Trade Law Daily is a service of Warren Communications News.

Lawyers Recruited to Fight Terrorist Use of Consumer PCs

SAN FRANCISCO -- Lawyers should enlist to help tell Americans how to protect their PCs against use by terrorists, said a House Homeland Security Committee member. People need to know the “simple steps and not so simple steps” they can take to protect computers, and the American Bar Association’s Science and Technology Law Section should pitch in, Rep. Dan Lungren, R-Calif., told the group’s annual meeting Sunday.

Government and other systems need protection against terrorists, too, Lungren said. “We're trying to go back and do that in the public sector,” he said. “We need to do that in the private sector.” Awareness of the problem is far too low all the way around, Lungren said. The committee will look more closely at how al-Qaeda uses the Internet in coming months, committee General Counsel Jessica Herrera-Flanigan said at a separate conference session.

More heed will be paid the rest of this Congress than in the past to the Federal Information Security Management Act, Herrera-Flanigan said. The law isn’t the solution to securing government systems, but it has helped by focusing attention on the problem, she said.

The Transportation Security and Infrastructure Protection Subcommittee plans fall hearings on information-sharing about infrastructure between business and government, said Herrera-Flanigan. Use of contractors by the Department of Homeland Security and other agencies will be a focus, she said. “The scariest thing to me” is the challenge of trying to guard control systems for utilities and other vital infrastructure, Herrera-Flanigan said. Phone system vulnerabilities readily can be turned into cyberattacks, she said.

Lungren gave a qualified endorsement of the performance of the Department of Homeland Security’s only two secretaries. Incumbent Michael Chertoff never had run an operation on that scale before, he said. But “right now, Chertoff has got more than his sea legs,” Lungren said. “He’s got control of that department,” with the benefit of “a good team.” Predecessor Thomas Ridge “did a good job, but finally after a few years I think we needed a new push,” he said.

Herrera-Flanigan was more detailed and less kind in her assessment of department performance on data security. She enumerated worries about the breadth of access to the National Asset Database of potential terrorism targets and to the Terrorist Screening Center watch list, theft from headquarters of a Transportation Security Agency hard drive containing the most financially sensitive information on employees, perhaps even undercover federal air marshals, the printing of Social Security numbers on the envelopes in a Federal Emergency Management Agency mailing to all employees -- and just since July a General Accounting Office report on the ease with which outsiders manipulated information in the US-VISIT database on foreign visitors, and concerns in the department and Congress about whether to keep the supplier of troublesome software in the Secure Border Initiative. And “these are just the incidents we are hearing about,” Herrera-Flanigan said.

The breaches not only hurt morale, where TSA already had problems, Herrera-Flanigan said, but they cost money. In the FEMA case, a year of credit-report monitoring for all workers cost $250,000, a measure also applied to TSA, she said.

Turning to cybersecurity research and development, Herrera-Flanigan said the Homeland Security Department should work more closely with companies, think tanks and academics. The agency has been “trying to recreate the wheel with respect to technology,” she said.

With the Bush era winding down, by next year many senior department officials will leave, Herrera-Flanigan said. With the turnover, “we may see a revisiting of what was discussed a few years ago” in the way of putting strict information-security standards in federal contracts and perhaps banning contractors for noncompliance, she said. A congressional push toward that goal a few years ago was stopped by “pushback” from contractors and disagreement in the security industry about which standards to use, so voluntary efforts have been the focus, Herrera-Flanigan said.

In a new law implementing recommendations by the Sept. 11 commission, Sen. Joseph Lieberman, I-Conn., succeeded in keeping voluntary the certification and accreditation of companies as properly prepared in information security, Herrera-Flanigan said. But “as lawyers we know what ‘voluntary’ really means” when it comes to civil liability, she said.

American Bar Association Notebook…

Congress will “make some substantial changes to what we passed” in the Foreign Intelligence Surveillance Act bill this month, said Rep. Ed Perlmutter, D-Colo., a member of the House Homeland Security Committee. When the new law sunsets in six months, lawmakers will “put the courts back into play more than they are” in overseeing electronic communications eavesdropping, he said Sunday at the American Bar Association conference in San Francisco. Perlmutter said he opposed the FISA bill because “it violated several provisions of the Bill of Rights.” There was a “full-court press by the Administration to push through a substantial expansion” of its eavesdropping powers “in the waning days” before the August congressional recess, he said. Lawmakers had little chance to study this “big piece of legislation that was really read on the House floor,” Perlmutter said. Even a failed Democratic proposal “pushed up against the Fourth Amendment in my opinion and maybe even over -- but less so than the Republicans'” successful measure, he said. Rep. Dan Lungren, R-Calif., said a crucial change allows warrantless eavesdropping on foreign intelligence targets to include communications with people in the U.S. “We were losing a huge amount of information” because this wasn’t allowed under a January ruling by a FISA judge, even though many of the messages would have been subject to surveillance because they used to go by way of satellites, he said. Lungren said he was persuaded to support the bill by the importance of this information, the nonpartisan professional record of Director of National Intelligence Mike McConnell and knowing that “the amount of chatter internationally with respect to terrorist operations has increased dramatically” of late. The committee works cooperatively across party lines, Perlmutter said. Though he and Lungren disagreed about the FISA legislation, Perlmutter said, he trusted Lungren to explain what McConnell was talking about in a briefing. 
“I didn’t understand half his terminology,” Perlmutter said of McConnell. “He was talking all around the subject.”

----

The Department of Homeland Security spent 2006 fixing nearly half of the 200-plus information technology issues auditor KPMG had tagged in 2005, but in 2006 KPMG found 150 new problems, the auditor told the department’s inspector general in a report aired Monday. KPMG found “incomplete or inadequate” policies on computer incident response at four agencies within the department; improper background checks of contractors working on information technology systems at three agency components; and noncompliance with department computer security awareness training rules or specialized training policies at three components. Passwords for financial-data servers and databases were “missing and weak” in a “large number of instances” at six agency components; “inappropriate authorizations and excessive user access privileges” were found in several places at nine components; and workstations, servers and network devices lacked needed security patches or proper security configurations at five components. Access to operating system software was limited improperly or completely open at six components and changes to “sensitive” settings weren’t always documented, KPMG said. Application controls had weak or expired passwords, outdated user accounts and overly broad access privileges at nine agency components. KPMG said many of the problems were inherited from agencies merged to create the department. It said the problem areas “did not incorporate strong security controls from the outset and will take several years to fully address.”