A Push From Homeland Security

[InfoSec News <isn () c4i org>]

http://www.nytimes.com/2003/06/30/technology/30NECO.html

By STEVE LOHR
June 30, 2003 

ROBERT LISCOUSKI left his job as the head of information security at
Coca-Cola three months ago to join a start-up. "I refer to it as
DHS.com, and that's probably a good way to think about it," he said.

The pace of work is frenetic, the organization is being built from the
ground up, and, like a dot-com in the euphoria years, the new
Department of Homeland Security - the DHS in Mr. Liscouski's locution
- will have some serious money to spend.

Mr. Liscouski, an assistant secretary at the department, who spoke at
a conference last Wednesday, hit a nerve with his analogy. The
computer executives at the gathering in Washington were suitably
amused, nodding and smiling - wistfully no doubt. Nothing, of course,
will bring back the dot-com heyday. But to much of Silicon Valley, the
government's mandate to improve homeland security looks as if it could
be the next-best thing - a technology push, stimulated by government,
that is expected to create a lucrative market in computer hardware and
software for surveillance, data collection, data analysis and
cybersecurity.

The government is shopping for high-technology tools capable of
finding terrorists and defending against cyberattacks on the computer
networks that run the nation's financial, transportation and
communications systems.

Dependence on the private sector was the mantra of the Bush
administration officials who spoke at the conference, "Information
Technology Leadership in a Security-Focused World." The gathering was
sponsored by the Information Technology Industry Council, a trade
organization, and the Center for Strategic and International Studies,
a research group.

As Paul Kurtz, the special assistant to the president on the White
House Homeland Security Council, said at the conference, "We will take
the best and brightest ideas in the private sector and apply them to
homeland security."

That stance is probably less a political philosophy than a pragmatic
recognition of the technical realities of homeland security. About 85
percent of the computers and networks connected to the Internet, for
example, are owned and operated by companies.

"The systems are designed and owned by the private sector," said Adam
Golodner, an associate director at the Institute for Security
Technology Studies at Dartmouth College. "That's a very different
world from traditional defense, where if the Pentagon wants a new
strike-force bomber it is totally built to the government's
specifications."

Yet relying so much on the industry for both equipment and ideas
raises a policy issue. As the government and private sector adopt a
dot-com enthusiasm for the "best and brightest" security technologies,
will both sides lose perspective on what is truly in the public
interest?

There is a tension, for example, between the interests of homeland 
security and personal privacy. Security and personal privacy are not 
necessarily at odds; an individual's financial transactions over the 
computer networks of modern banking systems, for instance, cannot be 
private unless they are secure.

Still, the drive toward homeland security seems fraught with privacy 
peril. One broad approach being explored for improving security 
involves collecting vast sets of personal information in computer 
databases, then sorting and analyzing the data to look for suspicious 
activities and possible terrorists.

The optimistic view is that technology can sidestep any trade-off 
between homeland security and personal privacy. "Information 
technology will be a force for more security and more privacy, a force 
for greater security and greater individual freedom," Bill Gates, the 
chairman of Microsoft, said in a luncheon speech at the conference.

Not everyone in attendance was convinced. "What he said is fine for 
rhetoric, but I'm not sure it's true," said Lance J. Hoffman, a 
computer scientist and security expert at George Washington 
University.

One concern, Mr. Hoffman said, is that the national effort to improve 
homeland security will mean that all the investment and research goes 
into computer security, while the privacy implications are given short 
shrift. To prevent that, he advocates public investment on both sides 
of the security-privacy ledger.

As a possible model, Mr. Hoffman points to the National Human Genome 
Research project. The government sets aside part of the project's 
annual budget, 3 percent to 5 percent, for a research program into the 
ethical, legal and social implications of genetic research.

"In the short-term drive to improve security, we want to make sure 
that whatever we do is consistent with a long-term balancing point of 
preserving civil rights," Mr. Hoffman said. "You want those kinds of 
decisions to have been considered and thought through."

Speaking at the conference, John J. Hamre, the president of the Center 
for Strategic and International Studies, made a somewhat different 
argument for trying to strike a balance in homeland security policy. A 
former deputy secretary of defense, Mr. Hamre said that there was no 
complete answer to all security threats, so there were limits to what 
technology could be expected to do.

At the conference, industry executives spoke highly of the raft of 
technologies that can and are being deployed in the quest for homeland 
security - data-sifting software, artificial intelligence, probability 
theory, iris recognition and digital-video surveillance gear. And most 
people emphasized the need for clever software to integrate the 
computer networks of federal, state and local law enforcement 
agencies, so they can share information more easily.

That is all potentially useful, Mr. Hamre said, but he added that the 
effort to gather and sift through oceans of data might be misguided. 
The appropriate metaphor for domestic surveillance, he said, was the 
old one of looking for a needle in a haystack. By piling up the data, 
"we're adding more hay to the stack," Mr. Hamre said.

Before trying to integrate the thousands of federal, state and local 
computer systems, Mr. Hamre said, it might be wise to spell out 
clearer rules for sharing information on the roughly 40,000 people on 
terrorist "watch lists" among the federal agencies that keep those 
lists.

"The problem is terrorists," Mr. Hamre said, "not lack of 
information." 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.