Saturday, February 23, 2008

More InfraGard FUD and misinformation

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus "shoot to kill" claims, but he introduces some erroneous statements of his own. It's apparent that he didn't bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program.

Barnett first goes wrong when he writes:

InfraGard’s stated goal “is to promote ongoing dialogue and timely communications between members and the FBI.” Pay attention to this next part:

Infragard members gain access to information that enables them to protect their assets and in turn give information to government that facilitates its responsibilities to prevent and address terrorism and other crimes.
I take from this statement that there is a distinct tradeoff, a tradeoff not available to the rest of us, whereby InfraGard members are privy to inside information from government to protect themselves and their assets; in return they give the government information it desires. This is done under the auspices of preventing terrorism and other crimes. Of course, as usual, “other crimes” is not defined, leaving us to guess just what information is being transferred.
First, there isn't a "distinct tradeoff." There is no "quid pro quo" required of InfraGard members. All InfraGard members get the same access to bulletins as the others, regardless of whether they share information back. There are some specific sector-oriented subgroups that share information only with each other (and such private groups also exist independently of InfraGard, such as the sector Information Sharing and Analysis Centers, or ISACs). The FBI may come to a company from time to time with specific threat information relevant to them (I've seen this happen once with respect to my own company), but that happens whether a company is a member of InfraGard or not. (Where InfraGard membership might give added benefit is that the FBI knows that the InfraGard member has undergone some rudimentary screening. There are companies that are set up and run by con artists, as well as by foreign intelligence agents, believe it or not, and where there is apparent risk of such a setup, the FBI is obviously going to be less forthcoming than with somebody they already know.)

Second, "not available to the rest of us" suggests that InfraGard membership is difficult to come by. It's not. I suspect Mr. Barnett himself could be approved, as could whoever does IT security for his company.

Third, there's no need to guess about the "other crimes." The FBI's own priority list tells you:

1. Protect the United States from terrorist attack. (Counterterrorism)
2. Protest the United States against foreign intelligence operations and espionage. (Counterintelligence)
3. Protect the United States against cyber-based attacks and high-technology crimes. (Cyber crime)
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational/national criminal enterprises.
7. Combat major white collar crime.
8. Combat significant violent crime.
9. Support federal, state, local, and international partners.
10. Upgrade technology to successfully perform the FBI's mission.

Some might question this list, in particular #5, on the basis of the FBI's past record, but my interactions with law enforcement lead me to believe that there are many who do take #5 quite seriously and would challenge and speak out against actions contrary to it. I was at an InfraGard conference in New Mexico yesterday at which an exchange occurred that went something like this:

Me: I work for a global telecommunications company.
He: You're not one of those companies that's been eavesdropping on us, are you?
Me: No.
He: Good.

"He" was a member of New Mexico's InfraGard--and a member of law enforcement. I'll have more to say about warrantless wiretapping in a moment.

The real issue with this list is that the top two are probably misplaced, and 6-8 (and #10!) have been suffering, as I've previously written about.

Barnett goes on:
Since these members of InfraGard are people in positions of power in the “private” sector, people who have access to a massive amount of private information about the rest of us, just what information are they divulging to government? Remember, they are getting valuable consideration in the form of advance warnings and protection for their lives and assets from government. This does not an honest partnership make; quite the contrary.
There are several key ways in which private industry helps the FBI through InfraGard. One is securing their own infrastructure against attacks so that it doesn't create a problem that the FBI needs to devote resources to. Two is by bringing criminal issues that are identified by private companies to the attention of the FBI so that it can investigate and bring prosecutions. Three is by assisting the FBI in its investigations by explaining what evidence that requires technical skills to understand means, and giving them guidance in how to successfully track down criminals.

Barnett goes on to talk about Rep. Jane Harman's bill in Congress, HR1955/S.1959, which I've also briefly commented on at this blog, and makes some significant errors of fact. He writes this this bill "if passed, will literally criminalize thought against government." That's false--the bill doesn't criminalize anything, it just creates a commission that will write a report and make recommendations. That commission has no law enforcement powers of any kind, not even the power of subpoena. Barnett also mistakenly thinks that this bill contains a reference to InfraGard. He writes:
S.1959, if passed, will be attached to the Homeland Security Act and InfraGard is already a part of the Department of Homeland Security. This is not a coincidence. Under section 899b of S.1959 it is stated:
Preventing the potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily accomplished solely through traditional Federal intelligence or law enforcement efforts, and can benefit from the incorporation of State and local efforts.

This appears to be a direct reference to the InfraGard program.

The reference to "the incorporation of State and local efforts" into "traditional Federal intelligence or law enforcement efforts" in counterterrorism contains no reference to private partnerships, only to combining law enforcement efforts at federal, state, and local levels. This is a reference to what are called "fusion centers," like the Arizona Counter-Terrorism Information Center (ACTIC). The people who work in those centers are people from government agencies (at the federal, state, and local levels) with government security clearances. InfraGard in Phoenix does partner with ACTIC, which in practice means that ACTIC representatives give presentations to InfraGard (all of which I believe have also been open to the general public), ACTIC shares threat information with InfraGard much like the FBI does, and that InfraGard members are encouraged to report potential terrorist tip information to ACTIC. (ACTIC also encourages the general public to do this, which I think is far more likely to waste resources than identify any actual terrorists.)

Note that Barnett is mistaken when he writes that InfraGard is part of the Department of Homeland Security. InfraGard is not a government agency or part of a government agency--it is a non-governmental organization, or actually a collection of non-governmental organizations, which are 501(c)(3) nonprofits, with leadership provided by board members who are InfraGard members. Each chapter has a coordinator from the FBI who is not on the board. The FBI provides guidance and suggestions, but the organizations are run by the boards.

Now Barnett goes into Matt Rothschild territory when he writes: "I’m just speculating, of course, but is it possible that InfraGard will be a domestic police and spying arm for the government concerning “thought crime”?" It's not just speculation, it's uninformed speculation. InfraGard is not part of government and has no police powers of any kind. I've previously addressed the degree to which I think the "spying" is a risk--I think it's relatively low, but worth talking about.

Barnett continues in a Rothschild vein when he says "InfraGard, on the other hand, is an organization cloaked in secrecy. It holds secret meetings with the FBI." This talk of InfraGard being "cloaked in secrecy" is grossly exaggerated. The group has fairly open membership and most meetings are open to the public. When there are meetings restricted to membership, those typically wouldn't be accurately described as "secret meetings with the FBI." I and other members of InfraGard have had private meetings with FBI agents with respect to particular investigations, but it would be inaccurate to describe those as "InfraGard meetings." Law enforcement by its very nature requires a high degree of confidentiality for ongoing investigations, but it is a mistake to infer that this means conspiratorial plotting or spying.

Towards the end of his article, Barnett talks about warrantless wiretapping, telecom immunity, and the secrecy of InfraGard membership:
Considering the recent attempts by President Bush and his administration to protect many telecommunications companies and executives from prosecution for releasing private information, how many of the top telecom executives are members of InfraGard? I, for one, would be very interested in this information, but alas, it is not public information; it is secret.
What's the sense in which InfraGard membership is secret? Only in that it's not made available to the general public. Barnett writes that "no one outside InfraGard is to know who is a member unless previous approval has been given," but this is his misinterpretation of a guideline he quotes, not what it says. There's nothing prohibiting an InfraGard member from identifying themselves as such, only from identifying others as such without their consent. And if you're going to speak on behalf of InfraGard, you need to get approval from the organization first. (And note that I'm not speaking on behalf of InfraGard here, and have had no approval from InfraGard for what I've written on my blog.) If you're an InfraGard member, you have access to the online directory of InfraGard members. If Barnett is really interested in knowing who is a member, all he has to do is join.

As for "how many of the top telecom executives are members of InfraGard," I haven't looked, but I would be willing to wager that the answer is none. I know that none of the members of the "Senior Leadership Team" of my company are members of InfraGard, though my boss, our VP of Global Security, heads the Rochester, NY chapter of InfraGard. Senior executives of large corporations don't have time or interest to belong to InfraGard, and it's not really geared to them, as opposed to members of their physical and IT security organizations.

And as for warrantless wiretapping (I said I'd get back to it), InfraGard has nothing to do with that and it's foolish to think that it would. That activity has involved direct relationships between incumbent telecom providers (AT&T certainly, and probably Verizon as well) and the National Security Agency, with information restricted to employees holding government security clearances on a "need to know" basis, as the ACLU and EFF lawsuits have revealed. These relationships also probably include commercial relationships, and have included movement of personnel from one to the other--for example, AT&T has a Director of Government Solutions who came from the NSA. InfraGard members, many if not most of which hold no government security clearances, are not in the loop on that activity. (For that matter, I suspect few FBI personnel are in the loop on that, either.)

I find it discouraging that articles like Barnett's are written and published. Such inaccurate information serves to distract from real issues and real government abuses and to discredit those who repeat it, when they have other things to say that are worth hearing, paying attention to, and acting upon. I hope that Barnett and FFF will strive for greater accuracy in the future.


Jim Lippard said...

In email to me, Gary Barnett stated that he feels my response is deceptive on the basis of alleged errors. For example, he claims that InfraGard is part of the Department of Homeland Security, on the basis of a statement that "The FBI assigned national program responsibility of InfraGard to the former National Infrastructure Protection Center (NIPC)" and the fact that NIPC is now part of DHS. But this statement doesn't say that InfraGard is part of DHS or NIPC, it says that "national program responsibility of InfraGard" has been assigned to DHS. What this means is that DHS pays the bills for InfraGard's national website, VPN, online forums, and so forth--this is why the DNS service is provided by DHS name servers. The actual hosting is provided by Louisiana State University, under DHS contract.

He also makes two claims in response to my statement that HR1955/S.1959 doesn't criminalize anything or create any law enforcement powers for the commission that it orders to solicit testimony and write a report. First is that this bill is part of the Homeland Security Act, and enforcement capability will come from there. Second is that the current administration isn't following the law, anyway. In response to the second, I agree, but that's not evidence that the bill changes the law in the way he claimed. In regard to the first, there's still nothing in the bill that amends the Homeland Security Act to add any new crimes or enforcement capabilities. No doubt the commission will make legislative recommendations (and I've already said I think having such a commission is a bad idea on this blog), but this bill itself doesn't do so.

Taylor Norrish said...

I would just like the basics... how should I vote on this bill?

Jim Lippard said...

Taylor: Looks like your comment is borderline comment spam to promote your site. Are you posting similar comments on any blog posts that mention bills in Congress? I'll let your comment stand because at least your site looks like an interesting idea, though clearly not yet at a critical mass of users to make it work. I think your system, being based on votes with weak user registration and authentication, is likely to be less accurate at gauging opinion than random polling, and less accurate at predicting outcomes than prediction markets like Intrade (based on betting rather than voting).

You have only one vote registered at your site on S.1959, and it's a vote against. I think that's certainly the way the vote *should* go in the actual Senate.

Taylor Norrish said...

Jim... it's an honest comment and promoting the feature of a direct connection to your reps on (no more phone calls, letters, or trying to figure out which reps to contact). Isn't that cool!!!

I am the founder, and would not try to hide that, or spam you. I honestly believe this is a great call to action for this article.

Would be great to talk offline.