Sunday, July 16, 2006

Bureaucratic Mindlock: How the war against terrorism is being lost

Today's terrorists and spies are comfortable with high-tech, but in India, at least, senior officials sometimes do not understand technology. Most senior officials are shy of computers and the like, which makes it difficult to get a grip on the problem. This article, published in the Hindustan Times on July 12, 2006, seeks to explore this theme.

James Jesus Angleton, a former head of counter-intelligence at the CIA, termed the spy-vs-spy war “a wilderness of mirrors”. What would the somewhat overwrought intelligence officer, who died in 1987, say about the internet era? You now have to contend with millions of computers and mobile phones linked together, with data — text, voice and graphic — moving in billions upon billions of discrete hard-to-track packets. One of the bigger challenges confronting counter-intelligence is not just the burgeoning of new technologies, but also their explosive spread. Take India’s case. Where there were 10 million landline telephones in 2000, today we have 100 million mobiles and 50 million fixed lines, in addition to 50 million internet users. You can be sure that the authorities have not kept up with the criminals and terrorists using hi-tech.

But keeping up is just one aspect of the problem. The bigger problem is comprehending the nature of the problem. In a bureaucratic culture that prizes stasis, try and explain how an internet telephone works and you will tie yourself in knots. But that is what the R&AW traitor, Rabinder Singh, used to evade surveillance and make good his escape in 2004. His watchers were tracking his mobile and landline phones and physical movements. So he used an internet phone to coordinate his escape with his American handlers. That was two years ago, and internet telephones were just on the horizon. They are now still considered impossible to intercept. Senior officials in India are notoriously computer illiterate, and financial controllers of intelligence agencies even more so. So try and convince anyone of the need to obtain specialised interception equipment, and you are likely to run into a brick wall. This is, of course, presuming that the technology exists and will be available for sale.

Knowledge of the internet, or the lack of it, may be overstating the point. There is a simpler example — pen drives. The navy war-room leak, as well as the case of information leakage at the National Security Council Secretariat, brings out the inability of the system to anticipate the dangers of trivial technologies like the pen drive. A 1 GB pen drive inserted in a USB port can hold the manuscripts of some 900 average-sized novels. Almost all computers made in the last 10 years have had USB ports, which are used for printers and other connections. But while security officials easily understood the need to block the standard floppy disk and CD-ROM drives, they failed to comprehend the uses of the pen drive, mainly because they were, in all likelihood, not very savvy about computers themselves.

Earlier this year, a US Department of Justice report put forward an FBI assessment of technologies it felt could have the greatest impact on electronic surveillance in the coming years. Topping the list were voice or text-over-internet, internet telephones and pre-paid mobiles. Perhaps even more daunting than the technical issues is the sheer volume of emissions. In India, by the end of this year, there could be anywhere up to one billion phone calls, SMSs, e-mails and faxes in a single day. It is not possible to use older techniques for keeping track of them. While the call identifying information of, say, a diplomat, or a suspect rogue intelligence officer, can be individually determined, there is a special challenge in dealing with non-State actors like terrorists.

The trend, therefore, is to trawl the airwaves and cyberspace with so-called dictionary computers that use special algorithms to reveal some pattern of activity that can thereafter be the subject of more intense scrutiny. This requires huge computer banks, as well as groups of highly trained individuals with the requisite language or cryptanalysis skills to translate the conversations or messages of interest with some speed. Even more challenging is the use of steganography to hide information. The technique has been known since ancient times. Modified for the modern age, it has become a killer application. A steganographic message is information hidden in a seemingly normal graphic, music video or audio track. Without changing the graphical image noticeably, a 64-kilobyte message can be incorporated in a 1,024 x 1,024 grey-scale picture. Programs for embedding messages in graphics are available in the public domain. So an innocuous video on YouTube or even a picture posted on Flickr could contain vital instructions for a terrorist cell.

The problem in great measure is our know-it-all general-purpose bureaucracy. It simply lacks the ability to cope with the increasingly complex challenges of today’s world — be it urban management or security systems. And the world of the internet and instant global communications is a very complex one indeed. So intricate that the US, which passed a Communications Assistance for Law Enforcement Act (CALEA) in 1994 — requiring communications companies to modify equipment and provide facilities and services to law enforcement agencies to conduct electronic surveillance — will only fix the requirements for providers of broadband and interconnected Voice over Internet Protocol by May 2007. In the meantime, the Federal Communications Commission, industry and US law enforcement and intelligence agencies are working together to work out standards and requirements that can meet the needs of the situation, as well as ensure that the communications business is not harmed unnecessarily.

Indian computer systems, barring those of banks and airlines, are still primitive with very few networked in any significant way. But this is bound to change over time. The bureaucracy’s inclination will be to block networked systems, just as earlier it sought to block internet telephony, and before that cable TV. But to deny the huge benefits of networking personal computers and work stations would be Luddite. What is needed are technological fixes.

A US navy research lab has, for example, patented a system that can enforce network separation. In other words, in a system with several networks, it uses a set of network communications protocols to ensure that the less secure network can communicate with the more secure one, even while minimising the ability of the latter to communicate with the former. This prevents the leakage of data between interconnected networks.

Large-scale electronic interception of data has become a fact. Yet, it has considerable risks relating to privacy and the rights of individuals. The US, which always considered itself a cut above others on the issue of personal rights, had a rule that its intelligence agencies were not permitted to intercept conversations or data of its own nationals without court authorisation. All that has changed since 9/11. Ideally, a terrorist attack must be stopped before it occurs. The issue of punishment is important, but not more than the need to block the attack. Preemption requires a great deal of information, a lot of it scattered in bits and pieces, some in the communications or banking systems, and some elsewhere. The problem with official agencies is that they tend towards excess. Given an inch, agencies will take a mile.

Their ideal is probably best depicted in the film Minority Report, which dealt with preventing crimes through the use of a ‘future viewing’ technology. Clearly, understanding the problem is one thing; resolving it through exclusively technological fixes, quite another.

1 comment:

divyanshu said...

I had a chance to work on some computer systems that were supposed to be used for sec agencies of Uncle Sam. Their security check and validation criteria are awesome. I was a part of a team that did changes in systems to make them qualify for mission critical ops.
It was a 32 processor iron box and had to be made hack proof. Very stringent test criteria are followed, like how many user logins are allowed, etc.