NextGov
Tech Insider
What's happening in the federal IT community

Homeland Security

Security vs. Privacy? It Need Not Be So
By Bruce McConnell  |  Wednesday, May 14, 2008 |  10:15 PM

Fifteen years ago, cartoonist Peter Steiner drew two dogs sitting in front of a computer, one saying to the other, "On the Internet, nobody knows you're a dog." This iconic adage, cute in its day, is now a warning.

Criminal, terrorist and nation-state cyberattacks against banks, technology companies, online merchants, individuals and government agencies cost the U.S. economy $400 billion annually. They focus most often on stealing business and military secrets and personal data.

In cyberspace, not knowing for sure what person or device is on the other end of the line has serious downsides. It erodes overall trust, limits users' ability to secure their own systems, hinders effective governmental response, and causes organizations to collect more personal data than they really need.



What's TSA's Definition of a Security Threat?
By Allan Holmes  |  Tuesday, May 13, 2008 |  1:01 PM

The New York Times reported today that the Transportation Security Administration sent a letter to at least four graduate students at MIT informing them that the agency turned down their request for an identification card to work at the nation’s ports. The letters noted the students were “security threats.”

The students had applied for a so-called Transportation Worker Identification Credential, or TWIC, card, a program the federal government created after 9/11 to tighten security at the nation’s ports. The deployment of TWIC has been delayed for months for numerous reasons.

The Times article cites two cases, one involving a German student, the other a British student. In the rejection letters, John Busch, who is identified as a security administration official, wrote, “I have determined that you pose a security threat.”



Air Marshals on Terrorist No Fly List?
By Robert Charette  |  Friday, May 2, 2008 |  12:16 PM

The Washington Times is reporting that Sen. Russ Feingold, D-Wis., wants to know "why federal air marshals (FAMs) were prevented from boarding some flights because their names matched those on the terrorist no-fly list, and whether the problem has been solved."

The Times ran a story yesterday that said the problem has persisted for years, but it wasn't until April 23 that a new security directive was released "to address those situations where air carriers deny FAMs boarding based on 'no-fly list' names matches."

"Glad" to see that the government takes as long to address the problems of air marshals as the general public.

If this is all true, this is just too dumb for words.



The Hacker Economy (1)
By Bruce McConnell  |  Friday, April 18, 2008 |  9:29 AM

Last week at the RSA Security Conference, several interesting workshops explored aspects of criminal hacking. One of them, conducted by Charlie Miller, examined the incentives for finding and disclosing vulnerabilities in enterprise software.

Imagine you are a Romanian software engineer with time on your hands, and you are able to find an unpatched vulnerability in an enterprise software program. The good news is that you can sell the information about the vulnerability for several times your monthly salary.

The bad news, for almost everyone else, is that you can get much more for it on the black market than from the two other legitimate buyers. Neither the manufacturer nor legitimate firms such as iDefense and Tipping Point, who package vulnerabilities for testing use by corporate computer security departments, will pay as much.

Tipping Point's Zero Day Initiative encourages vendors to patch their software via transparency. One of the pages, Upcoming Advisories, provides a list of known, unpatched vulnerabilities from major vendors. The vendors have been notified but have not issued a patch.

A recent look showed 34 "high severity" vulnerabilities that have been pending for over 8 months on average since Tipping Point notified the vendors. Obviously, room for improvement! We'll talk more about why vendors are slow in a later post.



At War, In Secret
By Bruce McConnell  |  Thursday, March 20, 2008 |  5:00 PM

According to senior officials inside and outside the national security establishment, the Nation is at war in cyberspace.

This war, like many things in cyberspace, confounds traditional boundaries. It is occurring in part on U.S. soil, where many of the attacked public and private sector computers are located. While some attacks are coming from foreign powers, others are from terrorist groups, and still others come from organized crime. Often the identity and intent of the attackers is unclear.

As Samuel Adams said in 1768, “Even when there is a necessity of military power, within the land . . . a wise and prudent people will always have a watchful & jealous eye over it.” Indeed, it is longstanding policy in this country that the military not be used to enforce the law on U.S. soil, except in major emergencies. This division between national security and civilian law enforcement activities is maintained in electronic surveillance as well. It colors the current FISA extension debate.

Few observers believe these divisions work in cyberspace. Yet there is no clear vision of how to proceed while guarding the underlying principles. For that reason, this matter deserves a considered public conversation. While a national cyber security initiative is necessary and timely, the secrecy surrounding the Administration’s program does not serve the Nation's long term interest.

Former Defense Secretary Robert McNamara said, speaking of Vietnam, "We failed to draw Congress and the American people into a full and frank discussion and debate of the pros and cons of a large-scale military involvement . . . before we initiated the action." We still have the opportunity to avoid that mistake in cyberspace.



IPv6, Yesterday's News?
By Mary Ellen Condon  |  Sunday, March 16, 2008 |  10:45 PM

Is IPv6 yesterday's news? Or is it? Are organizations integrating the functionality promised by IPv6 into the infrastructure of the organization? What is the level of commitment to incorporating the functionality of IPv6 to provide the enhanced security and information protection that is necessary as information sharing and information dissemination become the norm?

Is the there, there to obtain the long term focus to transition an organization from IPv4 to IPv6?
Has your organization started the journey?



Garbage in, Garbage Out
By Allan Holmes  |  Thursday, March 13, 2008 |  5:12 PM

In an editorial in the New York Times Thursday, the paper calls the 2007 Secure America Through Verification and Enforcement Act "a bad idea compounded by the notoriously bad state of federal government records."

The act would, among other things, "force all workers, including citizens, to prove they have a right to earn a living," by relying on the Social Security Administration to verify Social Security numbers for workers, the paper contends. The problem is that one SSA database has a 4 percent error rate, which would mean possibly thousands of workers would face firings and discrimination.

Other federal databases contain errors. The inspector general at the Justice Department reported last year that the Terrorist Watch List, which is used to screen 270 million people a month to identify possible terrorists, has a large error rate. "In an examination of 105 records, for example, the auditors found that 38 percent of the records contained errors or inconsistencies that the [Terrorist Screening Center's] own quality-assurance efforts had not found," according to a Washington Post article.

As the federal government relies more on information technology to support critical decisions, the importance of how clean its data is rises.

How confident are you that your data is error free?



TSA: Give Us a Better Laptop Tote
By Allan Holmes  |  Tuesday, March 4, 2008 |  3:40 PM

If you've ever gone through airport security with a laptop (and one-quarter of the flying public does), you'll know just how stressful it is trying to juggle your overcoat, briefcase and shoes while trying to pull your laptop out of its carrying case to place it in one of those gray plastic bins. It seems the Transportation Security Administration feels our pain. The agency has issued a request for information asking industry to come up with its best ideas for laptop cases that would allow TSA to scan the guts of the laptop while still in its carrying bag, according to an article posted by Government Security News. TSA's reasoning for the new bag:

If TSA was able to eliminate this requirement, it could lower passenger stress levels, increase checkpoint throughput, and reduce the number of claims TSA receives for laptops that have been damaged during screening.

It's not as easy as it sounds. TSA will not allow any zippers, pockets, clips, pens, cell phones or other paraphernalia we all stuff into laptop bag pockets to block the X-rays from viewing the inside of the laptop.

Industry has until April 17 to respond.



Cybersecurity Leak Personal for Grimes
Tuesday, March 4, 2008 |  1:32 PM

Revealing some of the inside frustration that comes with leaks to the press, John Grimes, chief information officer and assistant secretary of networks and information infrastructure at the Defense Department, said a “disloyal” person was to blame for disclosing information about President Bush’s Cyber Initiative, reportedly totaling several billion dollars.

It was unclear whether the disloyal individual Grimes referred to in his morning session at the Information Processing Interagency Conference was the person inside government that leaked the information or the reporter with The Wall Street Journal that decided to run with the story. Regardless, he seemed to take personally the release of details on the White House cybersecurity directive signed by President Bush in January.

“We did not want this public until we got [various issues] resolved,” including those relating to privacy, Grimes said, referencing the numerous hearings that have been scheduled since the story broke. Each hearing requires executives at Defense, the departments of Homeland Security and State, and the Office of National Intelligence to prepare to testify.

“This comes down to political [culture] of decisions,” Grimes said. “Whether an attack is an act of war or criminal -- who makes that decision?”

Reports from news outlets seem to have prompted the release of some details – though not many – about the cybersecurity initiative. Most recently, DHS secretary Michael Chertoff released remarks made to a roundtable of bloggers.

"We are beginning our cyberstrategy," he said. "That will not be done this year, but I'm hoping we can get it, a cybercenter, up and running, and have a full set of plans and a funding budget to move forward over the next several years to get to the next level of cybersecurity."



TSA's Delete-O-Meter
By Allan Holmes  |  Thursday, February 28, 2008 |  5:19 PM

The following item was posted by Anne Laurent, former executive editor of Government Executive magazine.

The folks over at Evolution of Security, the Transportation Security Administration's new blog, want you to know just how much nasty language and how many mean-spirited attacks they've suffered through. So, starting today, they've added a ticker showing how many posts to the blog its moderator has decided not to let see the light of day. The meter stood at 105 on opening day and will be updated weekly.

Just beneath it on the blog appears a link to the evil doing that will get you blocked, such things as personal attacks, profanity and threats, of course, but also long embedded URL strings, sensitive information and the ever pesky off-topic comment. Author "Glen" says that other than the proscribed topics, "all's fair in love and blogging."

In truth, Evolution of Security isn't bad for government work. One post details the story of the priest with razor blades in his Bible and others reveal the growing presence of security "zip lanes" that allow travelers with only carry-ons that will fit under the seat to "zip on through." What's more, TSA fearlessly links to Schneier on Security, the blog of security guru and self-proclaimed curmudgeon Bruce Schneier, as well as to Homeland Security Watch, neither of which is always complimentary.



The Cyber Jihad
By Allan Holmes  |  Friday, February 15, 2008 |  4:09 PM

It's no secret that terrorists use the Internet to communicate, but the use is becoming more sophisticated, according to Jeff Bardin, a blogger for CSO online. Bardin, who worked for the National Security Agency and served as a chief security information officer for several private corporations, recently downloaded the Mujahedeen Secrets 2 Program (بـرنـامـج // أســرار المجاهـديـن) and wrote in his blog:

This toolset provides groups like Al-Qaw-eda methods to securely transmit and wipe their files. Not that they haven’t had such tools in the past, but a second edition toolset demonstrates a software development lifecycle with some level of sophistication and planning.

Bardin said a look at the tool set -- which contains automatic (instantaneous-instant) message/messaging encryption/authentication and file encryption, as well as code signing and checking (digital signature creation/checking) and file shredding -- "reinforced [his] decision that the cyber jihad is ongoing and continuous."

Bardin wrote that Secrets 2 was easy to find, and that this comment from ‘alHambra’ was posted on the download site:

Mujahedeen Secrets #2 (Encryption Program) has been released today, and i just took a short look at it, but it is really a vast improvement compared to the first version, and seems like a really nice encryption program now. here's post and downloadinfo...


Today's House FISMA Hearing (HR 4791)
By Ari Schwartz  |  Thursday, February 14, 2008 |  3:52 PM

Kudos to fellow blogger Bruce McConnell on his testimony, which raises legitimate procedural questions about National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 on cybersecurity. He also calls for a more detailed review of the Privacy Act.



FBI Cheers the Mountaineers
Thursday, February 7, 2008 |  11:01 AM

The Federal Bureau of Investigation is teaming up with West Virginia University in national security efforts using biometric technology. According to a press announcement released yesterday, WVU will serve as the academic arm of the FBI's Biometric Center of Excellence, providing biometrics research support to the FBI and its law enforcement and national security partners.

The center will coordinate biometric and identity management activities within the FBI and partner with other U.S. government agencies to develop and train users on biometric technologies and systems. The goal is to leverage biometric technology in the fight against terrorism and intelligence efforts.

Thomas Bush, assistant director of the FBI's Criminal Justice Information Services Division, credited WVU as having "comprehensive, integrative research and education programs in biometrics," and being known around the world for identification technology research. Perhaps. But there's much to say about the value of proximity -- Clarksburg is home to the Criminal Justice Information Services Division, and Fairmont hosts the Internet Crime Complaint Center.

One has to also wonder how much of a role Sen. Byrd, D-WV, played in the decision, too. The FBI has Byrd to thank for driving the construction of a new Biometrics Fusion Center building at the Harrison County campus, with the addition of $7 million to the fiscal year 2006 Defense Appropriations bill signed into law. He also secured more than $141 million to launch and expand Defense's own biometrics initiatives, which of course contribute to FBI's efforts.

Of course, what came first, the chicken or the egg? Did Byrd's support of FBI efforts come because of its presence in West Virginia, or did the FBI's presence in West Virginia grow with support from Byrd? No doubt state government doesn't much care. This is not to discredit WVU contributions in the area of biometrics. Its National Science Foundation Center for Identification Technology Research teams up with other universities to drive research, which had earned praise in and outside federal government.



As if REAL ID Weren't Enough
Friday, February 1, 2008 |  5:23 PM

States' motor vehicle departments may be in for a treat: Incorporating a national standard for screening applicants in state and federal sex offender registries before issuing driver’s licenses.

The Government Accountability Office released results of a study this week that looked at the impact that such a requirement would have on states, noting that while 22 states use some form of driver’s license-related process to encourage registration or provide additional monitoring of convicted sex offenders, none have screening processes that compare driver’s license applicants’ information against both the state’s sex offender registry and the FBI’s national registry.

The Adam Walsh Child Protection and Safety Act of 2006 requires states to collect information about resident sex offenders and submit that information to the attorney general for inclusion in the National Sex Offender Registry (NSOR), maintained by the FBI. Most states’ sex offender registries are centrally maintained by a state criminal justice agency and need to be routinely updated – a challenge because sex offenders move and fail to comply with self-reporting requirements. Screening individuals against a state’s sex offender registry database when applying for or renewing a driver’s license would help solve that problem.

Fair enough, but what kind of burden does that place on states? A substantial one, according to the study. Most of the motor vehicle agencies in the 26 states surveyed said that “moderate to major modifications” to current IT systems would be needed, with major expense accrued from changes to software in particular. Officials in one state said that seven of the motor vehicle agency’s interrelated systems would need extensive software modifications, and officials in another state said that the types of software used to issue different types of licenses and collect fees are governed by complex rules and procedures – all of which would be impacted by additional screening processes.

So, just as state governments and their motor vehicle departments try to comply with the just released REAL ID requirements, yet another expensive, complex and controversial process requirement has been placed on the table. At least they know what they may be in for.



An IT Budget Guess for Border Security
Thursday, January 31, 2008 |  2:54 PM

The Homeland Security Department announced today that the president’s budget, scheduled for release Monday, will include $12.14 billion for border security and immigration and enforcement efforts. But the details on IT are sparse.

According to the press release, $775 million will go toward secure border fencing, infrastructure and technology contributing to the Secure Border Initiative, or SBI, and $100 million will support the expanded use of E-Verify, DHS’ automated system employers use to confirm the employment eligibility of new hires. The department expects E-Verify participation to increase from about 50,000 employers now to more than 100,000 this year, and 300,000 in fiscal year 2009, according to the release.

DHS also announced that $442.4 million will go toward additional border patrol agents, $3 billion to enforcement activities by the Immigration and Customs Enforcement, and $1.8 billion to additional detention beds.

DHS officials gave no specifics of what those budget allocations will involve and whether any funds will go toward supporting IT efforts, but that doesn’t mean industry can’t provide some guesses. Ray Bjorklund, senior vice president and chief knowledge officer at FedSources, a federal research and marketing firm in McLean, Va., chimed in on the percent of funds he expects to go toward IT products and services:

  • $775 million for secure border fencing, infrastructure and technology under SBI in fiscal 2009: 5 percent
  • $442.4 million for additional border patrol agents: 0 percent
  • $3 billion for enforcement activities: 2 percent
  • $1.8 billion for ICE custody operations: 0 percent
  • $100 million for E-Verify: 50 percent

Will the overall budget bring far bigger numbers for DHS IT efforts? One can only hope.



Changes for FirstSource?
Friday, January 18, 2008 |  1:10 PM

The Homeland Security Department may be considering some changes to FirstSource, its indefinite delivery, indefinite quantity small business contract for purchasing of commodity IT goods.

The contracting vehicle, which complements the Enterprise Acquisition Gateway for Leading Edge Solutions (EAGLE) contract for acquiring IT services solutions, was awarded to 11 businesses in February 2007 and is worth up to $3 billion if all options are exercised. So far, FirstSource has more than $380 million in pending and awarded orders.

Despite all the money funneling through, the contract has had its fair share of critics, largely due to the inclusion of joint ventures. Small businesses with fewer than 150 employees were eligible to bid FirstSource, but under the rules of the Small Business Administration's 8(a) Mentor-Protégé program, a joint venture between a small business (the protégé) and a large company (the mentor) qualifies as a small business as long as the protégé firm meets the size requirements. In theory, the program was developed to provide small businesses with guidance and direction, encouraging small-business growth.

Three joint ventures were awarded FirstSource contracts:

-- EG Solutions, a joint venture between Alaska-based Eyak Technology (fewer than 150 employees) and Chantilly, Va.-based GTSI (700 employees, and 2007 revenue of about $850 million)
-- ST Net Apptis, a joint venture between Gaithersburg, Md.-based St Net Inc. (about 20 employees) and Chantilly, Va.-based Apptis (1,500 employees and 2006 revenue of about $700 million)
-- MultimaxArray, a joint venture between Greenbelt, Md.-based Array Information Technology (fewer than 150 employees) and Herndon, Va.-based Multimax (more than 1,000 employees)

In June 2007, Multimax was acquired by Harris, who reported $4.2 billion in revenue in 2007.

A source close to the contract who asked not to be named said that the presence of those three joint ventures has left a bad taste in the mouths not only of their competing small businesses, but also of DHS contracting officers, driving a decision to reevaluate the contract and consider some restructuring.

Why? Multiple sources on the contract claim that the protégé companies are doing little to none of the work under FirstSource, while their mentor counterparts provide the bulk of fulfillment and claim the majority of dollars.

It’s true that in many cases, contracts awarded under FirstSource are awarded directly to the large business. This is technically in violation of the rules, as the joint venture company holds the contract, not the mentor company alone. In January, for example, Nampa, Idaho-based MPC Computers, a wholly-owned subsidiary of MPC Corporation, announced that it will team up with “prime contractor Apptis” to fulfill a multi-year contract to supply desktop and notebook PCs to the U.S. Coast Guard, under DHS’ FirstSource contract. There was no mention of St Net or even St Net Apptis.

Regardless of whether or not joint ventures keep in the spirit of the small business program, a lot of speculation is swirling about what DHS may or may not do to adjust FirstSource requirements. A DHS representative said that, at this time, there are no plans to re-compete FirstSource and provided no other information.

SBA, on the other hand, all but verified changes, stating in an email that "there is nothing that requires DHS to exercise a contract option,” once the current contract expires in February 2009, and that “the new contract we are told will still be set-aside for small business with ‘expanded’ small business categories.”

While vague, mention of a new contract with different small business standards certainly supports claims that a change may be in the works. SBA directed all further inquiries to DHS, who remains mum.

Read more about concerns associated with joint ventures at GovernmentVAR.



For McConnell, Security Trumps Privacy
By Allan Holmes  |  Tuesday, January 15, 2008 |  5:26 PM

Privacy and security have always been a tug-of-war issue: The argument is you have to give up some privacy to get some security. Mike McConnell, the director of national intelligence, is working on a cybersecurity plan that would ask Americans to give up a lot of privacy to get their security, according to a New Yorker article. (Subscription required.)

The proposal that is getting the most attention is giving the government the ability to search "the content of any email, file transfer or web search," according to an article on vnunet.com.

According to that article, the New Yorker author, Lawrence Wright:

suggested that this kind of monitoring is already going on. He spoke to an AT&T employee, Mark Klein, who claimed that he installed data switching systems in the company's exchange that copied all internet traffic to the National Security Agency.

"I know that whatever went across those cables was copied and the entire data stream was copied," said Klein. "We are talking about domestic as well as international traffic."

He added that previous claims by the Bush administration that only international communications were being intercepted are not accurate.



DHS Confirms Four Leaders
Friday, December 21, 2007 |  11:28 AM

It's official: The Senate confirmed four new leaders at the Homeland Security Department last night, one of whom could play a key role in cybersecurity efforts.

Robert Jamison was appointed under secretary for the National Protection & Programs Directorate. The office is charged with minimizing the department's risk through an integrated approach of physical and virtual threats. Previously, Jamison served as deputy administrator of the Federal Transit Administration, leading a transit security program and Lower Manhattan transportation recovery operation, which was established after 9/11.

Other confirmations included Julie Myers as assistant secretary of the U.S. Immigration and Customs Enforcement (ICE), Jeffrey Runge as chief medical officer and assistant secretary for the Office of Health Affairs, and Ross Ashley as assistant administrator of the Federal Emergency Management Agency.

DHS Secretary Michael Chertoff released a statement on the confirmations this morning.



Predict What's Going to Happen in 2008
By Allan Holmes  |  Wednesday, December 12, 2007 |  2:52 PM

We think you, the technology manager in the federal government and industry, have a pretty good insight into just what are the hot issues and events that will unfold in 2008 for the federal IT market. Over the past few weeks we've invited you to take an online survey to let us know what you think; we just want to take this opportunity to invite you to take the survey again, if you haven’t.

We are conducting the survey in conjunction with our friends at Government Futures, which is also offering readers a chance to place bets on what’s going to happen in the federal IT community using the prediction markets on Government Futures' Web site.

If you have taken the survey and placed your bets, thank you. If you haven't, please visit the site and give us your opinions. The questions cover a number of hot areas, including information security, the next-generation Internet and federal information technology spending.

In January, we’ll host a webinar to discuss the results of the survey and present an analysis of the predictions.

In the December issue of Government Executive, we discuss some trends that IT experts told us would be important. Now, we want your opinion. So, please take the survey and join the government futures market to help us figure it out.



The Do-It-Yourself SBInet
By Bob Brewin  |  Wednesday, December 5, 2007 |  11:39 AM

A group called Techno Patriots in Southern Arizona has set up its own version of the Department of Homeland Security’s Secure Border Initiative Network, called SBInet, replete with wireless cameras. The group says its do-it-yourself version has a better response time than the problem-plagued Boeing-built DHS system, according to an article in the Sierra-Vista, Ariz., Herald.

Techno Patriots, which describes itself on its Web site as “basically a high tech Neighborhood Watch group on the border,” said it has installed a commercial grade wireless Internet infrastructure in Cochise County, Ariz., the most highly trafficked smuggling area in the United States.

The group said it has installed video cameras on this infrastructure, which are then monitored by its members, who keep an eye out for illegal immigrants. Techno Patriots said it can easily shift the cameras from one location to another and intends to eventually operate the system 365 days a year.

John Healy, the group’s director, told the Herald that the cameras used by Techno Patriots can be controlled remotely with a joystick, with only a two- to five-second delay from joystick touch to camera movement, compared to a 30- to 40-second delay for the SBInet cameras.

Techno Patriots may have some pretty nifty camera technology, but its Web site needs some work. I tried to use the “Contact Us” page to send an email to the group, only to receive a dreaded HTTP 404 “page not found” message.



'Making as Many Problems as We're Solving'
Thursday, November 15, 2007 |  4:13 PM

“[A breach in] cybersecurity will be the next Pearl Harbor.” While not original (Win Schwartau, president of security consulting firm Interpact Inc., claims to have coined the phrase "electronic Pearl Harbor" more than 10 years ago), that’s what former Sen. Sam Nunn, D-Ga., said during a media dinner in D.C. last night. "We’re making as many problems as we are solving,” as vulnerabilities proliferate and hackers reverse-engineer patches released by vendors like Microsoft to enable access to the network. That leaves government vulnerable and to some degree unaware of the impending danger, until an attack serves as a wakeup call, he said, not unlike the infamous bombing during World War II. What should the government be doing? Nunn didn’t claim to know. He was just as elusive on another subject: a potential run for the White House in 2008, saying only that if it did happen, he’d run as an Independent candidate.



Why Bother?
By Allan Holmes  |  Wednesday, October 31, 2007 |  11:54 AM

Sometimes it's hard to get a grasp on just how well the federal government is doing in securing the nation against possible terrorist attacks. After all, such information is generously stamped as not for public release because of national security reasons.

That means Americans frequently get a watered-down account of the government's performance when it comes to security. Sometimes very watered down. Consider this report that the inspector general at the Homeland Security Department posted this month. The report, if you can call it that, has to leave the public wondering why the department even bothered to waste resources to print it and store it on its Web site.

The report, with the title “A Review of Homeland Security Activities Along a Segment of the Michigan-Canadian Border (Unclassified Summary),” is a spine-straining three pages long. That includes the title page and the back page, on which is printed the boilerplate end-of-report information on how to request additional reports.

That leaves one page for the five-paragraph “Unclassified Summary,” three paragraphs of which are devoted to the report's objective and how the IG conducted the review. The last two (short) paragraphs present the IG's findings and recommendations:

We identified several concerns regarding the integration and dissemination of intelligence, the protection of critical infrastructure/key resources, local targeting capabilities, the extent of local performance measures, and the need for additional technological resources.

We are recommending that DHS increase its local intelligence presence; better coordinate the funding of protective measures for critical infrastructure/key resources; introduce additional standard operating procedures at the ports of entry; and deploy additional technological resources along the border. DHS is already taking steps toward remedying some of these issues in response to concerns that were raised during the course of our review.

Ignorance is bliss, they say.

Link  | Comments [1]


Boeing Selects SBInet Sensor Vendor
By Bob Brewin  |  Friday, October 19, 2007 |  3:43 PM

McQ Inc. said Boeing has selected it to provide a family of unattended sensors for the Homeland Security Department’s electronic border fence project, called the Secure Border Initiative Network (SBInet). McQ has a basic ordering agreement to provide unattended acoustic, magnetic and infrared sensors, according to contract information posted on Boeing’s online SBInet Toolbox contract page.

This summer, the Army Research Lab selected McQ’s unattended ground sensors as one of 10 “greatest inventions” of 2006.

In a related development, the House Homeland Security Committee plans to hold a hearing on the troubled SBInet project Oct. 24. DHS Secretary Michael Chertoff threatened last month to withhold payments on SBInet until Boeing fixes problems on a 28-mile pilot project in Arizona. “I'm not going to buy something with U.S. government money unless I'm satisfied it works in the real world,” Chertoff said last month at a congressional hearing.

Link  | Comments [0]


The Exciting World of Credentialing
By Allan Holmes  |  Wednesday, October 17, 2007 |  3:21 PM

The following item was posted by Jill Aitoro.

A glimpse at enrollment in the Homeland Security Department’s Transportation Worker Identification Credential (TWIC) program provided one very interesting truth: While sexy in concept, the process of credentialing is pretty mundane.

The Transportation Security Administration held a media event yesterday in Wilmington, Del., to show what workers will go through when enrolling for TWIC. (Video of the enrollment process is available for download at the Coast Guard web site.) For those who care to take a look, you’ll see people seated, documents being filled out and photocopied, some movement of a computer mouse, and – easily most exciting of all – fingerprints being scanned. Take away the latter, and it could just as easily be a trip to the Department of Motor Vehicles.

Maybe more telling than the actual enrollment preview was the drive into the port in Wilmington. Not surprisingly, security gates guarded the entry, with cars lined up at all but one of the gates – the gate that was reserved for TWIC card holders. That lane moved quickly. Sexy or not, it got the point across.

Link  | Comments [1]


Lawyers Accuse Feds of Tapping Phone, Hacking
By Allan Holmes  |  Friday, October 12, 2007 |  8:45 AM

This news item certainly will heap more suspicion on the Bush administration’s tactics for fighting terrorism.

A law firm in Vermont, which represents a client in Afghanistan and a prisoner at Guantanamo Bay, is accusing the federal government of tapping its phones and hacking into a computer used by one of the firm's partners, according to an article posted by the Burlington Free Press. Three partners in the law firm Gensburg, Atwell & Broderick recently sent a letter to clients telling them the firm "can't guarantee their communications were confidential," according to the article. The firm said it had found its phone lines crossed and that a computer forensic examination of the computer used by Robert Gensburg "found an application that disabled all security software and would have given someone access to all information on the computer," according to the article.

Gensburg said there may be an innocent explanation for the problems -- such as that he may have accidentally downloaded some malware from the Internet -- but "we are quite confident that it is the United States government that has been doing the phone tapping and computer hacking," the lawyers wrote in their Oct. 2 letter to clients.

According to the article, there's no comment from U.S. officials or Verizon, which operates the phone lines for the law firm and is one of the telecommunication firms named in the Bush administration’s wiretapping program after 9/11:

U.S. Attorney Thomas D. Anderson, the federal government's top law enforcement official in Vermont, said Thursday that he couldn't comment. Verizon has consistently refused to comment on whether it is involved with national security issues, spokeswoman Beth Fastiggi said Thursday.

Link  | Comments [10]


Time's Running Out for National Cyberplan
By Allan Holmes  |  Thursday, October 11, 2007 |  5:22 PM

The Homeland Security Department has been working for years with the private sector to develop an operational plan it can follow in case a cyberattack takes down computers maintaining the critical infrastructure that supports the U.S. economy, such as networks operating the transportation, energy and financial systems. Or the electrical grid. They may want to hurry; cyberattacks on networks operated by electric utilities have jumped 90 percent in the past nine months, according to a security consultant that serves utilities. DHS has been criticized for the slow pace of creating a plan.

Hat tip: SANS Institute.

Link  | Comments [2]


Detecting Employee Computer Fraud
By Allan Holmes  |  Thursday, October 11, 2007 |  11:29 AM

An article on a Web site operated by the Detroit Free Press about a driver's license fraud scheme in Michigan's Secretary of State's office raises an interesting question.

This month, a pair of Michigan state employees was caught selling fake driver's licenses, license plates and vehicle registration tags. The employees would identify a customer interested in obtaining the fake licenses and registration, would take the person's photo and then "use the name and personal information of an unwitting person already in the Secretary of State computer system" to produce the fake documents, according to the article.

This is the unnerving part: "The case broke after a sheriff's deputy noticed a fraudulent temporary license plate during a routine traffic stop," according to the article. The two employees' illegal activity on the state computer system was never flagged by the network. With the knowledge that most computer crimes come from within an organization, not from outside hackers, why wasn't the state system programmed to flag this unusual activity?

In addition, the article quotes Wayne County Sheriff Warren Evans musing about how "it is incredible in a post-Sept. 11 world that a government employee would provide anyone with picture identification under a false name." Maybe it's not that incredible, as illustrated by this Washington Post article. (As was the situation in the Michigan fraud case, this case was not broken by the state Department of Motor Vehicles but by the U.S. State Department's Bureau of Diplomatic Security.)

In the end, this Michigan case is what the Homeland Security Department can point to in its ongoing effort to enforce Real ID.

Link  | Comments [2]


Passport Technology Isn't Error Free
By Allan Holmes  |  Monday, October 1, 2007 |  5:01 PM

The following item was posted by Judi Hasson, a freelance journalist who writes about technology and lives in Washington, D.C.

It’s hard to know how safe we really are or if the federal government knows what it is doing when it comes to managing our security. Just last week, I had an example of a big snafu that turned up in my own mailbox.

My 18-year-old daughter applied for a passport, and it came without delay. (The State Department says it worked through its passport backlog during the summer.)

The passport looked good at first. All the information was correct, I thought. But the picture, well, um, the picture was not my daughter. It was a picture of a young woman with long, curly hair who looked nothing like my daughter. Well, my daughter does have long, curly hair, but that was about the only similarity.

A State Department official said that it is likely the correct picture of my daughter was scanned into the department's database, and it was human error that caused the wrong image to be printed on the passport. But if that's not the case, and given that many government databases are now linked to check identities, is it possible that more government databases have the wrong picture of my daughter? And who’s got my daughter’s picture on her passport?

It took several hours of phone calls to get to the right people at the local U.S. Post Office to help me. When I did, they told me I had to start the passport process over. I had to send them the official pink form for corrections and two new pictures. Later, I was told to forget the pink form and just bring in the document with the wrong picture to the passport office on 19th Street in Washington, D.C. Oh, and of course, the $97 passport fee would be waived, but not the cost of the new pictures.

The State Department official said the agency issued 18 million passports in fiscal 2006, and errors are very rare. “Frankly, we are human,” the official said. “The error rate is very low. The important thing in issuing a passport is that it has great security information.”

It was only a month ago that the State Department got some bad press when it was disclosed that the department printed the wrong birth date on a passport. Instead of 1972, the date was printed as 1872, according to the official.

As for my daughter's passport, the official said the State Department cannot tell if there has been a one-to-one swap. In other words, my daughter’s picture may be floating around on someone else’s passport, and there may be a domino effect of passports having wrong pictures. “The errors happen. We minimize them. We have a series of quality control measures. The thing we can do is fix them as fast as we can,” the official said.

But where is my daughter’s picture? And who is that friendly young woman staring out from my daughter’s new passport?

Link  | Comments [5]


The Bizarre World of Immigration Law
By Allan Holmes  |  Wednesday, September 26, 2007 |  8:13 AM

The following item was posted by Government Executive Senior Correspondent Katherine McIntire Peters.

The country’s schizophrenic approach to immigration was on full display this week. On Tuesday, Homeland Security’s Citizenship and Immigration Services (USCIS) bureau rolled out an enhanced version of its E-Verify program, an electronic screening tool aimed at identifying illegal workers during the hiring process. Employers participate in the program voluntarily, at least in most states. The day before the rollout, the Justice Department filed suit against the state of Illinois for passing a law that essentially blocks employers from enrolling in the program.

The Illinois law puts Homeland Security in the impossible position of enforcing a federal law that has been invalidated by the state. As Emilio Gonzalez, director of USCIS, observed during a briefing with reporters, “You either want us to enforce the law or you don’t.” Presumably that depends on whom you ask.

Link  | Comments [3]


JPL Workers Sue Over HSPD-12 Checks
By Allan Holmes  |  Friday, August 31, 2007 |  1:43 PM

Scientists and engineers at the Jet Propulsion Laboratory are suing NASA and the California Institute of Technology, which manages JPL, over what they say are unwarranted and overly personal background checks under the governmentwide access cards required under Homeland Security Presidential Directive - 12, according to an article by the Associated Press.

The lawsuit was filed by 28 plaintiffs, many of whom “have worked on such projects as the Mars rovers, the Galileo probe to Jupiter and the Cassini mission to Saturn, but none are involved in classified work, according to the suit,” AP reports. “It seeks class-action status to represent similar JPL employees.”

The Department of Commerce also has been named in the suit because the department promulgates federal identification standards. To obtain an identification card, which will give employees access to federal buildings and computers, employees must fill out a form asking them about employment history, past residences and any illegal drug use.

More from the article:

The suit claims the directive was concerned "exclusively with the establishment of a common identification standard" and "contemplates no additional background investigation or suitability determination beyond that already required by law."

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit is structured so that it can become a class action suit. Could this just be the tip of the iceberg?

Link  | Comments [7]


Can DHS Force Real ID?
By Allan Holmes  |  Monday, August 27, 2007 |  1:47 PM

Much was made of Homeland Security Department Secretary Michael Chertoff's comment last week that residents of states that fail to follow the Real ID Act's requirement to issue more secure driver's licenses will be required to show a passport to gain entry into state parks, to board airplanes, or to enter any federal building. According to a CNN article:

"This is not a mandate," Chertoff said. "A state doesn't have to do this, but if the state doesn't have -- at the end of the day, at the end of the deadline -- Real ID-compliant licenses then the state cannot expect that those licenses will be accepted for federal purposes."

Just how serious DHS is about requiring these residents to show passports, or how much power the department has to make it happen, is highly questionable, points out security expert Bruce Schneier. In his blog last week, Schneier wrote that Chertoff's threat is "a lot of bluster." Schneier explained, "The federal government just can't say that citizens of -- for example -- Georgia (which passed a bill in May authorizing the Governor to delay implementation of REAL ID) can't walk into a federal courthouse without a passport. Or can't board an airplane without a passport -- imagine the lobbying by Delta Airlines here. They just can't."

Seventeen states have passed legislation opposing the law and other states are considering similar bills. Washington, Vermont and Arizona have already found some common ground.

Link  | Comments [24]


Time to Cope with COOP
By Allan Holmes  |  Tuesday, August 14, 2007 |  3:03 PM

Aviation officials in Los Angeles are pretty steamed at the folks at U.S. Customs and Border Protection.

A computer system used to process international travelers coming into the United States was down for nine hours Saturday, creating a backlog of 17,000 travelers looking to enter the United States, according to a Los Angeles Times article. Thousands of travelers were stranded on planes for hours. According to the article, Steve Lott, chief spokesman in North America for the International Air Transport Association, explained the airport’s frustration with U.S. Customs this way: “Although ‘we understand that computer systems are not perfect, the frustration is why customs had no contingency plan.’”

LAX officials may be on to something. In June 2004, the Federal Emergency Management Agency issued the "Federal Preparedness Circular," which was sent to the "heads of federal departments and agencies." The circular presents guidance on how agencies can set up a Continuity of Operations (COOP) plan. According to the circular (emphasis added):

It is the policy of the United States to have in place a comprehensive and effective program to ensure continuity of essential Federal functions under all circumstances. ... All Federal agencies, regardless of location, shall have in place a viable COOP capability to ensure continued performance of essential functions from alternate operating sites during any emergency or situation that may disrupt normal operations.

It seems as if most agencies didn't follow FEMA's guidance because on May 9 President Bush issued National Security Presidential Directive 51 and Homeland Security Presidential Directive 20. The directives mandate that agencies develop a COOP plan “to ensure that Primary Mission-Essential Functions continue to be performed during a wide range of emergencies, including … technological … emergencies.”

Bush's directive obviously came too late for international travelers coming through LAX Saturday. So maybe now's a good time for a COOP plan to be at the top of Jayson Ahern’s to-do list at U.S. Customs. It was just last week that Ahern assumed the position of deputy commissioner for U.S. Customs and Border Protection – the No. 2 position at the agency. That's one bad first week on the job.

Link  | Comments [3]


Process, Not Technology, Threatens Passport Security
By Allan Holmes  |  Thursday, August 2, 2007 |  11:28 AM

Not that we need reminding, but a report recently released by the Government Accountability Office on the security of passports and border crossing cards illustrates, yet again, that most security vulnerabilities are not caused by something lacking in the technology. Rather, it's an organization's business processes, such as a lack of training, that pose the gravest threats.

In its report "Border Security: Security of New Passports and Visas Enhanced, but More Needs to Be Done to Prevent Their Fraudulent Use," GAO concludes that the State Department "has added technical features and security techniques to the design and production of [electronic passports, introduced in 2005, and advanced visas, introduced in 2002] that make it much harder to counterfeit or alter new generations of passports and visas."

The threat, GAO reports, comes from government employees. For example, State Department passport acceptance agents, employees who accept the documents needed to apply for a passport or visa, have committed serious errors, such as:

important information missing from documentation, such as evidence of birth certificates and parents’ affidavits concerning permission for children to travel, as well as photos that were not properly attached to the application. One passport specialist also cited a case where the photo submitted with the application did not match the identity of the applicant. In another example, another passport official told us of a case where an acceptance facility had accepted a passport application for an individual without the person being present and, therefore, did not verify the applicant’s identity. In addition, managers at two passport offices said their offices often see the same mistakes multiple times from the same acceptance facility. These problems are of particular concern given the persistent attempts to fraudulently obtain legitimate passports using stolen identity documents.

Lack of training for Customs and Border Patrol (CBP) officers on the new high-tech travel documents also threatens security, GAO reports.

While CBP requires officers to complete courses that include segments in fraudulent document detection relating to passports and visas, CBP officials stated there is currently no program in place to ensure officers receive such training continually. Some senior officers at some of the ports we visited stated they had not been retrained on the security features of passports and visas and fraudulent document detection since basic training.

CBP officials say there just isn't any time to train officers because the ports of entry are understaffed.

As any security expert will tell you, strong security programs include managing the people, processes and technology. The saying "two out of three ain't bad" doesn't cut it for security.

Link  | Comments [1]


The Debate Over a German Security Expert and ICE
By Allan Holmes  |  Wednesday, August 1, 2007 |  10:32 AM

For a look into how Immigration and Customs Enforcement officers do their job, check out a blog by a German information security expert, who was traveling this week to Las Vegas to attend and teach at a security conference but was ordered to go back to Germany. For six years, Halvar Flake, also the CEO of Sabre Security, had traveled to the United States to train information security professionals (some of whom have been employees of the departments of Defense, Energy and Homeland Security). He held many of his seminars at the well-known BlackHat security training conference. But when he arrived at a U.S. airport this week (he did not identify which one), Flake was stopped and questioned by ICE officers for four hours and eventually sent back to Germany. The reason: He didn’t have an H1B work visa.

While Flake’s straightforward account, written on his blog ADD/XOR/ROL (“a blog about reverse engineering, mathematics, politricks and some more …”), is an interesting inside look at how ICE interprets immigration policy, the more informative part of the blog is the comments section – which is highly populated. As expected, some submitters rail against the ICE bureaucracy and apologize for how Flake was treated, but a fair number of people defend the agency and its officers, saying they did what they were supposed to do.

It would be informative to the debate, I think, to hear from government employees: Was Flake, a respected information security professional, a victim of an overly aggressive bureaucracy or was he treated fairly by the immigration laws?

Hat tip: Wired

Link  | Comments [5]


DHS Officer Convicted of Illegal Computer Use
By Allan Holmes  |  Friday, July 27, 2007 |  11:51 AM

A Customs and Border Protection officer with the Department of Homeland Security was convicted yesterday for unauthorized use of a government computer, Newsday.com reports.

Kelly Bossinger was convicted "on a three-count indictment charging her with unauthorized use of a government computer, lying and conspiring to lie," according to the article.

In 2004, Bossinger had asked other offices to use government computers to find out why Bossinger's sister had been stopped and searched at the U.S.-Canadian border. Bossinger was concerned that her sister was under investigation. She was.

Link  | Comments [6]


Make Sure the Right Hand Knows ...
By Allan Holmes  |  Wednesday, July 18, 2007 |  5:41 PM

It seems as if the Homeland Security Department doesn't want to be outdone by the Defense Department. On May 16, the Defense Academy for Credibility Assessment (formerly the Defense Department Polygraph Institute) released a request for proposals asking industry to provide ways it can use information technology and/or behavioral analysis methods to screen large groups of people who may be, say, preparing to board planes or attending an event. (See Government Executive's "The Shrink Approach to Airport Checkpoints.")

DHS released July 9 an RFP asking industry to provide IT solutions that use sensors to scan individuals who plan to board planes, trains or other modes of public transportation as well as people planning to attend "Special Security Events."

"Persons involved in or planning to be involved in possible malicious or deceitful acts will show various behavioral or physiological abnormalities," and sensors can help detect an individual's intention to do harm by applying monitoring systems to provide information on "cardiovascular, respiration, ... eye tracking as well as other promising technology capable of providing behavioral indicators," according to the RFP. "The goal is to take the individual outputs of the distinct sensors and combine them into a decision matrix in order to provide a single decision."

Maybe the folks at Defense and DHS need to get together to see if they can work together on this one.

Hat tip: Wired

Link  | Comments [0]