Interesting People mailing list archives
IP: CRYPTO-GRAM, June 15, 2002
From: Dave Farber <dave () farber net>
Date: Sat, 15 Jun 2002 09:06:55 -0400
------ Forwarded Message From: Bruce Schneier <schneier () counterpane com> CRYPTO-GRAM June 15, 2002 by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc. schneier () counterpane com <http://www.counterpane.com> A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available at <http://www.counterpane.com/crypto-gram.html>. To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe () chaparraltree com. Copyright (c) 2002 by Counterpane Internet Security, Inc. ** *** ***** ******* *********** ************* In this issue: Fixing Intelligence Failures Crypto-Gram Reprints News Counterpane News More on Secrecy and Security Comments from Readers ** *** ***** ******* *********** ************* Fixing Intelligence Failures Could the intelligence community have connected the dots? Why didn't anyone connect the dots? How can we make sure we connect the dots next time? Dot connecting is the metaphor of the moment in Washington, as the various politicians scramble to make sure that 1) their pet ideas for improving domestic security are adopted, and 2) they don't get blamed for any dot connection failures that could have prevented 9/11. Unfortunately, it's the wrong metaphor. We all know how to connect the dots. They're right there on the page, and they're all numbered. All you have to do is move your crayon from one dot to another, and when you're done you've drawn a lion. It's so easy a three-year-old could do it; what's wrong with the FBI and the CIA? The problem is that the dots can only be numbered after the fact. With the benefit of hindsight, it's easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from foreign governments, and then to INS records. Before 9/11 it's not so easy. Rather than thinking of intelligence as a simple connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Or a random-dot stereogram. Is it a lion, a tree, a cast iron stove, or just an unintelligible mess of dots? You try and figure it out. This isn't to say that the United States didn't have some spectacular failures in analysis leading up to 9/11. Way back in the 30 September 2001 issue of Crypto-Gram, I wrote: "In what I am sure is the mother of all investigations, the CIA, NSA, and FBI have uncovered all sorts of data from their files, data that clearly indicates that an attack was being planned. Maybe it even clearly indicates the nature of the attack, or the date. I'm sure lots of information is there, in files, intercepts, computer memory." I was guessing there. It seems that there was more than I thought. Given the bits of information that have been discussed in the press, I would have liked to think that we could have prevented this one, that there was a single Middle Eastern Terrorism desk somewhere inside the intelligence community whose job it was to stay on top of all of this. It seems that we couldn't, and that there wasn't. A budget issue, most likely. Still, I think the "whose fault is it?" witch hunt is a bit much. Not that I mind seeing George Bush on the defensive. I've gotten sick of his "we're at war, and if you criticize me you're being unpatriotic" nonsense, and I think the enormous damage John Ashcroft has done to our nation's freedoms and liberties will take a generation and another Warren Court to fix. But all this finger-pointing between the CIA and FBI is childish, and I'm embarrassed by the Democrats who are pushing through their own poorly thought out security proposals so they're not viewed in the polls as being soft on terrorism. My preference is for less politics and more intelligent discussion. And I'd rather see the discussion center on how to improve things for next time, rather than on who gets the blame for this time. So, in the spirit of bipartisanship (there are plenty of nitwits in both parties), here are some points for discussion: 1. It's not about data collection; it's about data analysis. Again from the 30 September 2001 issue of Crypto-Gram: "Demands for even more surveillance miss the point. The problem is not obtaining data, it's deciding which data is worth analyzing and then interpreting it. Everyone already leaves a wide audit trail as we go through life, and law enforcement can already access those records with search warrants [and subpoenas]. The FBI quickly pieced together the terrorists' identities and the last few months of their lives, once they knew where to look. If they had thrown up their hands and said that they couldn't figure out who did it or how, they might have a case for needing more surveillance data. But they didn't, and they don't." 2. Security decisions need to be made as close to the source as possible. This has all sorts of implications: airport X-ray machines should be right next to the departure gates, like they are in some European airports; bomb target decisions should be made by the generals on the ground in the war zone, not by some bureaucrat in Washington; and investigation approvals should be granted the FBI office that's closest to the investigation. This mode of operation has more opportunities for abuse, so oversight is vital. But it is also more robust, and the best way to make things work. (The U.S. Marine Corps understands this principle; it's the heart of their chain of command rules.) 3. Data correlation needs to happen as far away from the sources as possible. Good intelligence involves finding meaning amongst enormous reams of irrelevant data, and then organizing all those disparate pieces of information into coherent predictions about what will happen next. It requires smart people who can see connections, and access to information from many different branches of government. It can't be by the various individual pieces of bureaucracy, whether it be the CIA, FBI, NSA, INS, Coast Guard, etc. The whole picture is larger than any of them, and each one only has access to a small piece. 4. Intelligence and law enforcement have fundamentally different missions. The FBI's model of operation -- investigation of past crimes -- does not lend itself to an intelligence paradigm: prediction of future events. On the other hand, the CIA is prohibited by law from spying on citizens. Expecting the FBI to become a domestic CIA is a terrible idea; the missions are just too different and that's too much power to consolidate under one roof. Turning the CIA into a domestic intelligence agency is an equally terrible idea; the tactics that they regularly use abroad are unconstitutional here. 5. Don't forget old-fashioned intelligence gathering. Enough with the Echelon-like NSA programs where everything and anything gets sucked into an enormous electronic maw, never to be looked at again. Lots of Americans managed to become part of Al Qaeda (a 20-year-old Californian did it, for crying out loud); why weren't any of them feeding intelligence to the CIA? Get out in the field and do your jobs. 6. Organizations with investigative powers require constant oversight. If we want to formalize a domestic intelligence agency, we are going to need to be very careful about how we do it. Many of the checks and balances that Ashcroft is discarding were put in place to prevent abuse. And abuse is rampant -- at the federal, state, and local levels. Just because everyone is feeling good about the police today doesn't mean that things won't change in the future. They always do. 7. Fundamental changes in how the United States copes with domestic terrorism requires, um, fundamental changes. Much as the Bush Administration would like to ignore the constitutional issues surrounding some of their proposals, those issues are real. Much of what the Israeli government does to combat terrorism in its country, even some of what the British government does, is unconstitutional in the United States. Security is never absolute; it always involved tradeoffs. If we're going to institute domestic passports, arrest people in secret and deny them any rights, place people with Arab last names under continuous harassment, or methodically track everyone's financial dealings, we're going to have to rewrite the Constitution. At the very least, we need to have a frank and candid debate about what we're getting for what we're giving up. People might want to live in a police state, but let them at least decide willingly to live in a police state. My opinion has been that it is largely unnecessary to trade civil liberties for security, and that the best security measures -- reinforcing the airplane cockpit door, putting barricades and guards around important buildings, improving authentication for telephone and Internet banking -- have no effect on civil liberties. Broad surveillance is a mark of bad security. All in all, I'm not sure how the Department of Homeland Security is going to help with any of this. Taking a bunch of ineffectual little bureaucracies and lumping them together into a single galumptious bureaucracy doesn't seem like a step in the right direction. Leaving the FBI and CIA out of the mix -- the largest sources of both valuable information and turf-based problems -- doesn't help, either. And if the individual organizations squabble and refuse to share information, reshuffling the chain of command isn't really going to make any difference -- it'll just add needless layers of management. And don't forget the $37 billion this is all supposed to cost, assuming there aren't the usual massive cost overruns. Couldn't we better spend that money teaching Arabic to case officers, hiring investigators, and doing various things that actually will make a difference? The problems are about politics and policy, and not about form and structure. Fix the former, and fixing the latter becomes easy. Change the latter without fixing the former, and nothing will change. I'm not denying the need for some domestic intelligence capability. We need something to respond to future domestic threats. I'm not happy with this conclusion, but I think it may be the best of a bunch of bad choices. Given this, the thing to do is make sure we approach that choice correctly, paying attention to constitutional protections, respecting privacy and civil liberty, and minimizing the inevitable abuses of power. My original articles: <http://www.counterpane.com/crypto-gram-0109a.html#4> <http://www.counterpane.com/crypto-gram-0109a.html#8> ------ End of Forwarded Message For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: CRYPTO-GRAM, June 15, 2002 Dave Farber (Jun 15)