


by Dave Gradijan

Sept. 11 Attacks Spur Security Changes Worldwide

Sep 08, 2006 (5 mins)

In the five years since terrorists attacked the United States, Europe has been the target of extremist attacks, as has India. Bombings in London and Madrid and a recent failed attempt to blow up passenger trains in Germany have prompted a security clampdown never before seen on the continent.

Throughout the European Union, governments are grappling with how to guard against terrorist attacks. Meanwhile, Indian IT services companies have beefed up efforts to protect data.

The discovery of bombs in two German trains in July pushed several security measures up the political agenda there. In September, the German government agreed to a new antiterror database, which will be available to authorities across the country and contain information such as a person’s religion, travel history, telephone number, Internet data and bank details. It also approved increased use of video surveillance in public areas.

These measures reflect a gigantic shift in thinking about privacy in Germany, which has been highly sensitive about data protection and surveillance because of its Nazi history and, more recently, the Stasi secret police in the former communist-run East Germany.

The need to tighten security has created demand for new technologies to help authorities combat terrorism. The German subsidiary of IBM, for instance, is working on new technology that will enable computers—not human beings—to filter information from the cameras monitoring public areas and other locations.

Two German companies have developed a new biometric system for identifying airline passengers. Lufthansa Systems Group, the IT services arm of German airline Lufthansa, and high-security document producer Bundesdruckerei have developed the SecBoard system. The companies hope that the system, designed to conduct biometric checks on passengers prior to boarding an aircraft, will play a significant role in “trusted passenger” programs planned by the airline industry to increase security.

In the United Kingdom, the government is close to activating part of the Regulation of Investigatory Powers Act (RIPA) of 2000 that deals with encrypted data, one in a set of powers covering electronic surveillance and wiretapping. Authorities say the increased use of encryption is hampering their access to information on suspects’ computers.

RIPA would allow police to demand that a suspect decrypt data or face up to two years in jail. The encryption measure in RIPA has remained dormant since the techniques weren’t widely used when the law was passed, according to the U.K. Home Office.

Terrorist suspects already face up to five years for failing to decrypt data or provide an encryption key. But critics contend the law, which would apply in more than terrorism-related investigations, gives too much power to law enforcement and has the potential for abuse.

High-ranking officials could demand the decryption of data without a court order, and the law binds to secrecy those served with a request. Experts say the law could increase the chance that, if seized, a company’s mission-critical data could be mishandled.

Elsewhere in Europe, heads of state met to discuss 57 antiterrorism measures two weeks after the March 11, 2004 bombings of four crowded commuter trains in Madrid. Among the measures discussed were the surveillance of telecommunications, Internet communications and air transportation.

Civil liberties groups accused them of using the fight against terrorism as an excuse to increase police powers.

European Union legislation was slow to follow, but starting in September 2007, telecom carriers and ISPs must keep data on all mobile and fixed-line calls for between six months and two years. Starting in March 2009, they must keep data on voice-over-IP calls, Internet connections and e-mail messages. Law enforcement officials will be able to demand the date and time of calls and messages, along with identifying information on the calling or sending and receiving parties, but not the content of the communications.

In India, the Sept. 11 attacks were not a watershed event because the country experienced frequent attacks by Kashmiri separatist groups demanding independence.

Even before Sept. 11, some of the large Indian IT services companies had hardened data centers supporting their offshore businesses, said T.R. Madan Mohan, an analyst at Frost and Sullivan. After websites of a ministry of the Indian government and an Indian atomic energy agency were hacked, and anti-India messages posted on these sites, Indian businesses showed increased concern about the need for intrusion detection and related security measures, he added.

Infosys Technologies, India’s second-largest outsourcer, already had disaster recovery and business continuity plans in place before Sept. 11, said a spokeswoman for the company in Bangalore.

However, those attacks brought the threat of terrorism into sharp focus for India’s export-oriented industries, such as software outsourcing, because U.S. and European customers began worrying about the preparedness of their Indian suppliers for terrorist attacks.

(Reported and written by John Blau in Dusseldorf, Germany; Peter Sayer in Paris; Jeremy Kirk in London; and John Ribeiro in Bangalore, India, and assembled by Grant Gross in Washington, D.C.)

By IDG News Service staff (Dusseldorf Bureau)
