administration, was both chief of staff to Commerce Secretary Donald Evans and the undersecretary, he created an interagency technology council to better coordinate technology policy discussions within the agency. "We've been working closely together and this is a formalization of a good part of what we've been doing already," he said of the merger plan.
Bond said no staff would be cut in the consolidation and Deputy Commerce Secretary Samuel Bodman said Thursday that the merger would have no impact on the department's budget. After the move, the Undersecretary for Technology would oversee the new agency and the position of an assistant secretary for communications and information and NTIA administrator also would remain the same.
"What matters most is performance and results, and we believe these organizational changes will help us accomplish our jobs," said Nancy Victory, NTIA's chief.
When asked to give an example of how the consolidation could improve the department's activities, Bond said that all the work on technology standards done by the Technology Administration's National Institute of Standards and Technology (NIST) would be better coordinated with the standards work at NTIA.
He said the move also would combine separate aspects of the work on high-speed Internet services being performed by the Technology Administration's Office of Technology Policy and NTIA. The Technology Administration has been studying ways to boost demand for such broadband services, while NTIA has been focused on expanding access to those services.
The idea of the merger predates the Bush administration, Bond said, adding that it has been discussed for the past 10 years, as the telecom and the tech industries began merging.
The Information Technology Association of America, Information Technology Industry Council and the Business Software Alliance also praised the reorganization plan.
*******************************
Federal Computer Week
Justice CIO has departmentwide vision
BY Sara Michael
Feb. 13, 2003
With an eye on the mission to combat terrorism, Justice Department chief information officer Vance Hitch is pushing for more information sharing and departmentwide thinking.
Justice is working to improve its technology foundation and shift the culture to more centralized solutions, Hitch said today at a breakfast sponsored by Input, an information and research firm based in Chantilly, Va.
"The culture at Justice has been very decentralized. This is not an easy task, but it's imperative to improve the effectiveness of IT," he said. "[Information sharing] is the only way we are going to be able to combat terrorism."
When Hitch assumed the role of CIO last spring, the department was in desperate need of an IT strategic plan. The Sept. 11, 2001, terrorist attacks had changed the department's overall mission from law enforcement to counterterrorism, and the information systems weren't ready for the change, Hitch said.
The department is facing new changes with the development of the Homeland Security Department, which will take on the Immigration and Naturalization Service while the Bureau of Alcohol, Tobacco, Firearms and Explosives moves to Justice.
Hitch called the move "a gradual transition" but said the change will impact his department's IT spending, which typically is 6 percent to 8 percent of the overall Justice budget.
INS accounted for nearly 38 percent of the department's IT spending in fiscal 2003, but because of the agency's move, Justice's fiscal 2004 budget doesn't include INS.
However, the FBI continues to account for a large portion of the department's IT spending. In fiscal 2004, 75 percent of the department's IT spending request was earmarked for the FBI, with most of it dedicated to the Trilogy modernization program.
Hitch also emphasized the need to view Justice as a whole, funding and managing IT projects and sharing solutions departmentwide.
"You can't just be a group of 30 different organizations," Hitch said. "There's a reason we're together, and we have to act as a department, especially when it comes to IT."
Rather than each organization implementing a solution, Hitch said there's a need to share funding and best practices.
"Everybody wants to do it their own way," he said. "We can't afford to do that anymore, and it's not good business."
One major initiative that illustrates this shift is the implementation of a unified financial management system, an effort the department hasn't seen before. A request for proposals for the system software is expected Feb. 14. The system would include the core financial management system, a federal procurement module, an e-Travel management module and a property management module. The system would affect each organization in the department.
A second initiative, the Joint Automated Booking System (JABS), is in its final phase and demonstrates the promotion of best practices that Hitch supports. JABS, a cross-agency database of arrest information, brought together the remote or manual processes of collecting information. Hitch said the system has speeded up the process, and he seeks to spread the system to other agencies that make arrests.
The department also is creating a single data network to replace the current fragmented and inefficient communications. The current network has a limited capability to share information, lacks a unified security view and duplicates training functions within the department.
A new system would integrate the communications between organizations, with a strong focus on improving security and promoting information sharing.
*******************************
Federal Computer Week
Homeland infrastructure protection merging
BY Diane Frank
Feb. 14, 2003
The Homeland Security Department's infrastructure protection organization is getting under way, formally bringing in officials from all the existing security incident detection, warning and protection agencies that will be merged into the new division.
The department's Information Analysis and Infrastructure Protection Division still has no nominee to lead it, but Secretary Tom Ridge has had a transition team working on how to create the offices within it for some time.
For infrastructure protection, the effort includes merging the Federal Computer Incident Response Center, the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and the National Communications System.
This week, the top executives from those centers -- including Sallie McDonald, FedCIRC's head and the leader of many of the civilian government's security efforts -- officially moved to the department to participate full time in transition planning.
*******************************
Federal Computer Week
XML standard set for secure Web services
BY Michael Hardy
Feb. 18, 2003
The Organization for the Advancement of Structured Information Standards (OASIS) today announced that its interoperability consortium has approved the Extensible Access Control Markup Language (XACML) as an OASIS open standard.
XACML, a variant of Extensible Markup Language, allows Web developers to enforce policies for information access over the Internet.
Its adoption as an OASIS standard means that agencies can implement it with the confidence that it will become widely used. As an open standard, no single vendor owns it and all developers can use it.
The standard is designed for use in authorizing which individuals should have access to information, said Carlisle Adams of Entrust Inc., co-chairman of the OASIS XACML Technical Committee, in a statement. Authorization procedures developed based on XACML can be applied to all products that support the standard, regardless of which vendor makes them, allowing for organizationwide uniform enforcement.
Agencies are interested in such standards because the needs of homeland security, electronic government and other initiatives are pushing agencies to share information while keeping it secure, said Jim Flyzik, a consultant and the newly appointed chairman of the Information Technology Association of America's Homeland Security Task Group.
"It is something we've talked about for quite some time," he said. "There's always an interest in standardization, and XML is going to be a key technology for making systems interoperate."
OASIS, founded in 1993, has developed other open standards as well, all focused on data security. The organization has more than 2,000 participants, representing more than 600 organizations.
Federal members include the Defense Information Systems Agency, the State Department, and the National Institute of Standards and Technology.
Several companies that are part of the XACML Technical Committee, including IBM Corp., Entrust, OpenNetwork Technologies Inc., Quadrasis Inc., Sterling Commerce Inc. and Sun Microsystems Inc., developed the XACML standard.
*******************************
Federal Computer Week
Pentagon works out iris scans
BY Dan Caterinicchia
Feb. 13, 2003
More than 350 members of the Pentagon Athletic Center no longer need to carry their ID cards to access the facility. All they need are their eyeballs.
The Defense Department's Biometrics Management Office (BMO) this week announced that it had reached the final phase of the biometric access pilot project, which uses an iris-scanning device to verify the identity of Pentagon Athletic Center members.
The office launched the project in June 2002 with a phased approach. At first, the iris-scanning device was used in conjunction with pre-existing ID cards, but now members can enter using the devices that are located at the outside guard post and at the turnstile entrance to the center, said Linda Dean, director of the office.
"This project is a major step toward achieving the BMO's vision of a DOD-wide enterprise solution, which when fully implemented will allow authorized personnel to access DOD facilities and information networks around the globe without the use of PINs and passwords," Dean said in a statement.
The facility is using Iridian Technologies Inc.'s IrisAccess 2200 devices, which can detect an individual approaching the imager. Once the person's eye is 3 inches to 10 inches from the mirror in the unit, a camera captures an iris image, which is digitally processed into a 512-byte IrisCode template, according to company officials.
A search function performs real-time database matching at the remote unit. When an iris matches a valid IrisCode template in the database, access is granted almost instantly.
The iris-scanning pilot at the athletic center served to provide exposure to, and instill confidence in, biometrics technology to senior staff members within the Pentagon, according to BMO officials. It was chosen because of its proximity to the Pentagon and because its members are already accustomed to security checkpoints.
Members can still use their ID cards if they choose to do so, Dean said.
*******************************
Government Computer News
States take first step toward cyberthreat sharing
By William Jackson
Thirteen states, led by New York, last weekend conducted a communications exercise that could lead to a new, multistate information sharing and analysis center.
The ISAC, which would pool cyberthreat data gathered by states, is led by William Pelgrin, director of the New York City Office of Cyber Security and Critical Infrastructure.
No formal center exists yet, however. During the dry run, participating states reported to a central location any suspicious activities they monitored on the Internet over the Presidents Day weekend
?There was no malicious activity,? said Mike Russo, chief information security officer in Florida?s state technology office. ?The exercise was about the communications and working relationships with the other states.?
Russo said Florida was invited to participate ?because of some of the work we?re doing in the cyber area.? Starting in May 2001, the state has been auditing its agencies? networks to establish a security baseline and set policy for disaster recovery and training.
?Since Sept. 11, we have accelerated,? Russo said. ?I think we?ve made progress.?
Because sharing information about security threats and vulnerabilities is seen as essential to protect the nation?s critical infrastructures, the federal government has encouraged the creation of ISACs to share information in commercial sectors such as banking, public utilities and IT. It also encourages information sharing with federal agencies.
The ISACs serve as central collection points where data can be gathered and evaluated. Most such information is sanitized before distribution because of participating organizations? liability concerns.
*******************************
Government Computer News
02/14/03
Industry will work with government on cyberspace plan
By Wilson P. Dizard III and William Jackson
The White House today unveiled its National Strategy to Secure Cyberspace, detailing dozens of steps for industry and government to take to fend off and recover from assaults on the nation?s critical systems.
The plan?s five priorities are:
A national cyberspace security response system
A threat and vulnerability reduction program
A security awareness and training program
A plan to secure governments? cyberspace
An approach to intelligence agency and international cybersecurity.
Seeded throughout were dozens of recommendations to the private sector to raise its awareness of threats, train its systems employees, evaluate the security of applications and form ties with the government for joint action.
The plan also called for specific federal actions, the first of which is to set up a 24-hour, seven-day contact point in the Homeland Security Department for federal interactions with industry and other partners. And it called for exercises to evaluate the impact of cyberattacks and pinpoint weaknesses for correction.
At a DHS briefing today, Howard Schmidt, acting director of the White House?s Critical Infrastructure Protection Board, said, "We have had a number of exercises across the Pentagon and in civilian agencies."
He said agencies have begun to simulate cyberattacks with state and local governments as well.
The plan put the Justice Department and other agencies in charge of improving information sharing, investigative tools and cybercrime research. It said the General Services Administration and DHS will continue to cooperate on a federal software patch clearinghouse and work with the private sector on a similar clearinghouse.
Federal agencies were told to tighten security measures, expand their use of security assessment tools and install applications to check continuously for unauthorized network connections. The plan said the government will also review the National Information Assurance Partnership to assess whether it is properly dealing with security flaws in commercial software.
It further said the government will consider licensing or certifying private security service providers for minimum capabilities, "including the extent to which they are adequately independent." Schmidt said such providers need to be shown as trustworthy.
In the international arena, the plan noted that the U.S. government will not necessarily limit its response to cyberattacks to criminal prosecution and it "reserves the right to respond in an appropriate manner." That mirrors the government?s pursuit of al-Quaida, which has been carried out partly by legal prosecution and partly by warfare.
It called for building North America into a "cyber safe zone" with the cooperation of Canadian and Mexican public and private sectors.
DHS secretary Tom Ridge introduced the plan, together with the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, during a press conference at the department?s heavily guarded headquarters in Washington.
Ridge said the reports on computer and physical infrastructure would "serve as road maps to help government and business" act in harmony.
Mario Correa, director of Internet and network security policy for the Business Software Alliance, called the final version of the plan "more focused and goal-oriented? than earlier draft versions.
"What is critical is for Congress to step up to the plate and provide the resources to implement the strategy,? Correa said.
Dan Burton, vice president of government affairs at Entrust Inc. of Dallas, said, "It's much the same as the previous version," but the fact that it exists is good. "The key is execution, and that is what we have to look to next," Burton said.
Also today, President Bush spoke at the FBI about the Terrorist Threat Integration Center announced in his recent State of the Union address. He said the FBI is expanding the terrorist identification system to give local jurisdictions access to terrorist threat information. Bush also said he has requested $500 million in additional funds for training, preparedness equipment and technical assistance to state and local law enforcement. Link to plan http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf
*******************************
Government Computer News
02/14/03
Davis names Putnam to lead new tech subcommittee
By Jason Miller
GCN Staff
House Government Reform Committee chairman Rep. Tom Davis has decided to fold procurement policy oversight back into the full committee, leaving IT issues under one of four new subcommittees. The Virginia Republican laid out his 108th Congress agenda yesterday.
When Davis became chairman of the full committee, he said he was considering taking back some of the work of the Technology and Procurement Policy subcommittee, which he chaired for two years.
Rep. Adam Putnam (R-Fla.) will chair the new Technology, Information Policy, Intergovernmental Relations and Census subcommittee. Now in the second year of his first term, Putnam served as vice chairman of the National Security, Veterans Affairs and International Relations subcommittee last session.
Rep. William Clay (D-Mo.) is the new ranking minority member, taking over for Jim Turner (D-Texas), who moved on as ranking member of the Select Committee on Homeland Security.
The IT subcommittee will play close attention to implementation of the E-Government Act of 2002, the Federal Information Security Management Act and the Government Paperwork Elimination Act. It will consider developing a grading system for how well agencies follow the E-Government Act and other IT provisions.
Under Putnam, the subcommittee will review federal IT management of cross-agency communication and compatibility with state and local systems. Other priorities will be oversight of data mining in the Defense Department?s Total Information Awareness program as well as overall federal IT security.
The full committee likely will hold hearings on the revision of Office of Management and Budget Circular A-76 and a recent report to improve the federal work force. Davis? oversight plan also includes analysis of contracting management at the Energy Department, NASA, the Transportation Security Administration, plus the Veterans Affairs Department?s buying schedules.
The full committee will oversee the implementation of FISMA, the E-Government Act and the Digital Tech Corps Act, all of which Davis sponsored. For the first time, the committee will delve into the Federal Retirement Thrift Investment Board?s botched Thrift Savings Plan computer system.
Davis also reorganized three other subcommittees and named new leaders:
Dan Burton (R-Ind.) will chair the Human Rights and Wellness subcommittee with Rep. Diane Watson (D-Calif.) as ranking minority member.
Todd Platts (R-Pa.) will lead the Government Efficiency and Financial Management subcommittee, and Edolphus Towns (D-N.Y.) will be ranking member.
Jo Ann Davis (R-Va.) will take over the Civil Service and Agency Organization subcommittee with Danny Davis (D-Ill.) as ranking member.
*******************************
Government Computer News
02/14/03
NIPC to hackers: Don?t try this at home
By William Jackson
While the Bush administration drafts its cyberwar rules, the FBI?s National Infrastructure Protection Center is warning off volunteers who want to lend a hand by launching their own attacks against foreign enemies.
?The U.S. government does not condone so-called ?patriotic hacking? on its behalf,? the NIPC said in an advisory this week. ?Regardless of the motivation, the NIPC reiterates that such activity is illegal and punishable as a felony.?
So far, NIPC doesn?t have to worry about amateurs stealing the wind from U.S. sails. Mi2g Ltd., a London digital risk management company, reports no significant political hacktivism.
?We have not been able to collect much evidence for anti-Islamic or protest attacks against Iraq from U.S. or western hackers at all in the last year,? the company said in a statement. But it noted ?numerous pro-Islamic and anti-war-on-Iraq attacks from hackers based in Morocco, Egypt, Eastern Europe, Jordan, Kuwait, Saudi Arabia, Pakistan, Indonesia and Malaysia. ? The one incident that did surface in a digital attack against an Islamic radical movement online turned out to be a hoax.?
NIPC, an interagency group focused on the safety of the nation?s critical and cyber infrastructures, issued its warning in an advisory urging heightened awareness of cybersecurity. ?Recent experience has shown that during a time of increased international tension, illegal cyberactivity often escalates. Sympathetic individuals and organizations worldwide tend to view hacking activity as somehow contributing to the cause. As tensions rise, it is prudent to be aware of and prepare for this type of illegal activity,? the advisory said.
NIPC recommended:
Raising awareness
Updating antivirus programs
Scanning for malicious code arriving through e-mail servers
Filtering at maximum security levels
Setting policies for responding to and recovering from attacks.
*******************************
Government Computer News
02/14/03
Big D goes for big e-gov
By Trudy Walsh
The city of big hair and big hats is adopting e-government in a characteristically big way. Dallas? new Web portal lets residents pay water bills, renew drivers? licenses, register to vote or report potholes online. The site links directly to the Texas state portal and shares a common infrastructure with it, including servers and network security.
The state outsourced www.texasonline.com to BearingPoint Inc. of McLean, Va., in May 2000, said Gary Miglicco, BearingPoint?s national director for e-government services.
The site has been getting a ?relatively good response,? Dallas CIO Dan McFarland said. About 3 percent of the 300,000 water bills the city issues each month are being paid online, McFarland said. The site has both English and Spanish versions as well as an interactive city map.
Edocs Inc. of Natick, Mass., handles the back-end processing of payments. Residents can sign up for a password and enter a water bill account number on the site, secured by 128-bit Secure Sockets Layer browser encryption. They can pay bills by credit card or e-check.
The site also accepts employment applications online. Dallas eventually wants to put most of its city services on the Web site, McFarland said.
The sites are:
www.dallascityhall.com
www.texasonline.com
*******************************
Government Executive
February 11, 2003
Funding delays stall expansion of online identification
By Maureen Sirhal, National Journal's Technology Daily
A federal initiative designed to verify the identity of citizens doing business with the government over the Internet is facing funding delays, according to Bush administration officials.
The e-authentication project, one of President Bush's 24 initiatives to put more government services online, seeks to allow individuals to garner identification credentials to sign and transmit documents and transact other business online with government agencies. The General Services Administration (GSA) and White House Office of Management and Budget (OMB) are spearheading the project.
But Adrian Fish, GSA's deputy project manager, said at an E-Gov conference on Tuesday that officials might miss a target for launching the gateway because of funding issues. "Our milestone had been September of this year. ... I don't think we're going to make it now," she said.
For now, the e-authentication portal is working on an interim basis under a deal with the technology research firm Mitretek, Fish said, and funding woes have forced the agency to delay its bid to expand the portal. "What we have now is an interim gateway that does work," she said. "It can continue to do business, but it's not really where we want to be."
Still, Fish said GSA is making progress and is working with e-authentication providers to create a "credential consortium" that eventually will certify the firms to offer digital certificates and other third-party credentials for verification at the gateway. GSA also is working with industry communities to see if they can leverage private-sector efforts to issue digital certificates and other Web-based verification credentials, he said.
"We have just joined the Liberty Alliance and are using that body to drive to an open standard" for the software in verification products, Fish said. The alliance is a private-sector group of firms trying to craft a standard for authenticating people's IDs online.
Despite the delays with the government's e-authentication initiative, she said GSA is "getting a lot of interest" from various agencies about becoming part of it.
Officials with other e-government projects, such as the e-grant program, are working with GSA and the e-authentication team to become eligible to issue authentication credentials for citizens applying for federal grants online.
*******************************
Government Executive
February 10, 2003
U.S. ?cyber army? stands ready for war
By Shane Harris
sharris@xxxxxxxxxxx
President Bush has ordered the government to create formal guidelines for fighting a cyber war, The Washington Post reported Friday. In cyber combat, the military would attack its opponents with bytes instead of bombs, using electronic weapons to disrupt or destroy an enemy?s communications, power supplies and other critical infrastructures.
If the president decides to wage this breed of war in Iraq, or any other nation, the mission will fall to the United States? cyber army, a staff of about 150 computer scientists and cyber analysts assigned to the Defense Department?s Joint Task Force-Computer Network Operations.
The JTF-CNO is encamped at a Defense complex outside Washington, the same facility that houses the National Communications System, the government?s emergency communications apparatus.
The cyber army has two missions. The first is guarding Defense?s computer networks from attack, whether by domestic or foreign adversaries. Established only five years ago, the small force has earned its stripes repelling computer nemeses like the recent Slammer worm and hacks by Web site-defacing cyber vandals, many of them teenagers who are most active when they?re home on winter and summer vacations.
Two administrations have shrouded the task force?s second missioncyber offensein secrecy. The White House wouldn?t confirm the report of the new guidelines, but a spokesman acknowledged what is widely known among cyber experts: For years, the military has developed and maintained the ability to electronically battle its opponents.
Has the cyber army ever gone to battle? ?I cannot say,? Walter ?Dusty? Rhoads, the deputy commander and chief of staff of JTF-CNO, said in a recent interview.
Rhoads, an ex-fighter pilot who in 1995 became the founding commander of the Air Force?s first information warfare squadron, a predecessor of the current task force, also won?t reveal the weapons or the methods the cyber army could use. But officials and cyber war experts have said that the same arsenal of worms, viruses and hacking techniques employed by those who attack the government are almost certainly the same ones the government would use to attack its enemies. And Rhoads acknowledged that only people with a formal understanding of how computer attacks can occur, and how computer networks are vulnerable, have the skills to be members of the cyber army.
To conduct its defensive operations, the cyber army relies on intelligence analysis, some produced in-house and some from government and private sector sources, to assess countries? capabilities to attack U.S. systems. That information would also be a key to understanding how to defeat an enemy. That, Rhoades said, is the cyber army?s sole offensive mission.
The art of cyber war breaks into three categories: denial, disruption and exploitation, said Tom McDermott, the former head of information security for the National Security Agency. Any nation employing cyber offense would likely target an adversary?s critical communications or energy systems, shutting them down or cutting off access to them. Also, valuable information contained in enemy systems, such as military intelligence, could be captured, and false information could be spread through information networks to confuse the adversary.
To wage a cyber war effectively, a country needs a computer infrastructure and a computer-educated population from which to draw its soldiers, McDermott said. Iraq has those components, and some cyber analysts believe the Iraqi government maintains a computer attack squad.
As in traditional war, a cyber army might have to use both defensive and attack strategies. Rhoads said there are some classified policies and procedures in place now for conducting offensive operations, but he wouldn?t describe them. The White House reportedly ordered the drafting of cyber war guidelines last summer.
Cyber army soldiers possess many of the same skills as their adversaries. They hold advanced degrees in computer science, often have been trained as intelligence analysts and are fluent in network engineering, science and exploitation. They may have gleaned these skills in the classroom or on the job, in the private or public sector. The cyber army consists of about one-third each military, civilian and contractor personnel.
Rhoads said he and his colleagues attend hacker conferences to make the military?s presence known among the attendees, but also to drum up support for the government. The largest annual hacker gathering, Def Con, holds an annual ?Meet the Feds? panel. Defense officials have spoken at the convention to encourage the most talented attendees to help educate government personnel about cyber attack and defense. They?ve been both welcomed and greeted with contempt by those present.
Rhoads emphasized the government?s policy is not to hire so-called ?black hat? hackers, or those who use their skills illegally. Nevertheless, the soldiers in the cyber army, like hackers, have the skills and capabilities to wound their adversaries, and Rhoads said the Defense Department employs many individuals with the talents needed to be a cyber warrior.
Reflecting the subtle and perhaps arbitrary difference between black hat hackers and their ?white hat? counterparts, McDermott said, there is an ?extensive body of experts who have not crossed that line [of illegal hacking] who serve their government.?
Numerous cyber analysts and hackersregardless of their affiliationsay the likelihood is slim that any government could cause massive damage through electronic means on the scale associated with traditional combat. Cyber offense may, at best, be an accompaniment to common military operations that helps weaken an enemy?s resolve or defenses.
But McDermott cautioned the government not to assume the most powerful weapons in the cyber arsenal have already been exposed. A war might be the most opportune time to reveal new methods and weapons.
?Why would you expect an adversary to lay their cards on the table until it counts?? McDermott said.
*******************************
Lillie Coney
Public Policy Coordinator
Association for Computing Machinery Public Policy Committee
Suite 510
2120 L Street, NW
Washington, D.C. 20037