Friday, February 29, 2008
Privacy question on cyber security plan
Congress worries that .gov monitoring will spy on Americans
House lawmakers yesterday raised concerns about the privacy implications of a Bush administration effort to secure federal computer networks from hackers and foreign adversaries, as new details emerged about the largely classified program.
Einstein, which DHS calls an "early warning system" for cyber-incidents, is described in a Homeland Security document from September 2004 as "an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government." It's still only in place at 15 federal agencies, but Homeland Security Secretary Michael Chertoff is requesting $293.5 million from Congress in next year's budget to roll it out government-wide.
The round-the-clock system captures traffic flow data, which currently includes source and destination IP addresses and ports, Internet Control Message Protocol data, and the length of data packets. According to an internal 2004 privacy impact assessment (PDF), "the program is not intended to collect information that will be retrieved by name or personal identifier." Members of the U.S. Computer Emergency Readiness Team, which coordinates federal responses to cyber attacks, analyze the downloaded records once per day in hopes of detecting worms and other "anomalous activity," pinpointing trends, and advising agencies on how best to configure their systems.
At a hearing convened here Thursday by the U.S. House of Representatives Homeland Security Committee, politicians directed pointed questions to Department of Homeland Security officials about their plans to expand an existing "intrusion detection" system known as Einstein. Among other things, the system will monitor visits by Americans--and foreigners--to .gov Web sites.
The unclassified portions of the project, known as the "cyber initiative," focus on drastically reducing the number of connections between federal agency networks and the Internet, and more closely monitoring those networks for malicious activity. Slightly more than half of all agencies have deployed the Department of Homeland Security's program.
But administration officials have not said how far monitoring would go, and whether oversight would extend to networks operated by state, local, and private sector entities, including government defense contractors.
More real-time scrutiny of federal data flows is necessary because "our adversaries are very adept at hiding their attacks in normal everyday traffic," DHS Undersecretary Robert Jamison told the House Homeland Security Committee yesterday. He added that DHS is developing a privacy impact assessment on the new capabilities, which will be open to public review upon completion.
Some Democrats on the oversight panel were not assuaged by the administration's testimony. Rep. Bob Etheridge (D-N.C.) said he remained concerned about the program's impact on the privacy of his constituents. "It looks a little like the fox is guarding the hen house," he said.
But Jim Lewis, director of the technology arm of the Center for Strategic and International Studies, a Washington think tank, called the privacy concerns premature and overblown.
"There's a big difference between intercepting and reading e-mail and reacting to suspicious traffic going across your network," said Lewis, whose employer is working with Congress and the private sector on a set of cyber security policy recommendations for the next president.