Retain or restrain access logs?
Mark Rasch, 2006-06-12

A recent proposal by the U.S. Department of Justice that would mandate Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

Retain or restrain access logs? 2006-06-12
Bob Radvanovsky
I, personally, think that the federal government is biting off A LOT more than it can chew. This isn't so much from the standpoint of *who* will perform this task (probably have a third-party agency performing the task), but is a matter of *how*.

One question that comes up is the accuracy of the attestation. Of the 3 criteria for security that the federal government deems are "critical", those criteria are: (1) confidentiality, (2) integrity, and (3) accuracy. Attestation is the ability to accurately and consistently produce the same evidential fact every time, without tampering of any nature. Obviously, in this scenario, the elements affected are "integrity" and "accuracy".

The element "accuracy" so much from the perspective of asking the question: "Will the information be initially accurate for level of evidential fact?", and "Will the evidential fact be consistent each time that it is called upon?", and last "Will the data 'age' after a period of time?" The last one ties in with the level of "integrity", which asks the following questions of: "Will the data be the exact same data each and every time?", and "What measure will be put into place to ensure that the validity of the data, since it will be called into a court of law, is fair and just, and not unfairly to the advantage of either the criminal *nor* the government charging the possible criminal?"

All of these questions will need to be addressed.

Then comes the BIG part: *who* is going to pay for all of this? If you say the taxpayers, think again. If you say the ISPs, *definitely* think again. Unless the federal government is willing to foot the bill, there may be some resistance from individuals and corporations alike about *who* will pay for this.

Then comes the third and most final effort behind all of this: *how* will the technology be implemented? Obviously, this technology will work similarly to that of an intrusion detection system, logging each and every valid packet. But, *who* will look at the data? Are you simply keeping the data in large log repositories? Think again. The average log size for most ISPs is in the TERABYTES PER DAY. Which comes *back* to the original question of *how* they plan on doing it?

There are several methods by which this can be done, but you are looking at a VERY large price tag for the taxpayers and corporations to cough up.

Copyright 2009, SecurityFocus