Date : July 28, 1999
Title : U.S. Drafting Plan for Computer Monitoring System
Author : John Markoff
Source : New York Times (Technology)
The Clinton Administration has developed a plan for an extensive computer monitoring system, overseen by the Federal Bureau of Investigation, to protect the nation's crucial data networks from intruders.

The plan, an outgrowth of the Administration's anti-terrorism program, has already raised concerns from civil liberties groups.

A draft prepared by officials at the National Security Council last month, which was provided to The New York Times by a civil liberties group, calls for a sophisticated software system to monitor activities on nonmilitary Government networks and a separate system to track networks used in crucial industries like banking, telecommunications and transportation.

The effort, whose details are still being debated within the Administration, is intended to alert law enforcement officials to attacks that might cripple Government operations or the nation's economy.

But because of the increasing power of the nation's computers and their emerging role as a backbone of the country's commerce, politics and culture, critics of the proposed system say it could become a building block for a surveillance infrastructure with great potential for misuse.

They also argue that such a network of monitoring programs could itself be open to security breaches, giving intruders or unauthorized users a vast window into Government and corporate computer systems.

Government officials said the changing nature of military threats in the information age had altered the nature of national security concerns and created a new sense of urgency to protect the nation's information infrastructure.

"Our concern about an organized cyberattack has escalated dramatically," Jeffrey Hunker, the National Security Council's director of information protection, who is overseeing the plan, said Tuesday. "We do know of a number of hostile foreign governments that are developing sophisticated and well-organized offensive cyber attack capabilities, and we have good reason to believe that terrorists may be developing similar capabilities."

As part of the plan, networks of thousands of software monitoring programs would constantly track computer activities looking for indications of computer network intrusions and other illegal acts.

The plan calls for the creation of a Federal Intrusion Detection Network, or Fidnet, and specifies that the data it collects will be gathered at the National Infrastructure Protection Center, an interagency task force housed at the Federal Bureau of Investigation.

Such a system, to be put fully in place by 2003, is meant to permit Government security experts to track "patterns of patterns" of information and respond in a coordinated manner against intruders and terrorists.

The plan focuses on monitoring data flowing over Government and national computer networks. That means the systems would potentially have access to computer-to-computer communications like electronic mail and other documents, computer programs and remote log-ins.

But an increasing percentage of network traffic, like banking and financial information, is routinely encrypted and would not be visible to the monitor software. Government officials argue that they are not interested in eavesdropping, but rather are looking for patterns of behavior that suggest illegal activity.

Over the last three years, the Pentagon has begun to string together entire network surveillance systems using filters that report data to a central site, much as a burglar alarm might be reported at the local police station.

Officials said such a system might have protected against intrusions recently reported in computers at the Bureau of Labor Statistics, which produces information like the consumer price index that can affect the performance of the stock market.

The draft of the plan, which has been circulated widely within the executive branch, has generated concern among some officials over its privacy implications. Several officials involved in the debate over the plan said that the situation was "fluid" and that many aspects were still not final.

The report is vague on several crucial points, including the kinds of data to be collected and the specific Federal and corporate computer networks to be monitored. The report also lacks details about the ways information collected in non-Governmental agencies would be maintained and under what conditions it would be made available to law enforcement personnel.

Government officials said that the National Security Council was conducting a legal and technical review of the plan and that a final version is to be released in September, subject to President Clinton's approval.

The plan was created in response to a Presidential directive in May 1998 requiring the Executive Branch to review the vulnerabilities of the Federal Government's computer systems in order to become a "model of information and security."

In a cover letter to the draft Clinton writes: "A concerted attack on the computers of any one of our key economic sectors or Governmental agencies could have catastrophic effects."

But the plan strikes at the heart of a growing controversy over how to protect the nation's computer systems while also protecting civil liberties -- particularly since it would put a new and powerful tool into the hands of the F.B.I.

Increasingly, data flowing over the Internet is becoming a vital tool for law enforcement, and civil liberties experts said law enforcement agencies would be under great temptation to expand the use of the information in pursuit of suspected criminals.

The draft of the plan "clearly recognizes the civil liberties implications," said James X. Dempsey, staff counsel for the Center for Democracy and Technology, a Washington civil liberties group. "But it brushes them away."

The draft states that because Government employees, like those of many private companies, must consent to the monitoring of their computer activities, "the collection of certain data identified as anomalous activity or a suspicious event would not be considered a privacy issue."

Dempsey conceded the legal validity of the point, but said there was tremendous potential for abuse.

"My main concern is that Fidnet is an ill-defined monitoring system of potentially broad sweep," he said. "It seems to place monitoring and surveillance at the center of the Government's response to a problem that is not well suited to such measures."

The Federal Government is making a concerted effort to insure that civil liberties and privacy rights are not violated by the plan, Hunker said.

He said that data gathered from non-Government computer networks will be collected separately from the F.B.I.-controlled monitoring system at a separate location within a General Services Administration building. He said that was done to keep non-Government data at arm's length from law enforcement.

The plan also has drawn concern from civil libertarians because it blends civilian and military functions in protecting the nation's computer networks. The draft notes that there is already a Department of Defense "contingent" working at the F.B.I.'s infrastructure protection center to integrate intelligence, counterintelligence and law enforcement efforts in protecting Pentagon computers.

"The fight over this could make the fight over encryption look like nothing," said Mary Culnan, a professor at Georgetown University who served on a Presidential commission whose work led to the May 1998 directive on infrastructure protection.

"The conceptual problem is that there are people running this program who don't understand how citizens feel about privacy in cyberspace."

The Government has been discussing the proposal widely with a number of industry security committees and associations in recent months.

Several industry executives said there is still reluctance on the part of industry to directly share information on computer intrusions with law enforcement.

"They want to control the decision making process," said Mark Rasch, vice president and general counsel of Global Integrity, a company in Reston, Va., coordinating computer security for the financial services industries.

One potential problem in carrying out the Government's plan is that intrusion-detection software technology is still immature, industry executives said.

Current systems tend to generate false alarms and thus require many skilled operators.

"The commercial intrusion detection systems are not ready for prime time," said Peter Neumann, a computer scientist at SRI International in Menlo Park, Calif., and a pioneer in the field of intrusion detection systems.

But a significant portion of the $1.4 billion the Clinton Administration has requested for computer security for fiscal year 2000 is intended to be spent on research, and Government officials said they were hopeful that the planned effort would be able to rely on automated detection technologies and on artificial intelligence capabilities.

For several years computer security specialists have used software variously known as packet filters, or "sniffers," as monitoring devices to track computer intruders. Like telephone wiretaps, such tools can be used to reconstruct the activities of a computer user as if a videotape were made of his computer display.

At the same time, however, the software tools are routinely misused by illicit computer network users in stealing information such as passwords or other data.

Commercial vendors are beginning to sell monitoring tools that combine packet filtering with more sophisticated and automated intrusion detection software that tries to detect abuse by looking for behavior patterns or certain sequences of commands.