IT security lags five years on from September 11

Questions remain

Since terrorists attacked the United States on September 11, 2001, the US government has begun a robust, and oft-criticised, electronic-surveillance programme, but other IT-related security projects designed to thwart terrorism have made little progress.

Better cybersecurity leadership, more cargo scanning on aeroplanes and ships and interoperable communications networks for emergency response agencies have all developed slowly. In some cases, fights in Congress have slowed progress, or the US government has focused on other priorities. In other cases, the cost of IT projects has been an issue.

The fifth anniversary of the attacks has focused attention as much on what has not been accomplished to protect the US from future attacks as on what has been — chiefly, the surveillance system. In recent months, civil liberties groups have protested against the shadowy electronic-surveillance programme run by the US National Security Agency (NSA), with alleged cooperation from large telecommunications carriers. US President George W Bush has defended the programme as necessary and legal, even as critics point out the NSA is spying on US residents without court orders.

Critics say the emphasis on surveillance instead of other technology has led to an invasion of innocent people’s privacy and has not improved the nation’s security.

The Electronic Frontier Foundation (EFF), leading a lawsuit against AT&T for its alleged participation in the NSA surveillance programme, says some US Federal Bureau of Investigation agents have complained about the quality of the leads generated by the programme.

“It’s like, ‘Oh great, more calls to Pizza Hut,’” says Kevin Bankston, an EFF staff attorney. “This many may not help us connect the dots — it may just be creating more dots.”

But there hasn’t been a major outcry about the NSA programme from US residents, with a common attitude being that innocent people should have nothing to hide.

“I worry that a lot of people are speaking out of fear,” Bankston says. “You wouldn’t want government cameras installed in your bedroom or your bathroom, not because you’re doing anything wrong there, but because there are areas of our lives that should be private.”

The biggest change since September 11 is this culture of surveillance, says Jim Dempsey, policy director at the Centre for Democracy and Technology, an advocacy group focused on civil liberties online. Congress’ quick passage of the Patriot Act following September 11 generated huge debates about its expansion of law enforcement powers, but the NSA programme happened without congressional approval, he says.

“All the ink that was spilled over the Patriot Act is irrelevant … if the president says he’ll do what he wants,” Dempsey says. Combined with technology advances in areas such as storage, location awareness and facial recognition, these expanded government powers create “a pretty wholesale assault on privacy.”

The Bush administration has defended its tactics, with the president saying this month that the government’s counter-terrorism efforts have subverted a number of plots since September 11, including an anthrax attack and an aeroplane hijacking plan.

The NSA surveillance programme “helps protect Americans,” Bush said in a speech earlier this month. He called on Congress to derail court challenges to the NSA programme by passing laws approving the programme. “If an Al Qaeda commander is calling the United States, we need to know why they’re calling,” he said.

In three other IT-related areas, progress has been slow.

Cybersecurity

IT security groups have called for greater US government emphasis on cybersecurity. In July 2005, US Department of Homeland Security (DHS) Secretary Michael Chertoff announced plans to create a high-level position, assistant secretary for cybersecurity, but that position remains unfilled, despite pressure from IT groups.

In addition, the DHS has never scored above an “F” in the federal government’s annual computer security assessment. Another agency that has consistently pulled in “Fs” is the US Department of Veterans Affairs, which was roiled earlier this year following a massive data breach.

Part of the problem is that the government is simply not as interested as it should be in paying for online defence, according to Marcus Sachs, a former Bush administration advisor on internet security.

“It’s kind of hard to convince Congress to continue to fund cybersecurity efforts when the entire nation is shaking in its boots over chemical weapons and dirty bombs,” says Sachs, who now works for SRI International, a research organisation in Menlo Park, California.

“We’ve not had any attributable cyberstuff that you could trace back to terrorism ... it’s hard to make a case as to why we need to be worried about it.”

Those kinds of attacks may still come, says O Sami Saydjari, founder and president of Cyber Defence Agency, an IT security research and consulting firm in Wisconsin Rapids, Wisconsin. Just one massive cyber-attack would boost US cyber-defence spending, but a major attack could cost US businesses up to US$1 trillion, he says.

The technology to sufficiently harden US cyber-defences largely exists, but the government needs to create a programme to improve the nation’s cybersecurity infrastructure, Saydjari says. “Waiting until we have these attacks is not the time to develop that programme,” he says. “Every year, the [cyber] attacks are better.”

Communications interoperability for emergency response agencies

Security experts, including the 9/11 Commission, have requested additional radio spectrum so that emergency response agencies can better communicate with each other. During the September 11 attacks, some emergency responders found that their communication systems did not interoperate. More radio spectrum is on the way, but not until February 2009, the deadline Congress set for television stations to vacate the spectrum and move to all digital broadcasts.

During a lengthy congressional debate over the digital TV transition, Senator John McCain, an Arizona Republican, tried to move up the transition date, arguing emergency responders need the spectrum as soon as possible. But congressional concerns over the timing of commercial auctions for part of the freed spectrum led to the later date. If the auctions were too soon, the spectrum might not sell for the $10 billion Congress has budgeted, opponents of an earlier deadline say.

Meanwhile, some emergency response agencies are working with each other to improve interoperability, but these efforts are happening only in “pockets” of the US, says Steven Jones, executive director of the First Response Coalition, a group advocating interoperable emergency communications.

“There’s no national strategy to coordinate all these efforts,” Jones says.

“Nationally speaking, I don’t know that we’re better off than we were five years ago.”

Cargo scanning

Hobbled by high costs and slow machines, airlines and cargo ships scan only a fraction of the baggage they carry, leaving their passengers at risk of hidden explosives and other weapons, critics say.

Most of the six billion pounds of cargo shipped on passenger airlines every year is commercial cargo, not checked baggage, and most of those crates and cartons are never scanned, exposing passengers to risk, according to US Representative Edward Markey, a Massachusetts Democrat.

The problem is even greater on commercial shipping venues, with unscanned cargo rolling into the US every year aboard 11.2 million trucks, 2.2 million rail cars and 51,000 cargo ships, according to the DHS.

The US Transportation Security Administration, which operates airport security systems, says it faces the dilemma of choosing between inexpensive but inaccurate machines and expensive, high-quality machines.

Airport workers now scan baggage with two types of systems. Explosive trace detection machines are affordable — they’re the size of a laser printer and cost a few thousand dollars — but rely on slow and error-prone human workers to collect test samples.

In contrast, explosive detection system machines can process up to 500 bags per hour but weigh as much as 17,000 pounds and cost up to US$1 million. And airports must invest much more money to insert those machines into their existing baggage conveyor belts to speed the process.

Still, officials with the Bush administration insist they’ve made significant progress in fighting terrorism over the last five years.

A “network” of law enforcement and intelligence agencies, improved terrorist databases and international cooperation have successfully thwarted multiple terrorist plots, US Attorney General Alberto Gonzales says.

“If there is one thing that all Americans will be thinking and saying [in marking] a terrible anniversary ... [it is] the simple phrase: ‘never again,’” he says. “And the goal of ‘never again’ cannot be achieved by the federal government alone, by any state government alone, or by any local police force alone. Our network of prevention is instead the key to protecting the American people.”
