Tag Archives: National Data Exchange

Social networking websites: the next cyber war zone?

WASHINGTON — The Government Accountability Office reported April 12 that federal agencies remain vulnerable to cyber attacks and security breaches because they’ve failed to take the required steps to secure Internet connections and computer systems. Experts say cyber attack could come from anywhere—an individual American or someone overseas, a terrorist group, or a country. But the number of ways a cyber attack could infiltrate American systems is growing—and the ever-expanding web of social networking sites could prove problematic for national cyber security.

Social networking technologies are creating potential new challenges for government transparency and security As more agency employees use Twitter, Facebook and similar external sites, officials at all levels of government are reviewing their policies.

Elayne Starkey, chief security officer of Delaware and FOIA coordinator for the state’s Department of Technology and Information, said her organization is cracking down on the problem from the inside.

“Websites like Facebook are blocked from our computers,” Starkey said. “It’s too great a risk and who or what actually gets that information is still quite unknown.”

Starkey said there is a long list of precautions that need to be taken at all levels of government and the private sector to prevent a cyber attack. She said she is working with other groups and agencies in Delaware to raise awareness and educate others on the “very real” dangers that a cyber attack could cause.

“We do a lot of trainings to drill and simulate with other state and federal employees on their IT resources,” said Starkey. “Using the right technical tools is important to have the top level of security we need.”

Among the many things that can help in thwart future cyber terror, Starkey said, would be new legislation. She said that the right legislation would take time though. “There is a gap that needs to be filled—but the proper legislation with the proper partners would need a multi-year window.”

“As more people move into the Web 2.0 phase, they become more comfortable with the websites like Facebook and Twitter,” Starkey said. “There is a false sense of security people have once they enter their password. They feel comfortable that they do things they might not have done elsewhere.”

Targeted ads are drawing more clicks by naïve social media users, increasing the potential for scammers and hackers.  “People are much more likely to click some ad that is tailored to them, and then who knows what is behind that ad.”

Starkey said viruses from social networking sites could work in a similar way that an e-mail virus works, sometimes immediately attacking user’s system­ at other times lurking for months before any damage is noticeable.

“That’s why at our offices, those sites are pretty much blocked,” she said.

Patrick Wells, a participant in the U.S. Cyber Challenge, a competition to find individuals who could be future cyber security practitioners and researchers, said he thinks it is unlikely that social networks will become a target of cyber terror is unlikely.

Wells said the information technology teams at the major social networking sites are more prepared than the government simply because they are individual sites, and as such only to worry about hardening their own target.

“Government websites are more interconnected, yet with different security systems and levels which allow for overlooked loopholes,” said Wells. “Sites like Facebook, although they have a huge amount of traffic, are more secure.”

Wells said Facebook, for one example, was a victim of cyber attacks through its applications, add-ons that could contain games, quizzes or other attractions. Applications are made by outside groups, and in the past anyone could create one. Wells said that was the most common way a hacker could hack through the website. “Now, Facebook has a stronger identification process for those creating applications to prevent that.”

For legal and tracking purposes, there is no sound way to currently archive communication done in social networking site, Starkey said. “The problem is that agencies don’t know how to archive the many forms of communications made on those popular websites.”

As citizens become increasingly accustomed to accessing more types of communication archives, Starkey says that social network archives will be a logical expectation.

Wells said that he doesn’t foresee social networking sites being a target of cyber terrorists, but more of a jumping off point. “Social networking sites are mainly used for information… as a tool to find an employee of a company, to get as much information about the person, and then hack into their system.”

Wells said the more security measures the better, but that social network users should be careful of every bit of information they list, not just inappropriate pictures.

Tagged , , , , , , , , ,

Involving local authorities, privacy experts in the quest to share criminal information

WASHINGTON – Law enforcement authorities are using a new program aimed at “connecting the dots” in crime-fighting by streamlining and sharing information across a broad network of states, counties and local jurisdictions. And unlike many other federal data sharing and mining programs, this one enlisted civil liberties experts to ensure privacy protection.

Rolled out in three increments in 2008, National Data Exchange – or N-DEx – was designed to bring the FBI into the national incident-based reporting system, a long-established program in which all data collected on a single crime goes to one repository.

But the Justice Department program has become more than just reporting a bank robbery in California that may be of interest in Texas, said David Larson, chief privacy officer in the FBI. It is a vehicle through which the FBI and law enforcement agencies across the country can share case documents that contain incident, arrest, booking, incarceration, and, coming in October, parole and probation data. Investigators can trace identifying clues like aliases, height, weight and tattoos, detect hidden relationships among suspects and pinpoint geographically where and to whom they are linked.

“It takes information already in existence and brings it to one place in a way that cuts down the amount of effort and search time required,” said Jeff Lindsey, National Data Exchange unit chief. “Each increment is designed to add different capacities, different access points and higher, more efficient levels of capability to the folks that use searches.”

Those that can access these searches include authorities within the Department of Justice like the Drug Enforcement Administration and Bureau of Prisons, along with the FBI and local law enforcement agencies, as long as they have all been properly vetted. Analysts from the National Counterterrorism Center also can access information from N-DEx if necessary.

About 1,300 law enforcement agencies currently contribute data to N-DEx, and that number is expected to “increase significantly” in the next year, Lindsey said.

Taking a novel approach

With the number of people who can access and contribute to this system potentially doubling within the next several months, privacy is a real concern, officials say. But the FBI privacy officers behind N-DEx tried not to leave too much room for unanswered questions. They were among the first privacy officials in a federal agency to directly engage the American Civil Liberties Union before the program was implemented.

“We’ve got nothing to conceal. We want to show it to them,” said Damon Villella, supervisory special agent with N-DEx.

Christopher Calabrese, legislative counsel at the ACLU, said he had first heard of N-DEx in 2004 when it was still an idea swirling around the Justice Department. He said because it was a law enforcement tool as opposed to a general surveillance system, it was a “reasonable investigative method.”

“We appreciated the fact that it was not going to contain intelligence information, and instead, it was going to be a compilation of information that law enforcement was already collecting,” he said.

But while the information itself does not pose a threat, Calabrese said, how the information is analyzed can be cause for alarm. In many cases, the FBI is relying on local privacy laws to safeguard the information provided by and used by state and local jurisdictions.

“The real solution is a national data privacy law that controls how much information is collected on people who aren’t suspected of any crime and what’s done with that information,” he said.

He said analysis that tries to predict criminal behavior based on patterns before any crime happens is a new worry that comes with advanced technology.

“There are analytic tools that help you visualize already-existing data that can be very useful,” Calabrese said. “There are also data mining tools that can essentially purport to find crimes before they take place; in other words, they look for patterns based on innocent behavior that can lead a person to commit a crime – that is a concern.”

Working with forces on the ground

Though the first two increments of N-DEx have been deployed over the last two years, there has been no formal auditing process or feedback from local law enforcement agencies. Officials said individual agencies using the program probably will be audited after the final increment is implemented in October.

While there are some police departments like Virginia Beach, Va., which is in the process of getting connected to N-DEx, others like Tucson, Ariz., have been using a data mining program called Coplink for years.

And officials say that, while the advanced technology has made their jobs go faster, it is also building much-needed collaboration between local and federal authorities to root out crime and terrorist threats.

“At the state level, it’s basically the first time it’s been done – where the feds are having information going bi-directionally instead of just going to the feds,” said Tucson detective and Coplink administrator Cindy Butierez. “We’re starting to work really well with them.”

But while the ability to share additional information is helpful and can generate new leads for officers across the nation, Butierez added that the system is only as good as what agents collect.

“I think the biggest thing is just making sure that we maintain our ability to communicate and talk one-on-one,” she said. “You’re supposed to follow up and call the agency and get a formal report, because nothing in that system calls for probable cause.”

In other words, officers are not allowed to make an arrest or act upon criminal data until formal procedure is followed. And technology like N-DEx cannot completely replace the need for communication between police units, several officials said.

“The ultimate tool is still the analyst or investigator,” Lindsey said. “They still have to put together and interpret the data delivered to them in a way that is going to make them successful.”

Tagged , , , ,