Interesting People mailing list archives

IP: CRYPTO-GRAM, June 15, 2002


From: Dave Farber <dave () farber net>
Date: Sat, 15 Jun 2002 09:06:55 -0400


------ Forwarded Message
From: Bruce Schneier <schneier () counterpane com>

                  CRYPTO-GRAM

                  June 15, 2002

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier () counterpane com
          <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.

Back issues are available at
<http://www.counterpane.com/crypto-gram.html>.  To subscribe, visit
<http://www.counterpane.com/crypto-gram.html> or send a blank message to
crypto-gram-subscribe () chaparraltree com.

Copyright (c) 2002 by Counterpane Internet Security, Inc.


** *** ***** ******* *********** *************

In this issue:
      Fixing Intelligence Failures
      Crypto-Gram Reprints
      News
      Counterpane News
      More on Secrecy and Security
      Comments from Readers


** *** ***** ******* *********** *************

          Fixing Intelligence Failures



Could the intelligence community have connected the dots?  Why didn't
anyone connect the dots?  How can we make sure we connect the dots next
time?  Dot connecting is the metaphor of the moment in Washington, as the
various politicians scramble to make sure that 1) their pet ideas for
improving domestic security are adopted, and 2) they don't get blamed for
any dot connection failures that could have prevented 9/11.

Unfortunately, it's the wrong metaphor.  We all know how to connect the
dots.  They're right there on the page, and they're all numbered.  All you
have to do is move your crayon from one dot to another, and when you're
done you've drawn a lion.  It's so easy a three-year-old could do it;
what's wrong with the FBI and the CIA?

The problem is that the dots can only be numbered after the fact.  With the
benefit of hindsight, it's easy to draw lines from people in flight school
here, to secret meetings in foreign countries there, over to interesting
tips from foreign governments, and then to INS records.  Before 9/11 it's
not so easy.  Rather than thinking of intelligence as a simple
connect-the-dots picture, think of it as a million unnumbered pictures
superimposed on top of each other.  Or a random-dot stereogram.  Is it a
lion, a tree, a cast iron stove, or just an unintelligible mess of
dots?  You try and figure it out.

This isn't to say that the United States didn't have some spectacular
failures in analysis leading up to 9/11.  Way back in the 30 September 2001
issue of Crypto-Gram, I wrote: "In what I am sure is the mother of all
investigations, the CIA, NSA, and FBI have uncovered all sorts of data from
their files, data that clearly indicates that an attack was being
planned.  Maybe it even clearly indicates the nature of the attack, or the
date.  I'm sure lots of information is there, in files, intercepts,
computer memory."  I was guessing there.  It seems that there was more than
I thought.

Given the bits of information that have been discussed in the press, I
would have liked to think that we could have prevented this one, that there
was a single Middle Eastern Terrorism desk somewhere inside the
intelligence community whose job it was to stay on top of all of this.  It
seems that we couldn't, and that there wasn't.  A budget issue, most likely.

Still, I think the "whose fault is it?" witch hunt is a bit much.  Not that
I mind seeing George Bush on the defensive.  I've gotten sick of his "we're
at war, and if you criticize me you're being unpatriotic" nonsense, and I
think the enormous damage John Ashcroft has done to our nation's freedoms
and liberties will take a generation and another Warren Court to fix.  But
all this finger-pointing between the CIA and FBI is childish, and I'm
embarrassed by the Democrats who are pushing through their own poorly
thought out security proposals so they're not viewed in the polls as being
soft on terrorism.

My preference is for less politics and more intelligent discussion.  And
I'd rather see the discussion center on how to improve things for next
time, rather than on who gets the blame for this time.  So, in the spirit
of bipartisanship (there are plenty of nitwits in both parties), here are
some points for discussion:

1.  It's not about data collection; it's about data analysis.  Again from
the 30 September 2001 issue of Crypto-Gram: "Demands for even more
surveillance miss the point.  The problem is not obtaining data, it's
deciding which data is worth analyzing and then interpreting it.  Everyone
already leaves a wide audit trail as we go through life, and law
enforcement can already access those records with search warrants [and
subpoenas].  The FBI quickly pieced together the terrorists' identities and
the last few months of their lives, once they knew where to look.  If they
had thrown up their hands and said that they couldn't figure out who did it
or how, they might have a case for needing more surveillance data.  But
they didn't, and they don't."

2.  Security decisions need to be made as close to the source as
possible.  This has all sorts of implications: airport X-ray machines
should be right next to the departure gates, like they are in some European
airports; bomb target decisions should be made by the generals on the
ground in the war zone, not by some bureaucrat in Washington; and
investigation approvals should be granted by the FBI office that's closest to
the investigation.  This mode of operation has more opportunities for
abuse, so oversight is vital.  But it is also more robust, and the best way
to make things work.  (The U.S. Marine Corps understands this principle;
it's the heart of their chain of command rules.)

3.  Data correlation needs to happen as far away from the sources as
possible.  Good intelligence involves finding meaning amongst enormous
reams of irrelevant data, and then organizing all those disparate pieces of
information into coherent predictions about what will happen next.  It
requires smart people who can see connections, and access to information
from many different branches of government.  It can't be done by the various
individual pieces of bureaucracy, whether it be the CIA, FBI, NSA, INS,
Coast Guard, etc.  The whole picture is larger than any of them, and each
one only has access to a small piece.

4.  Intelligence and law enforcement have fundamentally different
missions.  The FBI's model of operation -- investigation of past crimes --
does not lend itself to an intelligence paradigm: prediction of future
events.  On the other hand, the CIA is prohibited by law from spying on
citizens.  Expecting the FBI to become a domestic CIA is a terrible idea;
the missions are just too different and that's too much power to
consolidate under one roof.  Turning the CIA into a domestic intelligence
agency is an equally terrible idea; the tactics that they regularly use
abroad are unconstitutional here.

5.  Don't forget old-fashioned intelligence gathering.  Enough with the
Echelon-like NSA programs where everything and anything gets sucked into an
enormous electronic maw, never to be looked at again.  Lots of Americans
managed to become part of Al Qaeda (a 20-year-old Californian did it, for
crying out loud); why weren't any of them feeding intelligence to the
CIA?  Get out in the field and do your jobs.

6.  Organizations with investigative powers require constant oversight.  If
we want to formalize a domestic intelligence agency, we are going to need
to be very careful about how we do it.  Many of the checks and balances
that Ashcroft is discarding were put in place to prevent abuse.  And abuse
is rampant -- at the federal, state, and local levels.  Just because
everyone is feeling good about the police today doesn't mean that things
won't change in the future.  They always do.

7.  Fundamental changes in how the United States copes with domestic
terrorism require, um, fundamental changes.  Much as the Bush
Administration would like to ignore the constitutional issues surrounding
some of their proposals, those issues are real.  Much of what the Israeli
government does to combat terrorism in its country, even some of what the
British government does, is unconstitutional in the United
States.  Security is never absolute; it always involves tradeoffs.  If
we're going to institute domestic passports, arrest people in secret and
deny them any rights, place people with Arab last names under continuous
harassment, or methodically track everyone's financial dealings, we're
going to have to rewrite the Constitution.  At the very least, we need to
have a frank and candid debate about what we're getting for what we're
giving up.  People might want to live in a police state, but let them at
least decide willingly to live in a police state.  My opinion has been that
it is largely unnecessary to trade civil liberties for security, and that
the best security measures -- reinforcing the airplane cockpit door,
putting barricades and guards around important buildings, improving
authentication for telephone and Internet banking -- have no effect on
civil liberties.  Broad surveillance is a mark of bad security.

All in all, I'm not sure how the Department of Homeland Security is going
to help with any of this.  Taking a bunch of ineffectual little
bureaucracies and lumping them together into a single galumptious
bureaucracy doesn't seem like a step in the right direction.  Leaving the
FBI and CIA out of the mix -- the largest sources of both valuable
information and turf-based problems -- doesn't help, either.  And if the
individual organizations squabble and refuse to share information,
reshuffling the chain of command isn't really going to make any difference
-- it'll just add needless layers of management.  And don't forget the $37
billion this is all supposed to cost, assuming there aren't the usual
massive cost overruns.  Couldn't we better spend that money teaching Arabic
to case officers, hiring investigators, and doing various things that
actually will make a difference?

The problems are about politics and policy, and not about form and
structure.  Fix the former, and fixing the latter becomes easy.  Change the
latter without fixing the former, and nothing will change.

I'm not denying the need for some domestic intelligence capability.  We
need something to respond to future domestic threats.  I'm not happy with
this conclusion, but I think it may be the best of a bunch of bad
choices.  Given this, the thing to do is make sure we approach that choice
correctly, paying attention to constitutional protections, respecting
privacy and civil liberty, and minimizing the inevitable abuses of power.

My original articles:
<http://www.counterpane.com/crypto-gram-0109a.html#4>
<http://www.counterpane.com/crypto-gram-0109a.html#8>

------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

