Which intrusion is worse?
The debate over a federal intrusion- detection system — which would collect
data on information security breaches and then distribute warnings governmentwide — should not center on whether the government needs such a system but on
how it should be built.
Unfortunately, such a system — once called the Federal Intrusion Detection
Network and now named the Automated Intrusion Detection Capability — faces
several formidable obstacles. The technology required would be some of the
most advanced available. But agencies worry about retributions that may
come from submitting embarrassing security breaches to an outside agency.
And Congress wrings its hands over a system that may open up Americans'
private transactions with government to outside eyes.But the fact of the
matter is that such a system is needed to protect private data such as Social
Security numbers, individual health data, and nuclear weapons information.
As government conducts more business online, an effective system that
monitors cyberattacks and gets the word out on how best to patch security
holes will be needed more than ever.
To be sure, certain privacy concerns — especially concerning when and
how law enforcement agencies such as the FBI will be involved when cyberattacks
are reported — must be carefully thought out. As pointed out by a security
expert in this week's cover story (Page 18), the government doesn't want
another Wen Ho Lee incident, in which the government's zeal to secure computers
overruns individuals' rights. But those who oppose the monitoring system
for privacy reasons put at risk the very privacy they seek to protect.
Officials with the Critical Information Assurance Office have met with
several members of Congress and their staffs to allay privacy concerns and
explain exactly what the monitoring system will and will not do. The CIAO
may think about doing the same with agencies and offer assurances about
how the security data they submit to it will be used.
If Congress genuinely believes in protecting Americans' privacy, it
must adequately fund a security monitoring system. And if agencies want
to do the same, they should support the system, too.
Connect with the FCW staff on Twitter @FCWnow.