US net snooping plans debunked
FIDNET not a threat after all. Well, not yet, anyway...
Terror spread across the Net on Thursday when New York Times correspondent John Markoff broke the Big Story: a National Security Council draft proposal will put the FBI in control of "a sophisticated software system to monitor activities on non-military Government networks, and a separate system to track networks used in crucial industries." Ghastly. The body to be created will be called the Federal Intrusion Detection Network, or FIDNET. Big Brother by another name, no doubt. Libertarian alarmists and conspiracy paranoiacs dropped their daily meds and rose angrily, if unsteadily, to arms. "The plan... specifies that the data [FIDNET] collects will be gathered at the National Infrastructure Protection Center (NIPC), an interagency task force housed at the Federal Bureau of Investigation," the Times went on, adding that "the plan strikes at the heart of a growing controversy over how to protect the nation's computer systems while also protecting civil liberties -- particularly since it would put a new and powerful tool into the hands of the FBI." But it so happens that The Register has its own copy of the draftt proposal, and unlike the New York Times, we've actually read ours. Let's just have a peek at the text. The first observation we make is that the text states plainly, "the GSA (General Services Administration) is responsible for establishing the FIDNET Program Office: this includes creating an interagency management team from the defence, intelligence, technical, legal, and law-enforcement communities." According to our reading, FBI's NIPC team will come in later, when FIDNET data gathered by the GSA suggest criminal activity. Again we take the unconventional approach of consulting the text: "FIDNET will provide raw/filtered data from network sensors and the Federal Computer Incident Response Capability. NIPC will continue to be responsible for further data processing." We remain at a loss to explain why the NYT reported that FIDNET would "put a new and powerful tool into the hands of the FBI." On the contrary, it appears that the Bureau's NIPC will be a tool of the GSA, if and when it decides the government has been cracked. Michael Vadis, FBI's Director of NIPC, made it clear during testimony to the Senate Y2K Committee yesterday that the FBI will respond only where there is evidence of a federal crime. The only language we found in any way alarming was, "FIDNET will interface with the currently planned intrusion detection systems being developed for DOD (Department of Defence) and national security agencies." We didn't quite know what the pseudo-verb "interface" was intended to mean, but we know that American law enforcement and the military are forbidden to do a great deal in the way of "interfacing". As the very existence of America's Act of Posse Comitatus indicates a history of some difficulty in distinguishing between civil and military purviews, this little snippet naturally raised our eyebrows. On this matter the Department of Justice computer crimes division declined to be helpful. The level of interdependence between military and non-military bodies being contemplated is indeed a controversial issue, but it seems unlikely that the final product will initiate military involvement in civilian affairs enough to invite a popular backlash. Elections are coming up, after all; and the FIDNET system will present itself as a tempting target for cyberterrorists if its management becomes odious, thereby having the ironic effect of decreasing security for government systems. Assuming that the language of the proposal does get tidied up a bit, we can expect a much softer line in reference to DOD's role in FIDNET. This still leaves the matter of DOD participation in case of an emergency. The president is permitted by law to suspend the Act of Posse Comitatus in difficult circumstances, such as insurrection, mayhem in the streets, foreign invasion, or those the Y2K rollover might possibly present. A further bit of constitutional intrigue will undoubtedly emerge if a foreign military organization should attack a US civilian network related to banking, energy, transportation or some other essential service. It does not necessarily follow that the DOD would need access to civilian networks in order to reply on behalf of the USA. Vadis for one thinks an organised attack is inevitable. He declined to go into specifics, but left us with the strong impression that hostile military bodies overseas are developing the means to disable military, government and civilian networks remotely via an internet-based attack. Clinton's National Security Advisor, Sandy Berger, said on Thursday that there exist "governments that we know are developing systems to get access to our computer systems." Not an especially comforting thought. "We know that, in fact... there have been intrusions into sensitive systems," Berger added. Whether or not such an attack is being planned, it is certain that the US government expects one. We wonder if the increased level of connection among government systems needed for FIDNET to monitor them effectively might not lead to increased vulnerability. Whether it happens, or when it happens, it is sure to be a jurisdictional nightmare; and the FIDNET proposal does foreshadow that confusion with its own vague language. A crucial point here is that the proposal leaked to us is in draft form and now seven weeks old. The Register's contact on the White House National Security Council, who goes by the name of "an administration official," made it clear that the final draft will not be ready for submission to the President until September at the earliest. The FIDNET document is at present quite fluid, and on its way past numerous reviewers including the Department of Justice computer crimes division, the General Services Administration, the Department of Defence, the National Security Council and the FBI. Furthermore, our source at NSC tells us, the proposal currently being circulated does address and tighten up the unfortunately vague "interface" language. The level of involvement between DOD and non-military government agencies is intended to be little more than an advisory relationship and a sharing of new quirks, bugs and attack techniques much as "one police department might share tips with another in a different jurisdiction." The language which led to an assumption by many that FIDNET might one day monitor private-sector networks is also being clarified. NSC says that there will not be even an opt-in programme for private users to voluntarily choose such monitoring. FIDNET will, however, share its tricks with private enterprise, and leave it to them to implement what it chooses, on its own nickel. The Register will report fully and eagerly on the specific changes to the FIDNET proposal as soon as the latest version is leaked. It might actually make sense to withhold judgment on the piece until after it's been reviewed and polished. Just a thought. ®
Sponsored: Network DDoS protection