9/11: IT Security Then and Now

Since terrorists attacked the United States on Sept. 11, 2001, the government has begun a robust, and oft-criticized, electronic-surveillance program, but other IT-related security projects designed to thwart terrorism have made little progress.

Better cybersecurity leadership, more cargo scanning on airplanes and ships, and interoperable communications networks for emergency response agencies have all developed slowly. In some cases, fights in Congress have slowed progress, or the U.S. government has focused on other priorities. In other cases, the cost of IT projects has been an issue.

NYC on 9/11/01

The fifth anniversary of the attacks will focus attention as much on what has not been accomplished to protect the United States from future attacks as on what has been, chiefly the surveillance system. In recent months, civil liberties groups have protested the shadowy electronic-surveillance program run by the U.S. National Security Agency (NSA), with alleged cooperation from large telecommunications carriers. U.S. President George Bush has defended the program as necessary and legal, even as critics point out the NSA is spying on U.S. residents without court orders.

Critics say the emphasis on surveillance instead of other technology has led to an invasion of innocent people’s privacy and has not improved the nation’s security.

NYC in 2006

The Electronic Frontier Foundation (EFF), leading a lawsuit against AT&T for its alleged participation in the NSA surveillance program, says some U.S. FBI agents have complained about the quality of the leads generated by the program. “It’s like, ‘Oh great, more calls to Pizza Hut,’ ” said Kevin Bankston, an EFF staff attorney. “This many may not help us connect the dots; it may just be creating more dots.”

But there hasn’t been a major outcry about the NSA program from U.S. residents, with a common attitude being that innocent people should have nothing to hide.

“I worry that a lot of people are speaking out of fear,” Bankston said. “You wouldn’t want government cameras installed in your bedroom or your bathroom, not because you’re doing anything wrong there, but because there are areas of our lives that should be private.”

The biggest change since Sept. 11 is this culture of surveillance, added Jim Dempsey, policy director at the Center for Democracy and Technology, an advocacy group focused on civil liberties online. Congress’ quick passage of the Patriot Act following Sept. 11 generated huge debates about its expansion of law enforcement powers, but the NSA program happened without congressional approval, he said.

“All the ink that was spilled over the Patriot Act is irrelevant … if the president says he’ll do what he wants,” Dempsey added. Combined with technology advances in areas such as storage, location awareness and facial recognition, these expanded government powers create “a pretty wholesale assault on privacy.”

The Bush administration has defended its tactics, with the president saying this month that the government’s counterterrorism efforts have subverted a number of plots since 9/11, including an anthrax attack and an airplane hijacking plan.

The NSA surveillance program “helps protect Americans,” Bush said in a speech Thursday. He called on Congress to derail court challenges to the NSA program by passing laws approving the program. “If an al-Qaida commander is calling the United States, we need to know why they’re calling,” he said.

In three other IT-related areas, progress has been slow.

Cybersecurity

IT security groups have called for greater U.S. government emphasis on cybersecurity. In July 2005, U.S. Department of Homeland Security (DHS) Secretary Michael Chertoff announced plans to create a high-level position, assistant secretary for cybersecurity, but that position remains unfilled, despite pressure from IT groups.

In addition, the DHS has never scored above an “F” in the federal government’s annual computer security assessment. Another agency that has consistently pulled in “F’s” is the U.S. Department of Veterans Affairs, which was roiled earlier this year following a massive data breach.

Part of the problem is that the government is simply not as interested as it should be in paying for online defense, according to Marcus Sachs, a former Bush administration adviser on Internet security.

“It’s kind of hard to convince the Congress to continue to fund cybersecurity efforts when the entire nation is shaking in its boots over chemical weapons and dirty bombs,” said Sachs, who now works for SRI International, a research organization in Menlo Park, Calif. “We’ve not had any attributable cyberstuff that you could trace back to terrorism. … It’s hard to make a case as to why we need to be worried about it.”

Those kinds of attacks may still come, said O. Sami Saydjari, founder and president of Cyber Defense Agency, an IT security research and consulting firm in Wisconsin Rapids, Wis. Just one massive cyberattack would boost U.S. cyberdefense spending, but a major attack could cost U.S. businesses up to US$1 trillion, he said.

The technology to sufficiently harden U.S. cyberdefenses largely exists, but the government needs to create a program to improve the nation’s cybersecurity infrastructure, Saydjari said. “Waiting until we have these attacks is not the time to develop that program,” he added. “Every year, the [cyber] attacks are better.”

Communications interoperability for emergency agencies

Security experts, including the 9/11 Commission, have requested additional radio spectrum so that emergency response agencies can better communicate with each other. During the Sept. 11 attacks, some emergency responders found that their communication systems did not interoperate. More radio spectrum is on the way, but not until February 2009, the deadline Congress set for television stations to vacate the spectrum and move to all-digital broadcasts.

During a lengthy congressional debate over the digital TV transition, Sen. John McCain, an Arizona Republican, tried to move up the transition date, arguing emergency responders need the spectrum as soon as possible. But congressional concerns over the timing of commercial auctions for part of the freed spectrum led to the later date. If the auctions were too soon, the spectrum might not sell for the $10 billion Congress has budgeted, opponents of an earlier deadline said.

Meanwhile, some emergency response agencies are working with each other to improve interoperability, but those efforts are happening only in “pockets” of the United States, said Steven Jones, executive director of the First Response Coalition, a group advocating for interoperable emergency communications.

“There’s no national strategy to coordinate all these efforts,” Jones said. “Nationally speaking, I don’t know that we’re better off than we were five years ago.”

Cargo scanning

Hobbled by high costs and slow machines, airlines and cargo ships scan only a fraction of the baggage they carry, leaving their passengers at risk of hidden explosives and other weapons, critics say.

Most of the 6 billion pounds of cargo shipped on passenger airlines every year is commercial cargo, not checked baggage, and most of those crates and cartons are never scanned, exposing passengers to risk, according to U.S. Rep. Edward Markey, a Massachusetts Democrat.

The problem is even greater on commercial shipping venues, with unscanned cargo rolling into the United States every year aboard 11.2 million trucks, 2.2 million rail cars and 51,000 cargo ships, according to the DHS.

The U.S. Transportation Security Administration, which operates airport security systems, says it faces a dilemma of choosing between inexpensive but inaccurate machines and expensive, high-quality machines.

Airport workers now scan baggage with two types of systems. Explosive trace detection machines are affordable—they’re the size of a laser printer and cost a few thousand dollars—but rely on slow and error-prone human workers to collect test samples.

In contrast, explosive detection system machines can process up to 500 bags per hour but weigh as much as 17,000 pounds and cost up to $1 million. And airports must invest much more money to insert those machines into their existing baggage conveyor belts to speed the process.

Still, officials with the Bush administration insist they’ve made significant progress in fighting terrorism over the past five years. A “network” of law enforcement and intelligence agencies, improved terrorist databases and international cooperation have successfully thwarted multiple terrorist plots, U.S. Attorney General Alberto Gonzales said in a speech Thursday.

“If there is one thing that all Americans will be thinking and saying when we mark a terrible anniversary on Monday, it will be the simple phrase, ‘never again,’ ” he said. “And the goal of ‘never again’ cannot be achieved by the federal government alone, by any state government alone, or by any local police force alone. Our network of prevention is instead the key to protecting the American people.”

-Grant Gross, Ben Ames and Robert McMillan, IDG News Service (Washington Bureau)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.