Friday's e-Reads
Channel Register accuses RSA of sitting on information about the cyberattack on its SecurID system
The FBI came to Congress Thursday to outline the problems law enforcement officials are increasingly facing in executing court ordered wiretaps, but did not offer a proposed solution for lawmakers to consider.
During a hearing before the House Judiciary Crime, Terrorism and Homeland Security Subcommittee, even critics acknowledged law enforcement faces a problem but there was much debate over what should be done to address it. Under the 1994 Communications Assistance for Law Enforcement Act, telecommunications companies are required to develop and deploy solutions to enable court-ordered wiretaps.
However, FBI General Counsel Valerie Caproni and Smithfield, Va., Police Chief Mark Marshall, who testified for the International Association of Police Chiefs, argued that they increasingly find that some telecom providers, particularly those not covered by CALEA, are unable to execute the requested wiretaps.
Caproni said law enforcement officers need to know that when they go to a communications provider with a wiretap order, the provider will have the technical ability to carry out that court order. She said as technology has advanced, law enforcement has faced challenges getting even basic information sought by a pen register request, which seeks the names and telephone numbers of suspected criminals.
When asked what specific changes the FBI is seeking, Caproni said the Obama administration is still developing its policy proposal and expects to release something soon. After the hearing, she said such a proposal may be done by spring.
The New York Times reported last fall that the administration would like all communications providers, whether a telephone company or an Internet messaging service, to be able to comply with a wiretap order seeking real-time access to communications.
While the administration has yet to detail a specific proposal, some Democratic members of the committee and others said they worry that the FBI wants to require telecom providers to build back-door access into their networks.
"Forcing telecom providers to build backdoors into their systems will actually make us less safe and less secure," House Judiciary ranking member John Conyers, D-Mich., said.
But when Rep. Ben Quayle, R-Ariz., questioned whether law enforcement is seeking a back-door to the Internet, Caproni said the administration does not want "wiretapping of the Internet. We just want the ability to serve a targeted order on a targeted person on a provider."
Caproni said the FBI would like to see a solution that would get at the bulk of the cases law enforcement investigates and acknowledged that cases involving the use of encryption or other sophisticated means of securing communications will require more technical solutions. "The reality is that ... criminals are sometimes lazy and often resort to what is easy," she said.
But Susan Landau, a fellow at Harvard University's Radcliffe Institute for Advanced Study and a former Sun Microsystems engineer, said any requirement that seeks to build access into a communication system would be vulnerable to hackers who could exploit the same access that law enforcement is seeking.
She added that a system that would allow bulk access is likely to be exploitable.
"I don't think we can possibly build into various communications infrastructures wiretapping solutions that allow bulk access" that isn't also easy to subvert, Landau said.
Instead, she said the FBI needs to invest more in research into intercepting new technologies as they are being deployed in the marketplace and to share the expertise it does have with local law enforcement officials who may not have the budgets to tackle new technologies on their own.
A coalition of tech associations and privacy groups Tuesday released a "statement of concern" about the FBI's proposals to expand a current law requiring communications providers to ensure law enforcement can conduct wiretaps on their networks.
The statement was released by a dozen groups including the Business Software Alliance, Center for Democracy and Technology, Computer and Communications Industry Association, the Net Coalition, and TechAmerica, and comes two days before a House Judiciary subcommittee hearing Thursday on ensuring lawful government surveillance with the rise of new technologies.
"Lawful electronic surveillance plays an important role in enabling government agencies to fulfill their obligations to stop crime and to protect national security," according to the statement from the groups. "These goals, however, must be reconciled with other important societal values, including cybersecurity, privacy, free speech, innovation and commerce."
The statement calls on the FBI and the Obama administration to answer several questions before lawmakers consider any proposals to expand the law known as the Communications Assistance for Law Enforcement Act, which requires telecom providers to design wiretapping capabilities into their networks.
These questions include what problems expanding CALEA would address, whether alternatives to a new CALEA-like mandate have been considered sufficiently, and whether narrower approaches have been pursued.
Once these questions are answered, the groups say any effort to expand CALEA must address several issues including preserving the trust of communication users, safeguarding cybersecurity, protecting innovation, continuing to allow the use of strong encryption without introducing new vulnerabilities, avoiding unfunded mandates, and anticipating international demands that may result from expanding U.S. surveillance laws.
Deserting and embarrassing their GOP House leadership, 26 Republicans--including several members of the Tea Party Caucus--bolted Tuesday night to join Democrats in a surprise rejection of a centerpiece of Bush-era powers to fight terrorism that curbed American civil liberties, National Journal reported.
The House Republican leaders had expected an easy victory in their efforts to reauthorize three expiring powers under the PATRIOT Act--among them, allowing "roving wiretaps" and searches of people's medical, banking, and library records. It is likely the GOP will succeed in a later vote, but Tuesday night's rebuff sent a strong message.
By a 277-148 margin, the bill fell just shy of the two-thirds majority needed to pass the House under suspension of the rules, representing somewhat of an embarrassment for House Republicans on a matter of national security. Republicans were accusing Democrats, many of whom had supported the extension of the provisions in the 111th Congress, of hypocrisy.
The American Civil Liberties Union applauded the House's action and urged critics of the PATRIOT Act to push lawmakers to continue to resist efforts to extend the law.
"For the nearly 10 years it has been law, the over-reaching Patriot Act has been abused by law enforcement to violate innocent Americans' privacy," Laura Murphy, director of the ACLU's legislative office, said in a statement. "We urge both the House and the Senate to keep up this momentum and continue to fight the extension of these provisions that put Americans' privacy at risk."
The U.S. government Tuesday began testing new airport screening technology that does not generate an image of a person's body, in an effort to address concerns raised by privacy and civil liberties organizations, National Journal reported.
The use of whole-body scanning machines at airports has been controversial largely because the machines create an image of a person's body without clothes. The Transportation Security Administration has said the machines give airport screeners the best chance of finding hidden objects on travelers.
But TSA is now testing new software that will only generate a generic outline of a person. Threatening items will be marked on the outline.
"We are always looking for new technology and procedures that will both enhance security while strengthening privacy protections," TSA Administrator John Pistole said. "Testing this new software will help us confirm test results that indicate it can provide the same high level of security as current advanced imaging technology units while further enhancing the privacy protections already in place."
Updated: 4:23 pm EST:
One of the strongest critics of the TSA's scanner program, Electronic Privacy Information Center Executive Director Marc Rotenberg, dismissed the agency's latest moves to address concerns about the scanners.
"It's not for the TSA to decide whether the TSA has done enough to protect privacy," Rotenberg said. "There has to be an independent evaluation and that is what the TSA has opposed."
Rotenberg's group has filed a Freedom of Information Act request with the TSA seeking documents about the agency's latest screening technology. He said since the TSA has yet to respond to this request, EPIC plans to file a lawsuit this week to compel the agency to turn over the documents.
Meanwhile, the ranking member on the House Homeland Security Committee called on TSA Tuesday to conduct an updated assessment of the new system's impact on privacy and civil liberties.
"While I commend TSA for its continuing effort to improve our aviation security, we must also continue to protect the privacy of the flying public," Rep. Bennie Thompson, D-Miss., said in a statement.
Juliana Gruenwald contributed to this story.
House and Senate committee leaders on Wednesday backed dueling legislation to extend online surveillance provisions of the USA PATRIOT Act that are set to expire at the end of February, Nextgov.com reported.
Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., introduced the bipartisan 2011 USA PATRIOT Act Sunset Extension Act, which would continue to allow roving wiretaps of suspects who change computers or phone numbers to avoid monitoring; tracking of "lone wolves" -- people of interest with no known links to terrorist groups; and retrieval of records and other tangible evidence from organizations with a court order. The proposal, which would expire in December 2013, also demands greater judicial supervision.
Last Congress, Leahy's committee approved a nearly identical bill (S.1692) backed by the Obama administration, but the full Senate instead opted to pass a straight temporary extension -- without the oversight measures -- that expires Feb. 28.
Meanwhile, House Judiciary Committee Chairman Lamar Smith, R-Texas, announced on Wednesday he has thrown his support behind a bill, H.R. 67, that House Intelligence Chairman Mike Rogers, R-Mich., unveiled on Jan. 5 that would extend the three expiring provisions for a shorter period of time, to 2012. It contains no additional oversight provisions.
A House Judiciary subcommittee grappled Tuesday with the issue of whether Congress should require Internet service providers and possibly other online firms to retain data for a set time period for possible use by law enforcement, National Journal Daily reported.
Internet service providers are already required by law to preserve data once notified by law enforcement, but they don't have to retain it for a specific amount of time. "Not all ISPs retain this important data, and the length of time such data is retained often varies from one provider to the next," Crime, Terrorism, and Homeland Security Subcommittee Chairman Jim Sensenbrenner, R-Wis., said during a hearing on the issue before his panel.
House Homeland Security Chairman Peter King, R-N.Y., Wednesday urged Treasury Secretary Timothy Geithner to place the whistleblower website WikiLeaks and its founder on a U.S. government list that would ban people and companies in the United States from conducting business with both.
WikiLeaks has come under fire by lawmakers and some Obama administration officials for releasing classified and other sensitive U.S. government documents, including most recently thousands of State Department diplomatic cables.
In a letter, King called on Geithner to place WikiLeaks and its founder Julian Assange on Treasury's Specially Designated Nationals and Blocked Persons List, which is maintained by the department's Office of Foreign Assets Control. The list includes such groups and individuals as terrorists and narcotics traffickers, according to the State Department.
"The U.S. government simply cannot continue its ineffective piecemeal approach of responding in the aftermath of WikiLeaks' damage," King wrote. "The administration must act to disrupt the WikiLeaks enterprise. The U.S. government should be making every effort to strangle the viability of Assange's organization."
King noted that U.S. firms such as Amazon.com, PayPal and Visa that had been doing business with WikiLeaks have since stopped. But he noted that Assange signed a book deal late last year with U.S. publishing company Alfred A. Knopf that will pay him about $1 million, which will help him keep WikiLeaks going. "Assange seems more emboldened than ever in WikiLeaks' continued viability," King added.
Sen. John Ensign, R-Nev., along with Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman, I-Conn., and Sen. Scott Brown, R-Mass., introduced legislation in the closing weeks of the last Congress that would amend the Espionage Act to make it illegal to publish the names of human intelligence informants to the U.S. military and intelligence community.
More than 10 years after 9/11, the U.S. Capitol Police still conducts its daily operations on an analog, non-encrypted radio network that can be effortlessly and legally monitored with a cheap police scanner, National Journal reported.
For years, officers, management, and labor representatives have asked Congress to upgrade the system, parts of which were built when Thomas P. "Tip" O'Neill was the Speaker of the House. It is so old that replacement radios are hard to come by and repairing them is difficult because many of the parts are no longer made.
Monday morning, anyone listening in with a scanner would have heard units responding to a "10-100"--the code for a potential hazardous material incident or suspicious package--at the Capitol South Metro Station. They could have monitored routine responses to door alarms, requests for assistance, and redeployments around the Capitol grounds. They would have heard an officer performing a routine explosives sweep on the exterior of the Cannon House Office Building.
A wide swath of civil rights activists, consumer advocates, Libertarians and security analysts blasted the now-infamous airport body scanners at a conference organized by the Electronic Privacy Information Center Thursday.
The diverse group of policy leaders and advocates argued that the controversial airport security devices are at a minimum pointless and ineffective and, at the worst, dangerously intrusive.
Well-known consumer advocate and former presidential candidate Ralph Nader called the Transportation Security Administration's decision to use the body scanners a "fundamentally irrational strategy" based on reactionary tendencies and fueled by corporate and political pressures.
Other panelists agreed, calling on Congress to cut funding for the scanners that "see" through passengers' clothing and produce images of their bodies.
"When Libertarians and Ralph Nader agree that a program is bad, it's time for the government to listen up," said Wes Benedict, executive director of the Libertarian Party's National Committee. "Government is supposed to protect our rights, not take them away. When is enough enough?"
Several security professionals urged the TSA to focus on more effective security measures -- many less technology based -- that have been proven to work, including basic detection of guns and bombs, behavioral profiling, and bomb-detection dogs.
Since the terrorist attacks on Sept. 11, 2001, two changes -- strengthening cockpit doors and convincing passengers to fight back -- have increased air travel safety, said Bruce Schneier, chief technology officer at the security company BT Counterpane. "Pretty much everything else is security theater."