Information Security News mailing list archives

Bush signs Homeland Security bill


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Nov 2002 01:31:21 -0600 (CST)

http://news.com.com/2100-1023-975305.html?tag=fd_lede1_hed

By Declan McCullagh 
Staff Writer, CNET News.com
November 25, 2002

When President Bush signed a bill on Monday creating the Department of
Homeland Security, he started a process that will reshuffle
bureaucracies, permit greater Internet surveillance and refocus the
government's computer security efforts.

The authors of the massive law, which totals about 500 pages, envision
a far greater role for the government when it comes to making sure
operating systems, hardware and the Internet are secure. The law
allocates $500 million for research into new technologies. It also
classifies certain activities as new computer crimes, stiffens
penalties and permits Internet providers to hand more information
about subscribers to police.

"The department will gather and focus all our efforts to face the
challenge of cyberterrorism, and the even worse danger of nuclear,
chemical and biological terrorism," Bush said during a White House
ceremony Monday afternoon. "This department will be charged with
encouraging research on new technologies that can detect these threats
in time to prevent an attack."

Bush nominated Tom Ridge, the former Pennsylvania governor who's
currently a White House advisor, to run the new department.

White House spokesman Ari Fleischer warned on Monday that it will take
"a couple years" to integrate the 22 existing federal agencies that
will make up the new department and to deal with culture clashes and
incompatible computer systems. Together, these agencies--the list
includes the Secret Service, the Immigration and Naturalization
Service, the Coast Guard and the Border Patrol--employ about 170,000
people.

"In the process of bringing people together, there are, of course,
going to be wrinkles that need to get ironed out," Fleischer said. "No
transition is perfect. (But) this process will lead to enhanced
homeland security for the American people."

Privacy concerns

The final law prohibits the Justice Department's proposed
citizen-informant program called TIPS (terrorist information and
prevention system) and rejects "the development of a national
identification system or card."

But civil liberties groups are concerned about the impact the law will
have on privacy, especially when linked with a pair of controversial
projects funded by the Defense Advanced Research Projects Agency
(DARPA).

The agency considered and abandoned a plan to curtail Internet
anonymity by tagging browsing with unique markers for each person,
while funding a mammoth database that would feature profiles of nearly
all Americans' behaviors and spending habits.

"Is it appropriate for the U.S. Department of Defense to pursue an
aggressive program of (technology development) that can be used for
surveillance of Americans?" asked Marc Rotenberg, the director of the
Electronic Privacy Information Center.

Rotenberg called for the ouster of former admiral John Poindexter, who
runs DARPA's Total Information Awareness (TIA) program, saying
Poindexter's past efforts to create similar databases made him
unsuitable to head the project.

Last week, Sen. Chuck Grassley of Iowa asked the Defense Department's
inspector general to conduct a "complete review" of DARPA's TIA
program. Grassley will become chairman of the Senate Finance Committee
next year, at which time he'll be in a position to place a check on
the program's funding.

The details

After the reorganization is complete, the new department will mash
together five agencies that currently divvy up responsibility for
"critical infrastructure protection." Those are the FBI's National
Infrastructure Protection Center, the Defense Department's National
Communications System, the Commerce Department's Critical
Infrastructure Assurance Office, an Energy Department analysis center
and the Federal Computer Incident Response Center.

A last-minute addition to the Homeland Security bill was the 16-page
Cyber Security Enhancement Act, which the House approved as a
standalone bill in July. It expands the ability of police to conduct
Internet or telephone eavesdropping without first obtaining a court
order, grants Internet providers more latitude to disclose information
about subscribers to police in emergency circumstances and says those
convicted of malicious hacking face sentences as severe as life in
prison.

Another addition, which was opposed by open-government activists and
journalist groups, says that information that businesses give the
department that's related to "critical infrastructure" will not be
subject to the Freedom of Information Act. That could include details
on virus research, security holes in applications and operating system
vulnerabilities.

The law also establishes an office designed to become "the national
focal point for work on law enforcement technology." Categories
include computer forensics, tools for investigating computer crime,
DNA identification technologies and the development of firearms that
recognize their owner. The office also is charged with funding the
creation of tools to help state and local law enforcement agencies
thwart computer crime.

The Department of Homeland Security law also creates a Directorate for
Information Analysis and Infrastructure Protection that is charged
with analyzing vulnerabilities in systems including the Internet,
telephone networks and other critical infrastructures, and orders the
creation of a "comprehensive national plan for securing the key
resources and critical infrastructure of the United States" including
information technology, financial networks and satellites.

The law also...

* requires all federal agencies, including the CIA, the Defense 
  Department and the National Security Agency, to provide the new 
  department with any "information concerning the vulnerability of the 
  infrastructure of the United States;" 

* punishes any department employee with one year in prison for 
  disclosing details that are "not customarily in the public domain" 
  about critical infrastructures; 

* creates a privacy representative and a civil liberties officer to 
  ensure that the department follows reasonable "privacy protections 
  relating to the use, collection and disclosure of personal 
  information;" 

* allows the department to create a national corps of volunteers to 
  "assist local communities to respond and recover from attacks on 
  information systems and communications networks." 



-
ISN is currently hosted by Attrition.org


