Thursday, November 05, 2009

What Data Mining Detects

Cato-At-Liberty correctly notes that data mining is not effective at catching terrorism. What it is able to catch are organized attacks aimed directly at disrupting the communication infrastructure.

It is also able to catch organized criminal activity including organized identity theft.

To have a working data infrastructure, the infrastructure has to have ways to protect itself from threats relevant to its nature. Crashing a data infrastructure, after all, is a matter of percentages: if an attacker can gain control of a given percentage of computers at any given time, the attackers can bring the system down.

Unfortunately, I think there have to be data mining efforts within the communication system aimed at protecting the communication system. The problem is that the FISA model for regulating this activity forces it into the criminal investigation model. The better model is to separate the data mining efforts from the criminal investigation process entirely. The aim of the data mining should not be to seek criminal prosecution of anyone, but to assure the integrity of the communication system. The court oversight shouldn't be driven by the search warrant model used in criminal investigation, but should be something new aimed at analysis, understanding and prevention of cyber attacks.

For example, one of the biggest threats we face is spyware. Spyware is a program installed on a computer that reports on the computer activity of the user to the person who installed the program. Spyware programs use the data communication infrastructure to communicate back to their host, and those reports have discernible patterns. It would be possible for a data miner to identify these patterns and create countermeasures to help identify people engaged in spyware, and help protect people's privacy.
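One concrete form of the "discernible pattern" mentioned above is beaconing: a program that reports back to its host tends to connect on a fixed schedule, while ordinary browsing produces irregular bursts. The script below is an added example, not code from the blog post; it runs over a constructed connection log (the addresses, timestamps and byte counts are invented), groups connections by source and destination, measures the gaps between successive connections and flags pairs whose gaps are both frequent and regular. The `min_count` and `max_cv` thresholds are assumptions for illustration and would need tuning against a real traffic baseline.

```python
"""Beacon detection over constructed connection logs (added example).

Groups connection records by (source, destination), measures the intervals
between successive connections and flags pairs whose intervals are frequent
and nearly constant, the signature of a program phoning home on a timer.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line: "timestamp src dst bytes".
# The 203.0.113.9 destination is contacted every ~300 s with small payloads;
# the 198.51.100.4 destination shows irregular, browsing-like traffic.
SAMPLE_LOG = """\
2009-11-05T08:00:00 10.0.0.7 203.0.113.9 312
2009-11-05T08:01:12 10.0.0.7 198.51.100.4 14022
2009-11-05T08:05:01 10.0.0.7 203.0.113.9 308
2009-11-05T08:10:00 10.0.0.7 203.0.113.9 315
2009-11-05T08:14:59 10.0.0.7 203.0.113.9 310
2009-11-05T08:20:01 10.0.0.7 203.0.113.9 311
2009-11-05T08:03:44 10.0.0.7 198.51.100.4 2201
2009-11-05T08:27:10 10.0.0.7 198.51.100.4 9870
2009-11-05T08:28:00 10.0.0.7 198.51.100.4 512
2009-11-05T09:02:30 10.0.0.7 198.51.100.4 44000
2009-11-05T08:25:00 10.0.0.7 203.0.113.9 309
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def interval_stats(records):
    """Per (src, dst) pair: connection count, mean gap in seconds and the
    coefficient of variation (stdev / mean) of the gaps. Pairs with fewer
    than three connections are skipped; two gaps are the minimum for a spread."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()  # records may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        stats[pair] = {"count": len(times), "mean_gap": m, "cv": cv}
    return stats


def find_beacons(records, min_count=5, max_cv=0.1):
    """Return (src, dst) pairs seen at least min_count times with nearly
    constant spacing. max_cv bounds the jitter: 0.1 means the gaps vary by
    less than 10% of their mean. Both thresholds are assumed values for this
    example, not calibrated figures."""
    return sorted(
        pair for pair, s in interval_stats(records).items()
        if s["count"] >= min_count and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, s in interval_stats(recs).items():
        print(pair, f"n={s['count']} mean_gap={s['mean_gap']:.0f}s cv={s['cv']:.3f}")
    print("beacon candidates:", find_beacons(recs))
```

Run as-is, the script reports the 203.0.113.9 pair (six connections, 300 s mean gap, jitter under 1%) as the only candidate; the browsing-like pair has a similar count but a coefficient of variation near 0.9 and is left alone. Real deployments layer further checks on top (payload size consistency, time-of-day coverage, destination reputation) because legitimate software such as update checkers also beacons, and the candidate list is a starting point for analysis rather than a verdict.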

IMHO, the FISA court model is not working because it was a court created through political motivations in the Nixon years. As such, it tries to force the paradigm used in criminal investigations onto a field that needs to investigate a different kind of threat.

I agree that there should be court oversight of the intelligence community. The court oversight needs to be designed to address the specific security needs of the intelligence community and must be designed so that it evolves and changes as communication technology evolves.

The warrant process used in criminal investigations is not the right model for overseeing the security apparatus of a robust and changing communication system. International security is about identifying threats and figuring out how to protect things. When the oversight is geared toward criminal prosecution, it forces the community in the wrong direction.
