Ron Dick, the Federal Bureau of Investigations top cybercop, has something to say to people who think they can hide their identities online: “The ability to remain anonymous is your right.”
Thats not exactly the message critics might expect from the FBI, an agency that frets openly about the dangers of hacker activity on a network where sometimes no one knows your name.
But Dick knows that now its his National Infrastructure Protection Center thats under the gun. Civil libertarians have challenged the centers very existence, warning that centralized police powers could lead to online snooping that would make J. Edgar Hoover blush. Likewise, many businesses think the NIPC asks for too much sensitive information in its zeal for chasing online crooks.
Add to that a scathing General Accounting Office report on the NIPCs performance, released in late May, and you have a boss who is looking to deal.
“One of the things that I want to do is further solidify the partnerships we have established with the other federal agencies . . . and the private sector,” says Dick, a 23-year FBI veteran.
A 1998 Clinton directive was supposed to give the NIPC power to gather and analyze information from a wide variety of sources. Under the original plan, military, intelligence and other agencies, as well as the private sector, were all supposed to feed information about vulnerabilities in the nations networks to the center. Everyone, it seemed, would tell everyone else what hackers were up to on their networks.
But that never happened. Instead, a prolonged turf war broke out among the Department of Commerce, the Department of Defense, the Department of Justice and the National Security Council.
In fact, according to the GAO report, no federal agency is sharing the information it receives about online crimes with the NIPC. The DODs top brass could never agree on how to do it. Civilian agencies have fed some information to the DOCs Critical Infrastructure Assurance Office, but the CIAO claims that only the agencies themselves have the right to pass that data on to the FBI. The NSC, meanwhile, has recommended that the NIPC, its bureaucratic rival, be eliminated.
The private sector has set up some of its own information sharing centers, so company security chiefs can swap intelligence on what they see on their networks. But three years after President Bill Clinton called for their establishment, only four of the eight proposed centers are up and running. Most U.S. companies remain uncovered.
Critics fault the FBI for much of this mess. Marcus Ranum, chief technology officer at security software firm NFR Security, serves on a small board of Wall Street security executives. The group, which includes some of the worlds largest investment banks, meets regularly to talk about intrusions and how to fend them off. The FBIs tough-guy ways irritate people who have dedicated their lives to security, Ranum says.
“We dont need the FBI to tell us how to share information,” Ranum says. “Wall Street understands information sharing. They arent going to share this information with the FBI because theyre a bunch of grandstanding, gun-toting cowboys.”
Dick knows not everyone wants to tell his group the things they see. He knows many fear that agents will disrupt their operations, tie up personnel or leak sensitive information to the outside. But that, he says, misses the main mission of the NIPC. “The mission is to detect, deter, assess, warn and investigate,” Dick says, “and they are in that priority order.”
He goes further. If companies are so afraid that investigations will disrupt their operations, Dick says, they can report it to industry groups such as the information sharing and assessment centers anonymously. “Im not bothered by the fact that they arent telling me the names of the victims,” he says.
And it isnt as though much of this will end up on anyones front page. DOJ data show that no more than two dozen hacker cases are actually brought in in any given year. But that still does not satisfy corporations, which fear that reporters or competitors will learn about their problems through Freedom of Information Act (FOIA) requests.
Bruce Heiman, executive director at high-tech business lobbying group Americans for Computer Privacy, says FOIA reform is a top priority for his group. “The FBI may be able to make a theoretical legal argument that the FOIA protects information, but if companies and private-sector groups dont believe it, then they wont share the information,” Heiman says.
Dick says hes confident the FOIA laws will protect company secrets. But hes also willing to go along with new laws to seal more information from public eyes.
Faced with a hostile bureaucracy, an uncooperative private sector and a severe shortage of talent, others might throw in the towel. But Dick has been at the NIPC since its earliest days. Eventually, he says, the world will get better security.
“What is going to change the situation is when customers demand security in their products,” he says. He likens the problem to the one Ralph Nader faced after 60 years of cars with no seat belts and almost no anti-collision features. “Only recently have [auto buyers] demanded security,” Dick says. “Theyve delivered what the customer demanded.”