Analytics // Security Monitoring
12/14/2012
07:04 PM

U.S. Creates System To Look For 'Future Crimes'

In March, the United States granted counterterrorism officials the ability to hold data on Americans for up to five years. Now, the controversy surrounding the data-analysis program has come to light.

The U.S. government green-lighted a program in March to retain data on U.S. citizens for up to five years as part of a counterterrorism monitoring and analysis effort, despite privacy concerns raised by high-ranking homeland-security and justice officials.

The concerns, first reported in The Wall Street Journal this week, suggest that the National Counterterrorism Center (NCTC) is trying to build an extensive monitoring system that can find terrorists using large datasets. Established in 2004, the NCTC brings together analysts from a variety of agencies and tasks them with sifting through intelligence reports for signs of terrorism activity.

Under the rules signed in March, the center can retain information on ordinary Americans for up to five years, even if they are not connected to terrorism or other crimes. While the monitoring system appears similar to those used by many companies to investigate compromises using forensic data, critics have worried that it undermines citizens' civil rights.

"Innocent people can be investigated and their data kept for years," said Chris Calabrese, legislative counsel for the American Civil Liberties Union, in a statement. "It can be shared with foreign governments. All of this in service of, not just terrorism investigations, but also investigations of future crimes."

Civil libertarians are not the only ones with concerns about the scope of the data collection and monitoring involved in the NCTC's analysis system. At the Department of Justice, Chief Privacy Officer Nancy Libin raised concerns, as did Mary Ellen Callahan, the former chief privacy officer of the Department of Homeland Security, according to The Wall Street Journal article.

"This is a sea change in the way that the government interacts with the general public," Callahan reportedly said.

But NCTC officials have argued that the monitoring system and analysis are not about creating a time machine to look for future crime, but about virtually going into the past and connecting past actions that may have been overlooked. If an individual names a friend on a visa application, for example, and is later connected to a terrorism organization, counterterrorism officials want to be able to look back at that connection -- even if it happened years ago -- and add it to the analysis, Matthew Olsen, director of the National Counterterrorism Center, told the American Bar Association (ABA) in May.

"In other words, certain data sets needed to be retained for a longer period of time in order to ensure that terrorism information was not deleted simply because its significance was not immediately apparent," he told the ABA's Standing Committee on Law and National Security in prepared remarks (PDF).

The near success of Umar Farouk Abdulmutallab, popularly known as "the Underwear Bomber," in December 2009 was a wake-up call for counterterrorism intelligence analysts, Olsen said in May. While Olsen did not give examples of data points that could have been connected to catch the bomber, he stressed that the NCTC needed the ability to retain information for analysis.

Using monitoring systems to hunt down rogue actors, and even predict when an employee may go rogue, has become a major initiative for the U.S. government. Following the leak of diplomatic memos from the U.S. State Department, the Pentagon created the Anomaly Detection at Multiple Scales (ADAMS) project to fund ways of detecting rogue behavior that could indicate a malicious insider.

Such projects may have an easier time pinpointing suspicious activity than network-security monitoring systems used by companies to identify potential rogue insiders by their online behavior, says Mike Lloyd, chief technology officer for RedSeal Networks.

"There is a big difference between the hackers and the terrorists," he says. "The terrorists ... would have to buy an awful lot of fertilizer, for example, to make a bomb, and that's something you can track. So it is plausible, I think, that the data mining will be more effective in counterterrorism than it is with hackers."

Today's network security monitoring systems focus on detecting anomalies that indicate a compromise of a company's systems or that hackers have access to those systems; in other words, they are looking for signs of an event that has already happened. Yet, by combining the analysis of big data with intelligence on the threats affecting an industry or community, companies are increasingly looking to detect potential attacks.

Such systems, however, require that companies and the federal government use them responsibly. Of the two, companies may be the more responsible, says Lloyd, because they are required to follow the privacy laws of the countries in which they operate. Some nations, such as those in Europe, are much stricter than the United States, he says.

In developing its monitoring system for detecting signs of terrorism, the U.S. government should look at strong safeguards, he says.

"Having this technology and having the ability to use it safely are really two different things," says Lloyd. "I think these systems work, but that is both the good news and the bad news."

Comments
Larry Seltzer - UBM Tech,
User Rank: Apprentice
12/19/2012 | 4:51:16 PM
re: U.S. Creates System To Look For 'Future Crimes'
I understand the concern, but privacy advocates get tunnel vision a lot. Many security experts will say that the real answer to terrorist threats is better intelligence rather than having us throw out nail clippers and take off our shoes.

And what kind of data are we talking about here? I'm actually less concerned about the government having data like this than I am about the possibility that it will leak or be sold by insiders.
DarkReadingTim,
User Rank: Strategist
12/17/2012 | 4:15:51 PM
re: U.S. Creates System To Look For 'Future Crimes'
This type of surveillance on individuals makes me nervous. Readers, what do you think?
--Tim Wilson, editor, Dark Reading