COMPUTERGRAM INTERNATIONAL: JULY 29 1999 Internet Editor: Nick Patience ([EMAIL PROTECTED]) + FBI to Monitor Non-Military Networks for Terrorist Activity? By Rachel Chalmers The Clinton Administration has developed plans for a computer monitoring system to be overseen by the FBI. The plan, which was leaked and published on the Center for Democracy and Technology (CDT)'s web site at http://www.cdt.org, was drafted in response to a May 1998 Presidential Decision Directive. That Directive called on the Executive Branch to devise strategies to protect critical infrastructure like computer networks. "The protection of our Nation's vital computer-based systems must become a central part of the mission of our corporations and our government agencies," writes President Clinton in the introduction, adding: "the effort will not be easy." The draft goes on to detail a network of thousands of software monitoring programs which would track computer activities, looking for evidence of intrusions and other crimes. It calls for the public and private sectors to cooperate in the construction of this Federal Intrusion Detection Network (FIDNET). "Basically, FIDNET is a 'netted' intrusion detection monitoring system for non-DoD government computers," explains the CDT's Jim Dempsey. "Intrusion detection monitors installed on individual systems or networks will be 'netted', so that an intruder or intrusion technique used at one site will be automatically known at all sites. The FBI will be at the center of the system: 'raw/filtered' data from the network of sensors will be provided to the National Infrastructure Protection Center (NIPC) that has been created at the FBI... Ultimately, the plan states, it is the goal to have similar monitoring sensors installed on private sector information systems." Private sector cooperation, in this context, appears to be synonymous with co-option. The New York Times quotes unnamed government officials protesting that they are not interested in surveillance. They say they just want to find the patterns of behavior that suggest illegal activity. But the draft doesn't specify what kind of data FIDNET would collect or which government or corporate networks it would monitor. Nor does it say how the information FIDNET collects might be made available to law enforcement officials. As for the privacy implication, the draft argues that since Government employees consent to monitoring of their computer activities as a condition of their employment: "the collection of certain data identified as anomalous activity or a suspicious event would not be considered a privacy issue." Civil libertarians object that FIDNET is ill-defined and that its scope is potentially enormous. Worse, it appears to place surveillance at the center of the Government's response to infrastructure threats, threats that might be better countered with less intrusive measures. "The fight over this could make the fight over encryption look like nothing," Georgetown University professor Mary Culnan told the Times. "The conceptual problem is that there are people running this program who don't understand how citizens feel about privacy in cyberspace." Worst of all, in the CDT's view, is the implicit blurring of boundaries between America's corporations and its military. The ultimate beneficiary of FIDNET's activities - of this exercise in private and public sector "cooperation" - appears to be the Department of Defense (DoD). "It seems there already is a DoD contingent detailed to the FBI's NIPC," Dempsey concludes. "The DoD contingent at the NIPC will have access to reports on civilian agency systems."
