When approved by Congress, perhaps as early as Monday, the massive new bureaucracy will become--among other things--the nation's clearinghouse for developing plans to prevent electronic attacks, thwart them when they occur and release advisories to the public.
According to the version of the bill approved by the House last week, department analysts will have security clearances and work so closely with the CIA, FBI, National Security Agency and the Defense Intelligence Agency that they'll even share personnel.
The department will mash together five agencies that currently divvy up responsibility for "critical infrastructure protection." Those are the FBI's National Infrastructure Protection Center, the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center.
It's not yet clear whether this is a good idea or a bad idea. It hasn't been debated thoroughly so far. "I doubt more than 10 people in Congress know (what's) in the bill," Rep. Henry Waxman, D-Calif., said last week. And the bill could either increase or decrease existing levels of bureaucratic wrangling. For instance, President Bush's Critical Infrastructure Protection Board is also charged with developing a plan to secure the Internet, which could presage a turf battle between the new department and the White House.
"We've heard of a lot of bad blood and conflict over the last few years between these organizations," says Will Rodger, director of public policy at the Computer and Communications Industry Association, whose members include AOL Time Warner, Sun Microsystems, Nortel Networks and Oracle. "We're hopeful that when these parties are under the same roof, they can put aside whatever differences they've had."
Washington's centralization of computer security could improve federal agencies' practices--and create a near-irresistible temptation to start telling American businesses what to do. "We right now don't feel that the bill threatens industry," Rodger says. "That said, we're definitely more watchful and definitely more vigilant because we're looking at a government that has taken more power upon itself."
The beltway bureaucracy's recent interest in computer security began in earnest with an executive order that President Clinton signed in May 1998. It created the NIPC and envisioned an "innovative framework for critical infrastructure protection." The denial-of-service attacks in February 2000 piqued more federal attention, and the Sept. 11, 2001, terrorist attacks made aggressive government involvement in computer security a certainty. It's no coincidence that Congress last week approved $900 million over five years to universities for computer security research.
One little-noticed section of the Department of Homeland Security bill takes this involvement to a new level. It creates a Homeland Security Advanced Research Projects Agency (HSARPA), modeled after the Defense Advanced Research Projects Agency (DARPA), and hands it at least $500 million a year to fund the development of new technologies. According to the bill, HSARPA will "promote revolutionary changes in technologies that would promote homeland security, advance the development (of technologies), and accelerate the prototyping and deployment of technologies that would address homeland vulnerabilities."
What that means is anyone's guess, but one dark possibility is that this effort will link up with the Defense Department's Information Awareness Office, run by former national security adviser John Poindexter, which is reportedly creating large-scale data warehouses to analyze everyday activities like credit card purchases and travel reservations.
One dismaying feature of the Department of Homeland Security is that the final version of the bill partially immunizes the new agency from the Freedom of Information Act (FOIA). Any information businesses give the department that's related to "critical infrastructure"--think details on viruses or operating system vulnerabilities--will not be subject to FOIA. According to the Society of Professional Journalists, this would "hide virtually all information submitted" to the department.
"The question is whether you create an additional exemption for information that could reveal vulnerabilities," says Marc Rotenberg of the Electronic Privacy Information Center. "It's a complicated issue, but FOIA has in the past weighed in favor of openness." Rotenberg points out that the existing FOIA law already allows agencies to withhold information that's proprietary or could endanger national security.
Whether or not you agree with Rotenberg and the journalists' group--and I think they make a good point--the fact that the House Republican leadership inserted this wording in the bill at the last minute without telling anyone is worrisome. The Senate had come up with a reasonable compromise. But House Majority Leader Dick Armey, R-Texas, ditched it at the last minute, gave his colleagues only an hour or two to read a 484-page bill and then prevented anyone from amending the legislation once it came to a vote.
This move comes as the Bush administration is simultaneously increasing government secrecy and reducing Americans' privacy. Let's hope the new department can overcome the dismal circumstance of its birth.