Firewall Wizards mailing list archives

Re: FBI's InfraGard


From: Vin McLellan <vin () shore net>
Date: Thu, 29 Apr 1999 04:04:08 -0400


        I want to apologize to those who felt that I was denigrating their
efforts to work with law enforcement officers through the FBI's InfraGard
program.
 
         I do feel strongly that the decision to place the National
Infrastructure Protection Center (NIPC) in the hands of the FBI, an agency
which measures success in terms of arrests, is among the more retarded
policy decisions out of D.C.  in recent years.  Right up there with the
Clipper chip.

        I suspect, however, that I let my irritation about the Clinton/Reno
decision to waste the (desperately needed) NIPC on the G-men lead me to
color my reaction to InfraGard -- which I dismissed, quoting a more
informed source, as a harvesting machine for rumors of corporate crime and
computer intrusions.

        A mechanism, perhaps,  to gather  some Real World  information to
buttress the interesting <ahem> statistics the FBI and the  CSI churn up in
their annual surveys?  (Ever  wonder how they manage to select that woeful
field of cybermugged corporate respondents?  In the '99 survey, as I recall,
over 30 percent of their  respondents reported losses of over a million
dollars each, due to illicit intrusions into their  computers or networks.
A _random_ sample?)

        I did receive several personal notes that made it very clear,
however, that many of the infosec professionals who participate in
InfraGard are doing so for the best of reasons, and with every intention of
helping the FBI Agents and other lawmen get a constructive and realistic
grip on the technologies, technical vulnerabilities (and the political
context within which corporations confront cyber threats.)

        It is also clear that I was flat wrong to suggest that retired FBI
agents now in corporate jobs are the core of the group.  I wrote:

> They wire the old ex-Feebees into a privileged rumor network in the
> hope that they will more readily toss in tips and rumors about IT
> attacks and threats -- if not about their own employers, then about
> competitors, the brother-in-law's firm, stories they heard at the bar, etc.
>
> They are getting desperate to hear about the sort of attacks that
> no corporate officer in his right mind is gonna report to the Bureau.

         William Yang <wyang () gcfn net>, a member of the InfraGard Executive
Board, pointed out that Former FBI Agents are in short supply within
InfraGard.  He also explained:

> The "privileged rumor network" is only a small part of the Infragard
> program, though it is the most tangible in terms of understandability
> to the (marginally clued) press.
>
> Some people may distrust the FBI's motives, and I'm not going to
> debate what's going through the minds of the decision-makers at the
> FBI.  However, the facts (as seen from the inside) indicate that this
> is a product of scurrilous rumor and outrageous innuendo.  The
> analysis above is patently false and completely unfounded.

        I apologize for the scurrilous rumor, but I guess I'll stand by the
outrageous innuendo.   

        I apologize for my errors, but I suggest that the FBI has fostered a
deliberately ambiguous posture with regard to any need for strong privacy or
information security technologies in American business, or elsewhere.  

         Suspicions about a new FBI outreach program are thus not unfounded.
Inaccurate maybe, but not unfounded.  Sez Mr. Yang:

> Infragard is made up of IT security managers and security engineers,
> working with law enforcement because we want our police to actually
> protect us the way they're charged to!  We also agree that security
> issues cross corporate lines too easily: we need to be able to work
> together to facilitate the resolution of security problems, and
> Infragard is an expedient way to get to know who works where, to build
> some trust and some professional relationships that will be mutually
> beneficial.

       Like most citizens,  I want the FBI to  successfully track down and
arrest the crooks.  I  can also see how a forum like  InfraGard can be
useful to Agents, as well as  to the corporate and academic technocrats who
join up.  (It never hurts to know who to call --  and it helps if all
parties to a discussion of theft or computer intrusion know how to spell
TCP and the like.) 

        I think the idea (expressed forcefully by several InfraGard
activists) that IT security managers and sysops are going to casually
educate law enforcement officers about compsec and comsec so that they can
"protect us the way they're charged to" is misguided, patronizing, and silly.  

        The other points Mr. Yang makes above seem sensible enough, however.
If different needs and motives bring different types of people to InfraGard,
I suppose that only makes it an organization like any other.  

        I also  suspect that few corporate IT guys in InfraGard are unaware
of the fact that the Bureau is eager to get directly involved in the sort of
internal corporate inquiry into evildoin' and theft that corporate
management today (quite sensibly) goes to great lengths in an attempt to
keep  the cops out.

        Suerte,
                        _Vin
--------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 *     Vin McLellan + The Privacy Guild + <vin () shore net>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548


