RealTime IT News

Fed Plan to Connect Spy Agencies Flawed?

A plan by the U.S. intelligence community to link the thousands of databases run by all 16 U.S. spy agencies may be aiming too high, experts tell InternetNews.com.

According to a story in the Wall Street Journal, those links are being planned so the intelligence agencies can share information and avoid the situation that led to the terrorist attacks on the World Trade Center and other U.S. targets on Sept. 11, 2001.

The first step, already under way, is to link up all the agencies' e-mail systems by 2010.

Eventually, all the databases will be connected, using search engine, social networking and encrypted RSS Web feed technology.

However, the deadlines set by the Office of the Director of National Intelligence (ODNI), which is overseeing the project, may not be realistic.

"The way government moves, the reality of the project's being completed by 2010 is pretty slim," Cynthia West, vice president of Web-based project management system vendor Project Insight, told InternetNews.com. "Just the planning alone will take six months."

Other security industry insiders are similarly skeptical about whether the project will meet its deadlines. "They're underestimating the speed at which it's going to get done and underestimating the conflicting budgets," Jon Callas, CTO of encryption vendor PGP, told InternetNews.com.

"Our own customers in the private sector with 1,000 to 500,000 users take up to 12 to 15 months to do something as simple as encrypt all their laptops."

Because the project is so complex, the ODNI will have to examine it carefully before proceeding. PGP's Callas said that the ODNI will first have to figure out its goals in linking the various agencies' systems, then prioritize them along two axes - how easy they are and what benefits would result. "You want to undertake the projects that give you unambiguous benefits at a relatively low cost," he said.

Once that is done, the ODNI will have to re-assess its goals. "There will be things that change over time, and the number of variables is huge," he said. "The trick is to trim down your project to find what you can do quickly and inexpensively and what you can do effectively, which means projects where you don't have to debate what the pluses and minuses are."

Security issues to be solved

Within the project itself, many security issues will have to be solved. One is the allocation of access rights, "It's going to take a whole team to manage what level of access rights person X at agency Y has, and then you have to change permissions as people move up or move out," Callas said.

The agencies will have to figure out who should have access to what applications or data, and when, then implement a system for access control. Failing to do so could lead to situations such as the one where rogue systems administrator Terry Childs took control of San Francisco's fiber optic wide area network.

One way to cope with this is to implement role based access management combined with data loss prevention technology. Vendors are beginning to offer just such a combination.

The ODNI will also have to deal with managing orphan accounts. These result when users have left a department or been transferred out and their access rights have not been revoked. Failure to manage these orphaned accounts has proved to be a security threat.

For best results, the ODNI should take a risk-based approach, Callas said. "If you want to make sure that all of the people who need to have the information have it, and those who don't need to have it don't, you have to presume some of it would go to at least one of the wrong people," he said.

"The flip side is, if you don't want it to go to any of the wrong people, it would miss at least one of the right people, so they'll have to figure out how to navigate between these two issues."

An ODNI spokesperson confirmed that the office is working on a project to link the various agencies' databases together, but declined further comment.

Update corrects name of U.S. agency overseeing the project.