[ISN] IT departments must cope with Patriot Act, university CIO says

From: InfoSec News (isn@private)
Date: Wed Aug 04 2004 - 10:47:57 PDT


http://www.nwfusion.com/news/2004/0803patriot.html

By John Cox
Network World Fusion
08/03/04

Nearly three years after its enactment, the USA Patriot Act remains
not just a political but also a technological issue on many college
campuses.

Unprepared or ill-prepared schools can find themselves facing network
problems, service disruptions, and, in the worst case, FBI agents
driving onto the campus with subpoenas to haul off PCs, servers, and
computer log data.

IT groups can minimize the potential disruptions of Patriot Act 
investigations by taking the lead on campus to pull together legal 
counsel, administration, and faculty to craft a clear process for 
handling investigations that will become more common, says Peter 
Siegel, CIO at University of Illinois at Urbana Champaign. 

Siegel spoke this week at the annual conference of the Association for 
Communications Technology Professionals in Higher Education (ACUTA) 
meeting in Chicago. 

"The status of dealing with the Patriot Act in higher education is 
very mixed," Siegel said. "Some people say, 'What does this have to do 
with IT?' Others say, 'We have [network] security professionals who 
work closely with law enforcement agencies.' There's not much in 
between, where you find people just ramping up [to deal with the Act]. 
For one thing, it's very hard to get people to share information about 
this." 

Siegel pointed out to his audience that while the Patriot Act is new, 
it doesn't actually introduce new legal instruments or actions. 

"Every component of the Patriot Act was present in previous law," he 
said. "But just not often used. Now, it's more likely that a Patriot 
Act incident will start or end or, especially, go through your 
campus." 

Siegel said the act does, however, lower the bar on judicial oversight 
on searches and seizures. But oversight is still required: seizing 
records or doing electronic surveillance requires a subpoena issued by 
a judge. 

"It allows [electronic] searches without requiring the person [under 
investigation] being notified, for an undefined 'reasonable time,'" he 
said. 

Schools may find themselves drawn into a Patriot Act investigation 
even if those being investigated are not actually students or 
employees of the school. The school's network and computers may be 
hijacked by someone halfway around the world to attack a third 
location. "You need a solid policy," Siegel told his audience. "If 
it's 2 a.m. and your network is being used to attack another 
university or a private company, who gets called?" 

Investigations under the act often require a complete information 
blackout. IT groups are forbidden to tell the subjects they're being 
investigated, or even acknowledge that an investigation is under way. 
One result is that you can't call network colleagues at another school 
and ask them how they handled a similar event. 

Law enforcement agencies may direct IT groups to take certain actions 
or to not take actions, either of which can lead to network problems. They may 
be ordered to leave compromised or damaged computers and networks 
untouched while the investigation is under way. "This can disrupt work 
patterns," Siegel warned. "A given subnet could be taken offline or 
required to stay online… and you can't explain why to the [affected] 
users." 

Investigators could require some network or computer log data to be 
preserved up to 180 days. But what if part or all of that data is, by 
IT policy, automatically deleted every 10 days, Siegel asked. 

Siegel urged his audience to bring together the campus players, such 
as legal counsel, appropriate provosts or deans, campus police, and 
others, who will be involved if any Patriot Act investigation is 
launched. Hammer out solid policies with clear responsibilities, and 
good lines of communication. Identify the personnel who will act as 
the leaders in an incident and train them in "customer relations" - in 
working knowledgeably and cooperatively with both the campus community 
and outside law enforcement. 

Cultivate trust and relationships with local police, state 
investigators, and local FBI offices, Siegel recommends. "If there's a 
new FBI agent that joins the local office, invite him over for coffee 
and talk with him," he says. "The real issues are really not 
technical, but [about] people. And they are solvable." 


