Issue of The Week:
March 28, 2000
Figuring Out Where The FBI Fits In Computer Crime Fighting
One year ago, computer users returning to work after the first weekend of spring discovered a computer virus raging across cyberspace. Dubbed the "Melissa" virus by its author, the fast-replicating e-mail attachment tied up the computer servers of scores of businesses, and caused significant financial damage to businesses worldwide. But in addition to drawing upon the resources of traditional computer virus sleuths, Melissa brought another player to the table: the FBI.
The agency's National Infrastructure Protection Center took on one of its first high-profile public campaigns as Director Michael Vatis looked into the TV cameras positioned in the auditorium of the J. Edgar Hoover building and promised to bring the perpetrator to justice. It worked. Within a week, New Jersey police, in cooperation with the FBI and America Online, had arrested David Smith, who subsequently pled guilty to computer crimes and was sentenced to five years in federal prison.
But despite the success of the Melissa "sting," many in the technology and telecommunications industry remain deeply skeptical of the agency and its ability to work with them on all but the most routine criminal matters.
With the FBI's militant opposition to the export of strong cryptography and its demand that the Communications Assistance for Law Enforcement Act (CALEA) mandate a slew of new surveillance powers, many in industry were inclined to be skeptical when a draft version of a Clinton administration plan for defending computer networks surfaced in July.
Attitude Shift Apparent
The proposal called for the Federal Intrusion Detection Network (FIDNet) at NIPC to monitor electronic communications on government computer networks, and suggested that the scheme eventually would be extended to private sector systems. Those implications aroused a firestorm of controversy from privacy advocates, industry and congressional critics. The administration quickly downplayed such a reading. In the final report issued in January, FIDNet had been demoted to the role of a "burglar alarm" and positioned at the more neutral General Services Administration.
But the past year has seen a dramatic change in attitudes on both sides of the divide. President Clinton's retreat on encryption exports has been matched by a renewed readiness in the Internet industry to stand by Attorney General Janet Reno in endorsing Internet crime-fighting measures. And with Congress finally bringing legislative proposals to the table, what is most remarkable about the subject is how quickly a new consensus seems to be emerging that technology and government can work together to enhance computer security.
A key to this consensus is that the private sector's efforts must not be stymied by heavy-handed government attempts to take over computer security on their networks. Since the February denial-of-service attacks on several popular consumer Web sites, several administration officials have urged that the private sector must lead in this area. Those officials testifying before Congress include: Reno, FBI Director Louis Freeh, Deputy Attorney General Eric Holder, and William Reinsch, director of the Commerce Department's Bureau of Export Administration. Even President Clinton voiced these sentiments at a White House summit on cybersecurity.
Another key tenet of the consensus is that the federal government should do a better job of securing its own computer networks. That is one goal of "Defending America's Cyberspace: National Plan for Information System Protection," the January administration report, which generated largely favorable reaction from Capitol Hill and industry.
"It will help to get the federal government's house in order," said Doug Sabo, director of information security programs for the Information Technology Association of America, which has played a lead role in coordinating industry response to the national plan. It also is developing the Information Sharing and Advisory Council (ISAC) for the technology and telecommunications industry.
"We are adopting a wait and see attitude on FIDNet," he said. "As long as it operates the way it was characterized more recently, we wouldn't have problems with it."
Hail To The Cybersecurity Chief
But Congress also is demanding more accountability from executive branch computer systems, as evidenced by the Government Information Security Act, S. 1993, introduced by Senate Governmental Affairs Committee Chairman Fred Thompson, R-TN, and ranking member Joseph Lieberman, D-CT. The bill, which cleared the committee last week, would centralize control of all government computer networks and assign greater supervisory responsibility to the Office of Management and Budget.
Such a measure would advance the role of critical infrastructure protection "by building the trust and confidence of our partners in the private sector," said Frank Cilluffo, director of the Center for Strategic and International Studies' task force on information warfare and information assurance.
Although Thompson stopped short of endorsing a federal-level chief information officer, more individuals are calling for a new top-level position to handle cybersecurity. Cilluffo favors an assistant to the president for critical infrastructure protection, and last week Sen. Robert Bennett, R-UT, who heads the Senate's critical infrastructure protection task force, called for the appointment of a new chief information officer to advise the president.
Fighting For Their Rights
But for all the effort the administration has put into assuaging the tech industry about its intentions on information security, industry likewise has taken steps to convince federal officials they don't want to be lumped in with the Internet's criminal element. Although still wary that Internet service providers will be deputized in the fight against crime, a coalition of organizations including the Internet Alliance, ITAA and America Online this month endorsed a separate administration report by Reno and Commerce Secretary William Daley on unlawful conduct on the Internet.
The report endorsed using existing laws to tackle online gambling, fraud, and child pornography while asking for new law enforcement tools that the administration says are necessary to combat malicious hackers. The top items on the agenda already have been introduced in Congress: a measure to extend "trap and trace" court orders nationwide by Sen. Jon Kyl, R-AZ, and Sen. Charles Schumer, D-NY, and a measure to lower the $5,000 minimum damage threshold for criminal prosecution by Sen. Kay Bailey Hutchison, R-TX, as well as Kyl and Schumer.
More proposals are certain to follow. The Justice Department will host a forum on April 5 at Stanford Law School at which technology executives and law enforcement officials will debate whether other measures are necessary and may butt heads on the contentious question of online anonymity. Another proposal to modify the Freedom of Information Act to make it easier for businesses to share information about network intrusions with each other and with government appears to be more popular with technology industry officials than with policymakers.
But perhaps the most unusual aspect of the transformed debate on information security is the attitude now expressed by FBI officials. "Private companies are recognizing that they have to work with law enforcement, and they are working with us," NIPC's Vatis said before a Senate Commerce subcommittee in March. "We also need to show that we are capable of giving information back to the private sector, and sharing some of the technical exploits that we are seeing bad guys use," Vatis said. "Commerce does not thrive in anarchy, and it is in our national interest to make sure that the conditions are there to foster the further growth of e-commerce."

