
Perspective: Say hello to Big Brother

CNET News.com's Washington Watcher Declan McCullagh explains why the federal centralization of computer security is going to create a near-irresistible temptation for Uncle Sam to start telling American businesses what to do.

WASHINGTON--Like it or not, the proposed Department of Homeland Security firmly establishes Washington's central role in computer and network security.

When approved by Congress, perhaps as early as Monday, the massive new bureaucracy will become--among other things--the nation's clearinghouse for developing plans to prevent electronic attacks, thwart them when they occur and release advisories to the public.

According to the version of the bill approved by the House last week, department analysts will have security clearances and work so closely with the CIA, FBI, National Security Agency and the Defense Intelligence Agency that they'll even share personnel.

The department will mash together five agencies that currently divvy up responsibility for "critical infrastructure protection." Those are the FBI's National Infrastructure Protection Center, the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center.

It's not yet clear whether this is a good idea or a bad idea. It hasn't been debated thoroughly so far. "I doubt more than 10 people in Congress know (what's) in the bill," Rep. Henry Waxman, D-Calif., said last week. And the bill could either increase or decrease existing levels of bureaucratic wrangling. For instance, President Bush's Critical Infrastructure Protection Board is also charged with developing a plan to secure the Internet, which could presage a turf battle between the new department and the White House.

That's one problem that has plagued the FBI's highly touted National Infrastructure Protection Center (NIPC). In a blistering 108-page report released last year, government auditors said the NIPC has become a federal backwater that is surprisingly ineffective in pursuing malicious hackers or devising a plan to shield the Internet from attacks. NIPC representatives weren't able to get agreements from the Defense and Commerce departments on how to share data; the Secret Service pulled agents that had been posted at NIPC; the White House gave NIPC the cold shoulder; and the spy agencies refused to take the upstart seriously.

"We've heard of a lot of bad blood and conflict over the last few years between these organizations," says Will Rodger, director of public policy at the Computer and Communications Industry Association, whose members include AOL Time Warner, Sun Microsystems, Nortel Networks and Oracle. "We're hopeful that when these parties are under the same roof, they can put aside whatever differences they've had."

Washington's centralization of computer security could improve federal agencies' practices--and create a near-irresistible temptation to start telling American businesses what to do. "We right now don't feel that the bill threatens industry," Rodger says. "That said, we're definitely more watchful and definitely more vigilant because we're looking at a government that has taken more power upon itself."

The beltway bureaucracy's recent interest in computer security began in earnest with an executive order that President Clinton signed in May 1998. It created the NIPC and envisioned an "innovative framework for critical infrastructure protection." The denial-of-service attacks in February 2000 piqued more federal attention, and the Sept. 11, 2001, terrorist attacks made aggressive government involvement in computer security a certainty. It's no coincidence that Congress last week awarded $900 million over five years to universities for computer security research.

One little-noticed section of the Department of Homeland Security bill takes this involvement to a new level. It creates a Homeland Security Advanced Research Projects Agency (HSARPA), modeled after the Defense Advanced Research Projects Agency (DARPA), and hands it at least $500 million a year to fund the development of new technologies. According to the bill, HSARPA will "promote revolutionary changes in technologies that would promote homeland security, advance the development (of technologies), and accelerate the prototyping and deployment of technologies that would address homeland vulnerabilities."

What that means is anyone's guess, but one dark possibility is that this effort will link up with the Defense Department's Information Awareness Office, run by former national security adviser John Poindexter, which is reportedly creating large-scale data warehouses to analyze everyday activities like credit card purchases and travel reservations.

One dismaying feature of the Department of Homeland Security is that the final version of the bill partially immunizes the new agency from the Freedom of Information Act (FOIA). Any information businesses give the department that's related to "critical infrastructure"--think details on viruses or operating system vulnerabilities--will not be subject to FOIA. According to the Society of Professional Journalists, this would "hide virtually all information submitted" to the department.

"The question is whether you create an additional exemption for information that could reveal vulnerabilities," says Marc Rotenberg of the Electronic Privacy Information Center. "It's a complicated issue, but FOIA has in the past weighed in favor of openness." Rotenberg points out that the existing FOIA law already allows agencies to withhold information that's proprietary or could endanger national security.

Whether or not you agree with Rotenberg and the journalists' group--and I think they make a good point--the fact that the House Republican leadership inserted this wording in the bill at the last minute without telling anyone is worrisome. The Senate had come up with a reasonable compromise. But House Majority Leader Dick Armey, R-Texas, ditched it at the last minute, gave his colleagues only an hour or two to read a 484-page bill and then prevented anyone from amending the legislation once it came to a vote.

This move comes as the Bush administration is simultaneously increasing government secrecy and reducing Americans' privacy. Let's hope the new department can overcome the dismal circumstance of its birth.