U.S. backs off private monitoring

With criticism rolling in from all quarters, U.S. government officials on Wednesday backed away from a controversial plan to monitor private-sector networks for hacking activity.

The proposed Federal Intrusion Detection Network (FIDNET) plan, details of which were revealed by the New York Times Wednesday, has been in the works for at least a year, a National Security Council spokesman told ZDNN. The proposal for the government to monitor critical systems for security breaches arose out of concerns about the growing vulnerability of government computer networks and sensitive private-sector networks to hackers, the spokesman said. (The NSC advises the president on national security issues.)

But in spite of indications in a government document on the plan obtained by the Center for Democracy and Technology -- which indicates that private networks would also be watched -- the NSC spokesman denied that there is any plan for the surveillance of private online data.

The document outlining details of the plan says the FIDNET monitoring system would cover "critical government and ultimately private-sector information." Information gathered about network security breaches within one of the plan's three "pillars" -- the Department of Defence computer network, other federal networks and private sector networks -- "would also be shared with the other two pillars," according to the document.

The document coalesces with comments made by Jeffrey Hunker, senior director for critical infrastructure at the National Security Council, at the Black Hat Security Conference in Las Vegas earlier this month. "We depend on systems that were never meant to protect data from an organized threat," he told ZDNN. "The truth of the matter is that you all [the industry] own the systems that are going to be the target. It is not the federal government systems."

However, in an interview with ZDNN, Jim Dempsey, senior staff counsel at CDT, said: "We feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in," Jim Dempsey, senior staff counsel at CDT, said in an interview. In spite of assurances from government officials that any monitoring would be largely automated, somewhere down the line a person would have to step into the process, Dempsey said -- and this is where such a system could be abused.

The government document detailing the plan acknowledges that "trained, experienced analysts" will have to step in to determine the nature of any suspected security breaches.

But the NSC spokesman said the government does not plan to monitor private networks or read e-mail messages, but rather to "look for anomalous activities" such as evidence of denial of service attacks on military and other government networks. This was little comfort to civil libertarians and other high-tech industry watchers, who blasted the plan as an Orwellian attack on privacy. "I think this is a very frightening proposal," said Barry Steinhardt, associate director of the American Civil Liberties Union, in an interview. "The FBI has abused its power in the past to spy on political dissenters. This type of system is ripe for abuse," Steinhardt said.

"I think the threats (of network vulnerability) are completely overblown," said David Sobel, general counsel at the Electronic Privacy Information Center, in an interview. The perceived security threat is leading to "a Cold War mentality" that threatens ordinary citizens' privacy, Sobel said.

"The most serious concern about this is that it could move us closer to a surveillance society," said Ed Black, president of the Computer and Communications Industry Association, in an interview. "It's critical that if they do this, they should not retain any of the information that is gathered."