[ISN] UNL officials pondering computer security overhaul

From: InfoSec News (isn@private)
Date: Thu Oct 27 2005 - 23:33:19 PDT


http://www.dailynebraskan.com/vnews/display.v/ART/2005/10/28/4361b2d9d7b13

JOHNNY PEREZ
October 28, 2005 

University of Nebraska-Lincoln officials are cautiously preparing to
comply with a controversial federal law that may require colleges and
universities to overhaul their computer networks to make it easier for
law enforcement agencies to monitor electronic communications.

The mandate is an expansion of the 11-year-old Communications
Assistance for Law Enforcement Act (CALEA), which requires telephone
service providers to fund updates of their systems in order to assist
law enforcement with electronic surveillance.

The FCC began implementing the act in 1997 but has since made several
orders concerning CALEA's rules.

The FCC's most recent changes, which will go into effect Nov. 14,
included conclusions that expanded the original definition of a
``telecommunications carrier'' and suggested that facilities-based
providers of broadband Internet access - including universities - were
subject to CALEA's rules, a prospect that has many university
officials worried.

``The fear is that CALEA somehow is going to require colleges and
universities to redesign their entire computer networks ... and
telephone networks to accommodate law enforcement,'' said Michael
Carr, information security officer for the University of Nebraska.

The FCC has yet to announce specific changes that universities must
make to their networks, although all changes must be implemented by
June 2007.But these future changes could raise concerns among
university officials about invasion of privacy.

Colleges and universities already hand over information to law
enforcement concerning network traffic - such as e-mails sent by
faculty and students and Internet searches - to comply with
court-ordered subpoenas or warrants. The FCC's changes will aim to
speed up this process by providing easier access to the information.

Because universities and colleges already partially comply with this
regulation, Carr said some officials are questioning their inclusion
in the new changes.

But Carr said criminals are using Internet networks to communicate in
new ways, increasing the need for government action.

``We have an obligation to make sure digital resources aren't being
used for bad things,'' he said. ``You have to change the way you do
business if you're an investigative agency.''

But many organizations representing universities are expressing
concerns about the possibility that such updates could cost
educational institutions billions of dollars.

But Rick Haugerud, assistant director for Information Services at the
University of Nebraska-Lincoln, said these potential costs could be
inflated because the federal government has yet to specify what
changes universities need to have in place by 2007.

The changes came in response to a March 2004 petition by the
Department of Justice, FBI and Drug Enforcement Administration to the
FCC to include broadband Internet access services and
voice-over-Internet providers, which allow phone calls to be made over
the Internet.

The American Council on Education, a coordinating body for educational
institutions around the country, filed a lawsuit Monday challenging
the new requirements.

EDUCAUSE, a nonprofit educational information technology organization,
also has filed comments with the FCC requesting that the proposed
changes be modified.

``Our posture has been to kind of sit back and communicate with our
user groups,'' Haugerud said. ``They're putting up the money to fight
this thing, and we'll see where it goes.''

With current discussion generated by the issue, Haugerud said UNL is
looking into ways they could comply with new mandates.

``We don't want to do anything that would inhibit our ability to do
this down the road,'' he said. ``We're looking at if this were to
happen, what would we do. ... We're not making fixed decisions, we're
just having conversations.''

As educational institutions wait on detailed instructions from the
federal government, Carr said it is still early to become too worried
since the FCC has only said something needs to be done - not what must
be done.

``But it's not bad to think about it,'' he said.



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Oct 27 2005 - 23:58:45 PDT