Congress worries that .gov monitoring will spy on Americans

WASHINGTON--A new Bush administration plan to capture and analyze traffic on all federal government networks in real time is generating privacy worries from congressional Democrats and Republicans alike.

At a hearing convened here Thursday by the U.S. House of Representatives Homeland Security Committee, politicians directed pointed questions to Department of Homeland Security officials about their plans to expand an existing "intrusion detection" system known as Einstein. Among other things, the system will monitor visits from Americans--and foreigners--visiting .gov Web sites.

Einstein, which DHS calls an "early warning system" for cyber-incidents, is described in a Homeland Security document from September 2004 as "an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government." It's still only in place at 15 federal agencies, but Homeland Security Secretary Michael Chertoff requesting $293.5 million from Congress in next year's budget to roll it out government-wide.

The round-the-clock system captures traffic flow data, which currently includes source and destination IP addresses and ports, Internet Control Message Protocol data, and the length of data packets. According to an internal 2004 privacy impact assessment (PDF), "the program is not intended to collect information that will be retrieved by name or personal identifier." Members of the U.S. Computer Emergency Readiness Team, which coordinates federal responses to cyber attacks, analyze the downloaded records once per day in hopes of detecting worms and other "anomalous activity," pinpointing trends, and advising agencies on how best to configure their systems.

Homeland Security says the setup has helped reduce the time it takes for agencies to share such data from four to five days to four to five hours. The next step is to hire more analysts and enable the analysis to occur in real time, DHS says.

Beyond that, it's not exactly clear what will change, including whether the system will gather more information than before, or what will be done with it. But some politicians said they're already apprehensive about the new plans.

"I encourage you to try to find something beyond Einstein that's going to be focusing on bad guys, not just focusing on the general public but finding some way to protect the privacy of American citizens," said Rep. Paul Broun (R-Ga.).

Rep. Jane Harman (D-Calif.) criticized the department on one hand for treating cyber threats with sufficient urgency--a common refrain from members of both parties ever since the sprawling government agency's inception. But she also questioned the new approach being offered.

"I can assure you constituents of mine listening to this hearing are thinking about this as the government sets up a new spy network," she said. "What would you advise me to tell my constituents (who want to know) how I'm going to stop this latest government spy network?"

Robert Jamison, a Homeland Security undersecretary whose division oversees cybersecurity activities, declined to talk specifics, saying details must be reserved for a classified session.

"We have privacy and civil rights folks involved in this," he said. "We're in the process doing a privacy impact assessment for the new capability as we move forward."

Government agencies are required by law to produce such a report whenever they're planning to use a new technology that could involve collection of personally identifiable information. The goal is to ensure that no information is collected, stored, or accessed either unnecessarily or unlawfully.

The fact that Homeland Security officials are drawing up a new privacy impact assessment for the expansion of the Einstein project would seem to indicate they're considering gathering additional information, although it was unclear after Thursday's hearing whether that's the case.

Jamison, for one, claimed Einstein's new capabilities will be "no different" from those in commercial products used to detect worms or other malware. He indicated, however, that the government has no intention of scaling back the scope of its network monitoring.

"Adversaries are very adept at hiding their attacks in normal traffic--normal, everyday traffic that comes across the network that very well could be disguised and could be malicious," Jamison told the committee.

Einstein is just one part of Homeland Security's attempts to revamp its cybersecurity reputation. It's also working with the Office of Management and Budget on a project that would reduce the number of points at which all federal agency networks connect to the Internet--which right now numbers around 4,000--and thus encounter vulnerabilities from outside their realms.

Whenever a system monitors users' communications, privacy concerns naturally arise, said James Lewis, who runs the technology policy wing of the Center for Strategic and International Studies, a Washington think tank, and is working with members of Congress to devise cybersecurity policy recommendations for the next president. In this case, however, he said he didn't see any reason to be alarmed about Einstein quite yet.

"For Einstein to really affect privacy, you'd need to monitor and collect the communications, store them, and analyze them (e.g. have somebody actually read the content)," he said in an e-mail interview after Thursday's hearing. "I'm told that DHS won't store Einstein data and won't be analyzing it, which greatly reduces any risk to privacy."

Committee leaders warned that they'd be watching closely to see whether the plans pan out.

"It's hard to believe this administration now believes it has the answers to secure our federal networks and critical infrastructure," said Committee Chairman Bennie Thompson (D-Miss.).