Clips September 22-23, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips September 22-23, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 23 Sep 2003 13:22:26 -0400
Clips September 22-23, 2003
ARTICLES
Southeast Asia unveils cyber-crime fighting plan
U.S. to sharply cut number of H-1B visas
JetBlue Target of Inquiries by 2 Agencies
Anger at Bangladeshi snooping plans
VeriSign seeks advice on controversial new service
Report: Net piracy has five more years of growth
In worm war, feds fight the clock
Feds should boost IT research, report says
NIST issues security drafts
Homeland Security misses reporting deadlines
*******************************
USA Today
Southeast Asia unveils cyber-crime fighting plan
September 19, 2003
SINGAPORE (Reuters) - Southeast Asian governments have a message for
hackers, virus writers and other "cyber-criminals": we're
ganging up on you.
The Association of South East Asian Nations (ASEAN) announced plans on
Friday to share information on computer security by next year and create
a regional cyber-crime unit by 2005. And it hopes to enlist the rest of
Asia and then the world into the plan.
The world suffered three major computer virus attacks, including a
variant of the fast-spreading Sobig e-mail worm, last month, costing
companies and governments about $800 million in damage.
Under the new arrangement, the ASEAN nations, Singapore, Malaysia,
Thailand, the Philippines, Indonesia, Myanmar (Burma), Vietnam, Cambodia,
Laos and Brunei, would each form Computer Emergency Response Teams,
or CERTs, by 2005.
These would instantly share information on hackers, worms and viruses,
while cooperating against new forms of cyber-crime. The first step, a
framework to share the information, would be in place from next
year, an ASEAN joint statement said on Friday.
"In this way, everybody gets early warning and can take
action," Singapore's minister for information, communications and
the arts, Lee Boon Yang, told reporters.
Lee said the size of teams would vary from country to country, but would
consist of at least 12 people.
Virgilio Pena, the under secretary for the department of transportation
and communications in the Philippines, said at least six ASEAN members
have an emergency response system in place, while others are still
developing their teams.
"We hope eventually to widen the scope of the response teams beyond
ASEAN to the Asia-Pacific and to a global scale," he
added.
Boosting trade
In a joint statement, ASEAN telecommunications ministers also agreed to
implement pacts to harmonise standards for telecoms equipment testing,
which would speed up delivery times and lower business costs for
companies.
In the first phase by 2005, Southeast Asian nations will share a common
standard for testing telecoms equipment.
Currently, equipment tested in one country faces another round of tests
when arriving in a destination market that can take weeks or
months.
"This is the beginning of freer trade in telecommunications
equipment, easier market access, lower entry barriers, lower costs to
exporters," Lee said.
The pacts will be signed on a bilateral basis, and for a start,
negotiations will be held between Singapore and Brunei and Singapore and
Indonesia.
"We import a lot of telecom equipment from Singapore, and it would
be easy for us to work together," said Brunei's minister of
communications, Zakaria Sulaiman.
*******************************
CNET News.com
U.S. to sharply cut number of H-1B visas
September 22, 2003, 3:45 PM PDT
The United States is about to cut the number of employment visas it
offers to highly qualified foreign workers from 195,000 to 65,000,
immigration experts said Monday.
Unless Congress acts by the end of this month--and there is little sign
it will do so--the change will automatically take effect Oct. 1.
Employers, especially technology companies, argue the move will hurt them
and the economy.
The change will affect the number of H-1B visas that can be issued each
fiscal year. The visas are mostly used to bring high-tech experts from
Asia, especially from the Indian sub-continent, to work in the United
States for up to three years.
"The fact that Congress doesn't seem anxious to act reflects the
political climate, with a lack of jobs for Americans," New York
immigration lawyer Cyrus Mehta said.
"The pressure to change the limit will build up again when the
economy picks up," Mehta said.
The Senate Judiciary Committee held a hearing on the issue last week.
Committee Chairman Orrin Hatch, R-Utah, noted that many U.S. high-tech
workers are unemployed and the committee needed to find ways of helping
them without hurting the country's ability to compete globally.
Vermont Democratic Sen. Patrick Leahy said: "Given the weakness of
our current economy, and the rising unemployment we have experienced
under President Bush's stewardship, many who supported the increase in
2000 now believe that 65,000 visas are sufficient."
But Patrick Duffy, a human resources attorney for Intel, said finding the
best-educated engineering talent from around the world was critical to
his company's future.
"We expect that we will continue to sponsor H-1B employees in the
future for the simple reason that we cannot find enough U.S. workers with
the advanced education, skills and expertise we need," he said.
Elizabeth Dickson, director of immigration services for Ingersoll-Rand,
speaking on behalf of the U.S. Chamber of Commerce, said: "In the
near term, we simply must have access to foreign nationals. Many of them
have been educated in the United States. By sending them home, we are at
best sending them to our own foreign plant sites, and at worst to our
competitors."
Immigration attorneys expect the new rules to set off a scramble by
companies to fill their slots early before the ceiling is reached. How
quickly that happens depends on the state of the economy, they
said.
*******************************
New York Times
September 23, 2003
JetBlue Target of Inquiries by 2 Agencies
By PHILIP SHENON with JOHN SCHWARTZ
WASHINGTON, Sept. 22 - Two federal agencies announced today that they
had opened investigations into JetBlue Airways in response to the
airline's admission that it had provided travel records on more than a
million passengers to a Pentagon contractor, violating its own privacy
rules.
The moves by the Department of Homeland Security and the Federal Trade
Commission came as JetBlue disclosed that it had hired Deloitte &
Touche, the accounting firm, to review the company's privacy policies and
determine if they needed to be revamped.
The fast-growing three-year-old airline, which is based in New York and
has worked to build a reputation for bargain fares and customer-friendly
policies, apologized to customers last week after disclosing that it
provided an Army contractor with more than five million computer files,
reflecting the travel records of 1.1 million passengers in 2001 and
2002.
The contractor, Torch Concepts, based in Huntsville, Ala., matched the
JetBlue records against another database to determine the passengers'
Social Security numbers, occupations and family size in an effort to
identify potential terrorists.
Although spokesmen for JetBlue and Torch Concepts have insisted that the
passenger records were never shared with the government, privacy rights
groups have expressed outrage over the passenger-screening project,
describing the airline's decision to release the data to another private
company as a grave violation of consumer privacy rights.
The Department of Homeland Security, which assumed responsibility for
airport and airline security earlier this year, said it would try to
determine if any government officials violated federal privacy laws in
helping coordinate the passenger-screening study conducted by Torch
Concepts.
The department's chief privacy officer, Nuala O'Connor Kelly, who is
conducting the inquiry, said in a telephone interview that "this is
an issue that concerns me and concerns the department: there was no
notice to citizens or consumers about the use of their data and the
sharing of data."
The Federal Trade Commission said that its investigation was prompted by
a complaint filed today by a privacy rights organization, the Electronic
Privacy Information Center in Washington, that urged the commission to
bring civil charges against JetBlue for violating its own corporate
privacy rules.
"We take these allegations very seriously and will review the
petition carefully," said a commission spokeswoman, Claudia Bourne
Farrell. "The F.T.C. has been very active in the area of assuring
consumer privacy."
The Army, which hired Torch Concepts as a contractor on the project last
year, said it was also reviewing the issues raised in JetBlue's admission
of privacy violations. "Given the public interest, and rightly so,
we'll be looking into this," said the spokesman, Maj. Gary C.
Tallman.
He said that the Army had wanted Torch Concepts to carry out a
data-mining project to determine how information analysis could be used
to protect military bases from terrorist attacks.
He said that the contractor decided to test its data-mining theories by
applying them to a large collection of data: passenger records from
a major airline. Spokesmen at Torch Concepts and the Army said it is
unclear why JetBlue was chosen for the project over other
airlines.
In a statement released tonight, JetBlue said that it had hired Deloitte
& Touche "to assist the airline in its analysis and continued
development of its privacy policy."
The airline said it wanted "to let our customers know that we are
fully committed to their privacy." The airline said that lawyers for
Torch Concepts had "confirmed to JetBlue that no identifiable
customer data was released to any third party, including the Department
of Defense or the Transportation Security Administration, and that all
the data has been destroyed."
An airline spokesman, Gareth Edmondson-Jones, said in an interview that
the airline had not seen the complaint filed with the Federal Trade
Commission and had no immediate response to the allegations.
He said that in the last few days the airline had received about 1,500
complaints through e-mail from customers about the privacy violations,
but that there had been no rush of cancellations or any other discernible
effect on the airline's reservations.
He repeated the company's explanation for its decision to turn over the
passenger data last year, saying the airline was motivated by patriotism
and a concern for the safety of its passengers in the aftermath of the
terrorist attacks on Sept. 11, 2001.
Spokesmen for Torch Concepts and the Army said Torch was hired for the
data-mining project through a major military contractor, SRS Technologies
of Newport Beach, Calif., a high-technology engineering company that is
helping to develop the Pentagon's controversial Terrorism Information
Awareness program.
An SRS spokesman said that the Army had introduced SRS to Torch Concepts
last year and had asked SRS to hire the company as a sub-contractor, a
procedure that is not unusual in military procurement since it eases the
military's bookkeeping when dealing with small companies.
The SRS spokesman said he did not believe that his company had been fully
briefed on the details of Torch's work, nor had there ever been any
connection between Torch's work for the Army and SRS's work for the
Pentagon on the information awareness project, originally known as Total
Information Awareness.
The project, a legacy of the Sept. 11 attacks, has been harshly
criticized by some lawmakers and by privacy rights advocates as a
dangerous effort to expand government surveillance of the public in the
name of antiterrorism.
In promotional material, Torch Concepts says it specializes in so-called
pattern-recognition technology, specifically a system known as
Acumen, or "adaptive concept understanding from modeled enterprise
networks," which allows patterns to be detected from mountains of
data.
On its Web site, Torch Concepts says Acumen "has been applied
successfully in data-mining applications in the health care and financial
industries." It works, the company says, through a "unique
synthesis of adaptive neural methods, internal models and fuzzy
logic."
*******************************
BBC Online
Anger at Bangladeshi snooping plans
By Alistair Lawson
BBC Dhaka correspondent
Plans to allow the authorities in Bangladesh to monitor e-mails and
telephone conversations have provoked outrage among human rights experts
and telecoms analysts.
The Bangladeshi cabinet is considering changes to the 2001
Telecommunications Act that would make bugged phone calls and intercepted
e-mails permissible in legal proceedings.
The government says the suggested changes are crucial in the battle
against terrorism and lawlessness.
But human rights experts and telecom specialists have expressed disquiet
over the proposals.
Stern measures
"They represent a fundamental breach of our right to
communicate," said telecoms expert Abu Sayed Khan.
"If they are enacted it will be a devastating blow for freedom of
speech and will turn the country into a police state.
"Bangladesh already has some of the most restrictive laws in
relation to internet and telephone access in the whole of Asia," Mr
Khan told BBC News Online.
Members of the public complained at the time it was easier to get a gun
license than a fax.
Likewise when the first mobile telephones were introduced in the late
1980s, it was necessary for subscribers to obtain "security
clearance" from the authorities before they could be used.
Mr Khan said the situation has deteriorated in recent days, and that
Bangladesh is one of the few countries in Asia where the right to
communicate is being so systematically violated.
"The worrying thing for businessmen in particular is that these
regulations make them far more vulnerable to industrial espionage and
blackmail," he said.
"For them the only consolation appears to be that the authorities
here do not seem to have the know-how to monitor calls made by roaming
cellphones or satellite telephones.
"But it is only a question of time before they do."
Fear of crime
The government has defended the proposals by arguing that crime has
soared so much in recent years that drastic action is necessary.
The Home Minister, Altaf Hossain Chowdhury, has said that improving law
and order was one of the government's top priorities and that no stone
would be left unturned in the fight against crime.
"If people are safer in their homes and safer on the streets as a
result of these measures then the government stands fully by them,"
said a Home Ministry spokesman.
"The right of people to be free from the fear of crime and terrorism
is more important than this small infringement of individual
liberties."
Ultimately only a relatively small number of people will be affected by
the proposals which are expected to come shortly before parliament.
Bangladesh has one of the lowest ratios of landline telephones per head
of population in the world. It is estimated to be around seven phones for
every 1000 people.
It is not uncommon for landline customers of the Bangladesh Telegraph and
Telecommunications Board to wait years before they get a connection.
Earlier this year Dhaka resident Mohammed Ismail hit the headlines when
he received a phone after waiting 27 years.
With up to half a million people still waiting to be connected, there are
not that many telephones and e-mails to bug.
*******************************
USA Today
VeriSign seeks advice on controversial new service
SAN FRANCISCO (Reuters) - VeriSign said Monday it would ask outside
experts to review its controversial new service that captures mistaken
Web searches after being hit with two lawsuits and opposition from the
body that oversees Internet policy.
VeriSign said it was creating a committee of "Internet leaders"
to advise it on technical matters although it planned to continue
offering its SiteFinder service, launched last week amid a firestorm of
protest from privacy advocates and rivals.
"We're not backing down, but we will work with others," said
VeriSign spokesman Tom Galvin.
VeriSign's new service, launched a week ago, takes searches for
".com" and ".net" Web addresses that are misspelled
or have not yet been registered and redirects them to a VeriSign Web page
that includes options and pay-for-placement topic links.
While VeriSign says it is offering a convenience for people who
previously received an error message, Internet users have cried foul,
claiming VeriSign is overstepping its authority and hijacking certain
common Web searches.
SiteFinder also interferes with anti-spam services that block e-mail from
non-existent domains, causing problems for network administrators,
critics say.
The Internet Corporation for Assigned Names and Numbers has asked
VeriSign to suspend its service until it can gather more information, and
the Internet Architecture Board, which advises ICANN, also opposes the
service, said ICANN spokeswoman Mary Hewitt.
ICANN is looking into its legal rights in the matter and reviewing
ICANN's contracts that allow VeriSign to serve as the keeper of the
master list for all Web addresses ending in ".com" and
".net," she said.
Two lawsuits filed
Last week, Netster.com, which provides a similar service, filed an
anti-trust lawsuit against VeriSign. Monday, VeriSign rival Go Daddy
Software said it also has sued, claiming VeriSign is misusing its
position to gain an unfair competitive advantage by intercepting and
profiting from Internet traffic.
SiteFinder is harming Go Daddy's business by allowing Internet users to
easily search for domain names in their browser without having to visit a
domain name registrar Web site, said Christine Jones, general counsel for
Go Daddy.
VeriSign declined to comment on the litigation.
Additionally, privacy advocates have stated that VeriSign may be
gathering an undue amount of information from users and could
conceivably gather private information about their Web-surfing habits or
even the contents of their e-mails to the company.
According to a story in PC World (pcworld.com), SiteFinder can collect
e-mail sent to nonexistent domains. (In the past, such messages would
have "bounced" to the sender without ever leaving the sender's
ISP.) Potentially, VeriSign could harvest the contents of such e-mail. A
company spokesman denied that it is in fact doing so.
And technologists have strongly criticized the method by which VeriSign's
system works. The SiteFinder system works by using "wildcards"
to figure out where sloppy typists might have meant to go online. That
approach, however, wreaks havoc with a number of naming conventions
already in place on the Net and could lead to even more
confusion.
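The wildcard mechanism and the anti-spam side effect described above, shown as an added illustration that is not part of the clipped article: a constructed in-memory zone stands in for the ".com" registry, a naive "does the sender's domain exist" check is fooled once a wildcard answers for every unregistered name, and a hardened check detects the synthesis by probing a random label and treating anything that resolves to the same address as non-existent. All zone data and addresses are constructed for the example.

```python
"""Simulated registry wildcard ("SiteFinder"-style) and its effect on a
sender-domain existence check.  Added illustration; the zone, resolver and
addresses below are constructed, not taken from the article or VeriSign."""
import secrets
import string

# Constructed ".com" zone: registered names plus an optional wildcard.
# Without the wildcard, a lookup of an unregistered name yields NXDOMAIN.
ZONE_COM = {
    "example.com": "192.0.2.10",    # documentation range, RFC 5737
    "usatoday.com": "192.0.2.20",
}
WILDCARD_ADDR = "198.51.100.1"      # constructed: where synthesized answers point


def resolve_a(name, zone, wildcard=None):
    """Return the A record for `name`, or None to represent NXDOMAIN.

    When `wildcard` is set, any unregistered name under the zone is
    answered with that address instead of NXDOMAIN (the wildcard effect)."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    if wildcard is not None and name.endswith(".com"):
        return wildcard
    return None


def sender_domain_exists_naive(domain, zone, wildcard=None):
    """Pre-wildcard anti-spam check: a sender domain that does not resolve
    is treated as forged.  Once a wildcard exists every unregistered domain
    resolves, so this check silently stops rejecting anything."""
    return resolve_a(domain, zone, wildcard) is not None


def _random_label(n=24):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def detect_wildcard(tld, zone, wildcard=None):
    """Probe the TLD with a random, almost certainly unregistered label.

    Returns the synthesized address if the registry answers for it, else
    None.  Callers can then treat any domain resolving to that address as
    non-existent."""
    probe = f"{_random_label()}.{tld}"
    return resolve_a(probe, zone, wildcard)


def sender_domain_exists_hardened(domain, zone, wildcard=None):
    """Existence check that survives wildcard synthesis.

    Caveat: a genuinely registered domain that points at the wildcard
    address would also be treated as non-existent."""
    synthesized = detect_wildcard(domain.rsplit(".", 1)[-1], zone, wildcard)
    addr = resolve_a(domain, zone, wildcard)
    if addr is None:
        return False
    return addr != synthesized
```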
Company response
In response to the complaints, VeriSign is creating a committee that will
be made up of a half dozen Internet leaders to be announced later this
week that will advise the company on technical aspects of the SiteFinder
service, Galvin said.
"The committee will be chartered with providing technical
information," he said. "But of course we will take seriously
whatever feedback they give us."
He declined to say whether the company would end the service if the
committee recommended that. "They are not there to give us a
recommendation. They are there to help us gather the information so we
can make the best long-term decisions about this service," he
added.
As a result of the service, VeriSign's site has had 65 million visits and
4 million to 7 million unique visitors per day, according to Galvin. He
would not provide any estimates of how much money the company is making
from the service.
No stranger to uproar
This is not the first time VeriSign has been embroiled in controversy.
VeriSign's Network Solutions business, which initially had a government
contract to register domains, was plagued for years with complaints that
it maintained a monopoly until ICANN allowed other companies to register
Web addresses as registrars.
VeriSign remains the registrar, or controller, of the database containing
the two most popular domains.
In recent years, VeriSign has backed off a marketing campaign after
competitors sued it for deceptive advertising and VeriSign's plan to
offer a waiting list for Web addresses was also stymied following a
backlash.
*******************************
USA Today
Report: Net piracy has five more years of growth
September 22, 2003
LONDON (Reuters) - The ever-expanding market for pirated music will
continue to haunt music executives for at least another five years,
outstripping growth for the industry's own fledgling online businesses, a
new study said on Monday.
The report by Informa Media said global Internet music sales, which
includes sales of CDs from retail Web sites such as Amazon.com and song
downloads from services such as Apple Computer's iTunes, will reach $3.9
billion by 2008, up from $1.1 billion in 2002.
But the value of lost sales due to CD-burning and downloading free songs
off so-called peer-to-peer networks such as Grokster and Kazaa will rise
to $4.7 billion in the same period from $2.4 billion this year, the
British research firm said.
"The reason we're so downbeat is we think the peer-to-peer problem
is going to only get worse. In 2008, broadband will be prevalent around
the world," said Simon Dyson, the report's author.
The roll-out of faster broadband connections has made it more convenient
for Internet users to download free music off the Web. Millions of
Internet users around the globe regularly log on to the peer-to-peer
network to obtain all manners of copyright-protected materials from
Eminem songs to films.
The industry has responded with fee-based download services of its own,
but consumer uptake has been slow.
This one-step-forward-two-steps-back scenario is hardly comforting for
the major music labels which blame Net piracy for triggering a sharp
decline in global music sales in the past three years.
Dyson said a host of Internet file-sharing services are now beginning to
appear in languages such as Russian and Chinese, potentially dashing the
industry's hopes of building a loyal customer base in these emerging
markets.
"This is where the industry's growth is supposed to come from,"
Dyson said.
On a positive note, online sales will account for nearly 12% of the
entire global music market by 2008, up from 4.5% this year. The larger
share is due to the industry's recent push to make more products
available for download.
It's a rare bit of promising news for an industry that's been ravaged by
new technologies.
The music trade body, the International Federation of Phonographic
Industry (IFPI), reported in July that the sale of pirated compact discs,
a problem that has dogged the industry for the past decade, has more
than doubled in the past three years as costs of CD-burning devices
plummet.
The IFPI represents scores of independent and major music labels
including EMI, Sony Music, Warner Music, Universal Music, and
Bertelsmann's BMG.
*******************************
Federal Computer Week
In worm war, feds fight the clock
Worms coming faster; patching pace not keeping up
BY Diane Frank
Sept. 22, 2003
Worms are appearing more frequently than ever, but patches are not
keeping pace, federal officials warned.
Agencies are using many solutions to patch their systems and networks
against security vulnerabilities, they said, but it's tough to keep up
because the time between vulnerability discovery and exploitation keeps
getting shorter.
In the past two years, the cycle has shrunk from months to weeks, said
Robert Dacey, director of information security at the General Accounting
Office. Worse yet, the number of security vulnerabilities discovered in
software is increasing every month, he said, testifying Sept. 10 before
the House Government Reform Committee's Technology, Information Policy,
Intergovernmental Relations and the Census Subcommittee.
Vendors usually make patches quickly available once someone has
discovered a vulnerability, but it takes time for agencies to test and
apply those patches on their thousands of systems. "Given these
increasing risks, effective patch management systems have become
critical," Dacey said.
Most agencies, for example, applied the patch for the vulnerability in
several of Microsoft Corp.'s operating systems that the Blaster worm and
its variant attacked last month, just three weeks after the patch was
released. But the worm affected approximately 1,000 systems, slowing down
federal e-mail systems and occasionally taking down networks, said Norm
Lorentz, chief technology officer at the Office of Management and Budget.
This was one of the quickest exploitations of a known vulnerability,
experts said.
At this point, 47 agencies have signed up to use the Federal Computer
Incident Response Center's Patch Authentication and Dissemination
Capability, said Larry Hale, director of FedCIRC, which is now part of
the Homeland Security Department's National Cyber Security
Division.
Many of those agencies are still testing the service, which pushes out
notices of security patches based on each agency's submitted
infrastructure profile, he said.
"By automating the process, agencies will no longer have the burden
of having to manually apply patches, which will enable them more time to
focus on building a more robust configuration management program,"
he said.
Other agencies use other solutions, and some use both the FedCIRC service
and a commercial solution, Lorentz said.
"There are different approaches; we do not dictate which method they
use," he said. However, "there can be variation in the tools,
but there cannot be variation in the expected outcome," which is
that agencies apply patches before an attack.
Because the majority of vulnerabilities continue to exist because of
basic flaws in commercial software, industry is also developing a process
to discover vulnerabilities and notify vendors. The goal is to develop
patches before someone with malicious intent finds the hole and publishes
the details for anyone to exploit.
In July, the Organization for Internet Safety, a group of security
researchers, security companies and other software vendors, published
guidelines for reporting software flaws and for vendors to respond to the
reports.
Cooperation between vendors and users has been growing during the past
few years, and FedCIRC, and now the cybersecurity division, are often
involved in remediation and response discussions in the early stages of a
vulnerability's cycle.
Once a patch is available, agencies are required by OMB and the Federal
Information Security Management Act of 2002 to report through FedCIRC on
their patch-application status, but there is no automatic reporting
process, Lorentz pointed out to the subcommittee.
There is also no way for FedCIRC officials to automatically determine
anything beyond how many times a patch has been downloaded through the
dissemination capability, and that is not a good metric because a single
patch can be used for thousands of systems, Hale said.
"You can't tell how many computers have been inoculated by a single
download, but it's the best thing we've got," he said.
*******************************
Federal Computer Week
Feds should boost IT research, report says
BY Randall Edwards
Sept. 22, 2003
The federal government's support of information technology research is
"essential" and must be raised to meet the growing challenges
researchers face, according to a new report from the National Academies'
Computer Science and Telecommunications Board.
The report, released by the National Academies today, states that
agencies such as the National Science Foundation and the Defense Advanced
Research Projects Agency must play larger roles in IT research and must
have the government's support to sustain a broad scope of
research.
While touting the United States as the international leader in IT, the
report calls for an increase in federal funding. Agencies must
"adjust their strategies and tactics as national needs and
imperatives change," the board states.
The focus of IT research must align with national needs, the report says.
Homeland security, an increase in commodity IT products and a growing
dependence of economic and social activity on networking and computer
capabilities are shaping the approach to federally funded computer
research, according to the report.
Government support for IT research should complement industrial research,
the board said. Federal sponsorship of university-based research programs
must also continue in order to develop an IT talent base to support
future growth in both government and industrial research.
Other federal agencies that provide funding for IT research include NASA,
the Energy Department, the National Institutes of Health, and parts of
the Defense Department in addition to DARPA.
*******************************
Federal Computer Week
NIST issues security drafts
BY Diane Frank
Sept. 22, 2003
The National Institute of Standards and Technology last week released
drafts of two security publications to help agencies define the levels of
security necessary for different types of information systems and
establish or fine-tune processes for handling security incidents.
The final draft of Federal Information Processing Standard (FIPS) 199,
"Standards for Security Categorization of Federal Information and
Information Systems," is the first step in a series of standards,
guidelines and requirements mandated under the Federal Information
Security Management Act (FISMA) of 2002. The standard, released Sept. 17,
outlines ways to link different types of federal information and systems,
and the risks each faces. NIST will later tie this to guidance for the
appropriate level of security, depending on the assigned level of
risk.
The standard focuses on three security areas for information and systems:
confidentiality, integrity and availability. It then defines three levels
of potential impact on organizations or individuals if any of those
security areas are compromised.
Assigning a level of risk is not a clear-cut process, because it must be
considered in the context of each agency, states the draft, which
includes several examples of how to apply the three security areas and
three impact levels. The document, for instance, discusses the difference
between a system that needs high availability but holds information that
needs only low confidentiality measures, and a system that can be offline
for a period of time, but needs both high confidentiality and integrity
for its information.
The institute on Sept. 15 released a draft of the Computer Security
Incident Handling Guide (Special Publication 800-61), intended to help
agencies meet a FISMA requirement to establish some level of incident
handling capability and report to the Office of Management and Budget and
the Federal Computer Incident Response Center (FedCIRC).
Incident Response Centers are receiving a lot of attention now because of
the number and severity of recent attacks, such as the Blaster worm and
SoBig.F virus that surfaced last month. Many agencies already have such
capabilities, but the latest guide is designed to help existing and new
organizations.
It outlines best practices within a response center, common policies to
work with outside partners, and examples of how a response center fits
within an agency's larger technology and policy structure.
The guidance is designed for the chief information officers and their
security staffs, and details sharing information, addressing morale
issues, the benefits and pitfalls of having an employee-staffed response
center or one that is partially outsourced, and other issues.
Comments on the draft guidance may be sent to NIST by Oct. 15 at
IncidentHandlingPub800-61@xxxxxxxx.
*******************************
Government Computer News
09/23/03
NOAA protects Web servers from user surge accompanying Isabel
By William Jackson
The National Oceanic and Atmospheric Administration's Web site
experienced a dramatic increase in visitors last week as Hurricane Isabel
approached the East Coast.
Visitors looking for information about the storm's location and predicted
track pushed traffic to as many as 9 million hits per hour, up from a
typical average of less than 2 million per day.
"It's critical that this site be fully operational at all times," said
Gary Falk, NOAA's director of IT and telecom operations.
But by Friday, Sept. 12, as Isabel was bearing down on the East Coast,
the agency's main site was experiencing performance problems from the
traffic surge. It turned to Akamai Technologies Inc. of Cambridge, Mass.,
to manage content delivery through its EdgeSuite network of servers.
"We had been in discussions with [NOAA] for quite some time," said Keith
Johnson, Akamai's vice president for public-sector operations. By the
weekend before the hurricane's landfall, the situation had become
critical.
"This information needed to get out," Johnson said. The alternative to
using Akamai's content delivery "would be to go down. They couldn't
handle the volume."
The service was deployed over the weekend, redirecting visitor requests
to Akamai's Domain Name System server, which sends them to a caching
server at the Internet's edge. A set of metadata rules for building Web
pages from dynamic content on NOAA servers was developed. The EdgeSuite
service polls host servers only for dynamic or updated data, reducing
workload and improving availability.
By Monday morning, four sites (www.noaa.gov, www.nhc.noaa.gov,
www.noaanews.noaa.gov and sdd.noaa.gov) were being accessed through the
EdgeSuite system of 15,000 servers on 11,000 networks in 70 countries.
The reliance on Akamai for content delivery is becoming fairly common
within government.
The White House Web site began using the service in July 2002 following
Code Red worm attacks there. The FBI began using it on Sept. 11, 2001,
and the Centers for Disease Control and Prevention followed suit after
the anthrax attacks the next month.
*******************************
Government Executive
September 18, 2003
Homeland Security misses reporting deadlines
By Greta Wodele, CongressDaily
The Homeland Security Department has missed deadlines set by the House
Appropriations Committee to assess the cost, scope and timetable for
technology-related projects, according to committee aides. The deadlines
are part of the legislation that would fund the department in fiscal
2004.
A division of Homeland Security in charge of assessing threats to the
nation's infrastructure missed two deadlines last month set by the panel:
an Aug. 1 deadline for a report on special authority that the division
needs to hire additional intellectual and cybersecurity analysts and an
Aug. 30 deadline to report on the current number of analysts the unit
employs.
The department also missed an Aug. 15 deadline on security standards for
containers that store classified information and materials, and failed to
report by Sept. 1 on the cost and scope of protecting intellectual
property rights related to pirated or counterfeit products used to fund
terrorist groups.
Homeland Security Appropriations ranking member Martin Olav Sabo,
D-Minn., criticized the agency for failing to turn over the
data.
"With its unwillingness or inability to provide detailed budget and
policy information, the [department] hinders our ability to accurately
assess and fund our nation's homeland security needs," said
Sabo.
A Congressional Research Service analyst added that a new agency is
difficult for an oversight panel to monitor.
"The committee in its oversight function for a newly emerging agency
wants to make sure that it has the best information available to it, as
it determines the appropriate levels of funding for each account,"
the CRS analyst said.
A committee aide said the panel included some of the deadlines in its
report on the bill in order to obtain information that the department
failed to include in its budget request. It wants the data for a
House-Senate conference to negotiate the final legislation.
A committee spokesman said appropriators would like to finish action on
the measure this month.
Brian Roehrkasse, a department spokesman, declined to explain why the
agency has missed the deadlines or the status of the reports, saying that
the timetables are not binding because the bill has not been enacted yet.
Roehrkasse also said the department has "already provided massive
amounts of information to the Appropriations Committee."
Another aide on the panel said it is not unusual for agencies to miss
congressional deadlines, but they do so at their peril. Last year, the
Appropriations panel penalized the Coast Guard with a fine for failing to
submit its long-term financial plan, the aide added.
The committee also requested a report from the Transportation Security
Administration on its plan for installing additional explosive-detection
systems at airports. The report was due Sept. 1. A TSA spokesman said it
submitted the report to the panel, but calls to the committee to confirm
that it was received were not returned.
The committee also has outlined several deadlines in the coming months
and into 2004 for reports on a wireless communications system and
radiation-detection technology, among other departmental programs.
*******************************