Behind ‘Project 12’

But the notion of extending the government's network monitoring to the nation's critical infrastructure has raised hackles. Privacy advocates, fearing government intrusion on private networks, have already compared the project to the NSA's warrantless wiretapping program. In a congressional hearing last Thursday, Rep. Paul Broun, R-Ga., said the program seemed "a little like the fox guarding the henhouse."

The information sharing strategy revealed in the DHS report may be a compromise. For now, the government is avoiding the controversy of monitoring commercial networks, and instead trading its cyber-threat information for data about intrusions that private companies have detected on their own computers, says the SANS Institute's Alan Paller. "To find the bad guys, we'll need huge analytic engines, with all the right data," he says. "The government can't force these companies to let it watch traffic in commercial networks, so this is one way to get [the private sector] involved."

That doesn't mean the data-sharing project is a guarantee that government monitoring won't eventually be expanded to some parts of private industry, Paller says. He sees the project as the first step in convincing critical infrastructure companies to allow some government surveillance of their networks. Companies possessing classified government data, such as defense contractors, are especially likely to be brought under the initiative's umbrella of surveillance, according to some former government officials. (See "Bush's Double-Edged Cyber Plan."

Jim Dempsey, the vice president of the Center for Democracy and Technology, takes the opposite interpretation: He says the information-sharing project may be a reassuring sign that the cyber initiative will respect the barriers between the private sector and government. But he still sees the project as giving too much power to the NSA, an agency he says "operates in secret and is bent on stealing information."

"The administration has already crossed the line in giving the NSA too much power to monitor its unclassified system," says Dempsey. "If that monitoring were extended to the private sector, that would be an even greater concern."

Jim Lewis, a former Commerce Department official focused on cyber security, argues that the data-sharing meetings don't foreshadow anything so nefarious. Instead, he says, they're intended to rebuild personal relationships between cyber-security gurus in the government and private industry.