excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
firstname.lastname@example.org. If you're dying to order the book, send
mail to the same address.
It didn't matter how obviously necessary a security measure was. Resistance to any change was strong. A case in point was the effort to install intrusion monitoring on the federal government's own networks.
To succeed, most cyberattacks must do two things. The hackers first have to get malicious code into the network they’ve targeted. Then they have to get stolen information out. If we can detect either step, we can thwart the attack. So one way to defend our networks is to do a thorough job of monitoring traffic as it goes in and out.
We’ve known this for a decade. The Clinton administration’s cybersecurity strategy, drafted in 1999 and released in early 2000, called for a network of intrusion detection monitors that could inspect packets going into and out of all federal government networks. President Clinton requested funds for intrusion monitoring in his outgoing budget. But civil libertarians quickly launched a campaign against it.
It was an odd battle for them to choose. The point of the monitoring network was to inspect government communications. Even the most extreme privacy zealot shouldn’t be shocked to discover that the government was reading its own mail, much less that it was inspecting its mail for malware. By then, government agencies were already screening emails for spam; the intrusion detection network simply extended that concept to other unwanted packets. What’s more, since roughly the 1980s, these computers had been displaying warnings users that government systems are subject to monitoring.
But privacy groups were spoiling for a fight. They portrayed the proposal as the second coming of Big Brother.
"I think this is a very frightening proposal," an ACLU representative told ZDNet News.
"We feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in," said a counsel for the Center for Democracy and Technology.
"I think the threats (of network vulnerability) are completely overblown," said the general counsel for the Electronic Privacy Information Center, adding that claims of a security threat is leading to "a Cold War mentality" that threatens ordinary citizens' privacy.
In the end, civil liberties resistance was so strong that only the Defense Department was allowed to build an intrusion detection network. For years thereafter, the civilian agencies experienced intrusions that could have been prevented by the intrusion prevention system proposed by President Clinton. But once burned was twice shy. The privacy groups had thoroughly tainted the idea of intrusion prevention on the Hill, and there was real reluctance to revisit the issue. When the Bush Administration wrote its cybersecurity strategy, it did not even try to revive the idea.
Finally, though, five years later, the Bush Administration decided to force the issue. Mike McConnell, the Director of National Intelligence, had been my boss at NSA, and he had spent the years after leaving NSA building a cybersecurity practice at a large consulting firm. A quiet, self-deprecating Southerner with a talent for briefing higher-ups, McConnell was determined to move cybersecurity to the front burner.
He didn’t have to work too hard to persuade DHS to take on the challenge. We were alarmed at the ease with which attacks were being launched against civilian agencies. With the backing of President Bush and Mike McConnell, we again proposed an intrusion detection network for civilian agencies. And civil libertarians once again renewed the fight to stop us – as though nothing had changed in ten years. Without the slightest evidence of irony, they again raised privacy objections to the government monitoring its own communications.
We got further than President Clinton did, but not much. Congress appropriated funds for the project, but it had not been fully implemented when Barack Obama was elected President. Spooked by the privacy outcry, the Obama Administration postponed full implementation of intrusion monitoring so that it could again examine all of the privacy issues. Pilot projects are underway, but final decisions about how, when, and whether to implement effective intrusion monitoring are still awaiting consensus among the lawyers.
Meanwhile, attacks similar to those that compromised the Dalai Lama’s network are continuing. The privacy debate had caused ten years of delay, and it may yet kill an effective intrusion prevention system.