Firewall Wizards mailing list archives
Re: FBI's InfraGard
From: Vin McLellan <vin () shore net>
Date: Thu, 29 Apr 1999 04:04:08 -0400
I want to apologize to those who felt that I was denigrating their efforts to work with law enforcement officers through the FBI's InfraGard program. I do feel strongly that the decision to place the National Intrastructure Protection Center (NIPC) in the hands of the FBI, an agency which measures success in terms of arrests, is among the more retarded policy decisions out of D.C. in recent years. Right up there with the Clipper chip. I suspect, however, that I let my irritation about the Clinton/Reno decision to waste the (desperately needed) NIPC on the G-men led me to color my reaction to InfraGard -- which I dismissed, quoting a more informed source, as a harvesting machine for rumors of corporate crime and computer intrusions. A mechanism, perhaps, to gather some Real World information to buttress the interesting <ahem> statistics the FBI and the CSI churn up in their annual surveys? (Ever wonder how they manage to select that woeful field of cybermugged corporate respondents? In the '99 survey, as I recall, over 30 percent of their respondents reported losses of over a million dollars each, due to illicit intrusions into their computers or networks. A _random_ sample?) I did receive several personal notes that made it very clear, however, that many of the infosec professionals who are participate in InfraGard are doing so for the best of reasons, and with every intention of helping the FBI Agents and other lawmen get a constructive and realistic grip on the technologies technical vulnerabilities (and the political context within which corporations confront cyber threats.) It is also clear that I was flat wrong to suggest that retired FBI agents now in corporate jobs are the core of the group. I wrote:
They wire the old ex-Feebees into a privileged rumor network in the hope that they will more readily toss in tips and rumors about IT attacks and threats -- if not about their own employers, then about competitors, the brother-in-law's firm, stories they heard at the bar, etc. They are getting desperate to hear about the sort of attacks that no corporate officer in his right mind is gonna report to the Bureau.
William Yang < wyang () gcfn net>, a member of the InfraGard Executive Board, pointed out that Former FBI Agents are in short supply within InfraGard. He also explained:
The "privileged rumor network" is only a small part of the Infragard program, though it is the most tangible in terms of understandability to the (marginally clued) press. Some people may distrust the FBI's motives, and I'm not going to debate what's going through the minds of the decision-makers at the FBI. However, the facts (as seen from the inside) indicate that this is a product of scurrilous rumor and outrageous innuendo. The analysis above is patently false and completely unfounded.
I apologize for the scurrilous rumor, but I guess I'll stand by the outrageous innuendo. I apologize for my errors, but I suggest that the FBI has fostered a deliberately ambiguous posture with regard to any need for strong privacy or information security technologies in American business, or elsewhere. Suspicions about a new FBI outreach program are thus not unfounded. Inaccurate maybe, but not unfounded. Sez Mr. Yang:
Infragard is made up of IT security managers and security engineers, working with law enforcement because we want our police to actually protect us the way they're charged to! We also agree that security issues cross corporate lines too easily: we need to be able to work together to facilitate the resolution of security problems, and Infragard is an expedient way to get to know who works where, to build some trust and some professional relationships that will be mutually beneficial.
Like most citizens, I want the FBI to successfully track down and arrest the crooks. I can also see how a forum like InfraGard can be useful to Agents, as well as to the corporate and academic technocrats who join up. (It never hurts to know who to call -- and it helps if all parties to a discussion of theft or computer intrustion know how to spell TCP and the like.) I think the idea (expressed forcefully by several InfraGard activists) that IT security managers and sysops are going to casually educate law enforcement officers about compsec and comsec so that they can "protect us the way they're charged to" is misguided, patronizing, and silly. The other points Mr. Yang makes above seem sensible enough, however. If different needs and motives bring different types of people to InfraGard, I suppose that only makes it an organization like any other. I also suspect that few corporate IT guys in InfraGard are unaware of the fact that the Bureau is eager to get directly involved in the sort of internal corporate inquiry into evildoin' and theft that corporate management today (quite sensibly) goes to great lengths in an attempts to keep the cops out. Suerte, _Vin -------- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _A Thinking Man's Creed for Crypto _vbm * Vin McLellan + The Privacy Guild + <vin () shore net> * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
Current thread:
- FBI's InfraGard Stout, Bill (Apr 17)
- <Possible follow-ups>
- Re: FBI's InfraGard Vin McLellan (Apr 20)
- solaris + tis Anderson Alves de Albuquerque (Apr 21)
- Re: FBI's InfraGard George Jones (Apr 29)
- Re: FBI's InfraGard Joseph S D Yao (Apr 29)
- Re: FBI's InfraGard Vin McLellan (Apr 29)
- RE: FBI's InfraGard Russ (Apr 29)