01 June 2007

Theoretical security and the more, unpleasant, reality

Well, with the inanity of the Illegal Alien Amnesty Bill come those who do put forth that it would actually *help* find and stop terrorists! A h/t to Curt at Flopping Aces for pointing out this post at Big Lizards by Dafydd ab Hugh responding to Hugh Hewitt's worries about terrorists getting a parole Z-Visa and being here legally in: Where's Walid? In this exercise we will posit that the bill actually passes! From there we will pass into the theoretical projection and see where it leads us. So let's take it from the mid-way point:

Suppose the bill passes, and a bunch of illegal immigrants apply for Parole Cards (the provisional Z visas -- at least, that's what Sen. Jon Kyl, R-AZ, 92%, calls them). Hugh's worry is that among all the Gonzaleses and Ramirezes and Garcias will be hidden a few Mohammeds and Zarqawis... or even a Padilla or two.

Hugh is terrified that these terrorists could also apply for Parole Cards, and then be able to move around the country, get work, and even exit and reenter the United States at will. Of course, they can do that today... but Hugh seems to believe that they're more likely to be caught and deported today, with no bill, than they would be next year with a bill and Z visas and Parole Cards. (I have no idea what current mechanism for capturing and deporting them Hugh sees; it certainly eludes my sight.)

Let's carefully break down what it means to exit and reenter the country and to work: The border-crosser must show a passport and a SmartVisa. Specifically, he must swipe the card through a reader; this necessarily creates a record of leaving and reentering. Too, moving from place to place within the U.S. and working also creates a phosphor trail. But so what? How does that help capture terrorists?

Enter the CIA's old computer connection-tracking program, Total Information Awareness. Congress got hysterical in 2003, defunding it -- or so they thought; but it's widely believed still to be in existence, just shifted under the umbrella of black-ops programs and funded by secret accounts.

Ah, such a lovely trust of the Federal procurement system and the ability of the CIA and other organizations to create an interconnect database system that will do its very own dot connections and spew out the leads and such as it goes.

Now, here is the deal with this bill: it requires scanty evidence to apply for a Z-Visa and the automatic grant of such. Let us see about this in section 601 of the online markup page at NZ Bear's site. For once I will try and spare the dear reader of large amounts of quoted text and cite important pages and references! I am sure there will still be lots of quoted text, however.

Starting with Section 601 on p. 260 we get who, being here illegally, can apply. Now far be it from me to point out the conundrum of being here illegally being a violation of not only National Law but any number of Treaties as I already did that with this post and this post. Yes someone applying must now demonstrate that they were here illegally for at *least* 180 days prior to 01 JAN 2007 or for 90 continuous days before that date! And what do they need to get in? Here is 601 (2)(g)(2)(A):

(A) In General.--The application form shall request such information as the Secretary deems necessary and appropriate, including but not limited to, information concerning the alien's physical and mental health; complete criminal history, including all arrests and dispositions; gang membership, renunciation of gang affiliation; immigration history; employment history; and claims to United States citizenship.

And in (3), fingerprints are added to that. All of this fully documented and cross-checked! And in 601(2)(h)(1):

(1) IN GENERAL- An alien who files an application for Z nonimmigrant status shall, upon submission of any evidence required under paragraphs (f) and (g) and after the Secretary has conducted appropriate background checks, to include name and fingerprint checks, that have not by the end of the next business day produced information rendering the applicant ineligible -

(A) be granted probationary benefits in the form of employment authorization pending final adjudication of the alien's application;

(B) may in the Secretary's discretion receive advance permission to re-enter the United States pursuant to existing regulations governing advance parole;

(C) may not be detained for immigration purposes, determined inadmissible or deportable, or removed pending final adjudication of the alien's application, unless the alien is determined to be ineligible for Z nonimmigrant status; and

(D) may not be considered an unauthorized alien (as defined in section 274A(h)(3) of the Immigration and Nationality Act (8 U.S.C. 1324a(h)(3))) unless employment authorization under subparagraph (A) is denied.

(2) Timing of Probationary Benefits.--No probationary benefits shall be issued to an alien until the alien has passed all appropriate background checks or the end of the next business day, whichever is sooner.

Yes, you have read that right: in 24 hours! In just one business day you have the full and complete backing of the ACLU and, no doubt, various lawyers working for such notables as the American Muslim Union, on your side!

Mind you, even if your papers don't pan out in the long run, the burden of proof is upon the government to 'show cause' why you should be deported, and as you have all the legal rights under the Constitution, you can then tie up the system for months or years in getting any prosecutions done. Show up at 5 pm one day, and 5 pm the next and every Local, State and Federal criminal database, plus database of known terrorists, plus checking out your actual documents to see if you actually are who you say you are, and the fingerprint database (has that finally been reconciled with the rest of the FBI's databases? I mean those folks spent 10 years trying to get a few databases to all operate together and billions of dollars and failed to do so. Twice.), verified your background fully and completely as can be done for someone coming from, most likely, a Nation with scanty computer resources, personnel and other capabilities....

The idea of background checks is that they are: lengthy, thorough and act as a screen BEFORE you give someone goodies to make sure they are who they say they are and are deserving of same. This system is based upon the supposition that they DO DESERVE THEM and that little effort can be put into actually *checking them out*. One is now in the exact position which Dafydd has posited: we cannot screen out bad actors because of the limitations of time placed upon such verification. And since so much falls upon the documentary evidence here, a bit later on, is the sweetened, condensed listing of what is acceptable: anything that establishes their presence, employment, or study, bank records, business records, employment records, labor union or day labor center, remittance records, sworn affidavits from nonrelatives who have direct knowledge of the alien's work, that contain (name, address, phone number, nature of relationship), or anything else the Secretary finds acceptable.

I call this aspect of it: the forger's full employment act.

If memory serves DHS and State had to weed out over 6 million incomplete, invalid, false or forged documents and try to verify a good number of them when looking at Visa applicants. That was *only* for Visa applicants, as Citizenship takes some time to go through the processing and weeds out its own bad papers. If the 7 million number for illegal aliens is correct, the absolute minimum number of pieces of bad paperwork to be checked out will be astronomical.

When I looked at the person-to-person banking and business systems that operate for money laundering, the number of connections to organized crime and terrorism is readily apparent. It is now possible wherever any of these informal systems operate to get bank, business, presence, employment, or, indeed, any of the records listed via the person-to-person contact system and have them delivered to you for a cash payment in your Nation of origin. Dafydd does believe that the TIA concept can actually *cover this*:

The reason it was so effective is that it was simply an object-oriented database data-matching application. It was not programmed with any pre-existing biases for one type of connection above the others; it noted and kept track of any and all connections between datapoints -- between Walid the terrorist and Guido the Mafioso, for example. Then it allowed for queries at any level of complexity.

The operators looked for connections where they would not expect to find any. Of course you could find a connection between the Secretary of State and various unsavory political leaders; that's the secretary's job. Nobody thinks Condoleezza Rice is in league with Bashar Assad simply because she met with him during a trip to Syria.

But suppose some dentist in Minneapolis calls Zarqawi in Iraq, then is called by a known terrorist in Pakistan, then is spotted by the FBI having lunch with an arms dealer in Minneapolis, then shows up as a co-signer on a loan to buy an airplane, when the other co-signer is a radical imam operating at a mosque out of Idaho.

Those connections are completely unexpected; why would one lousy dentist know all these people? In fact, that pattern is so suspicious that we should initiate surveillance to see what our "dentist" is up to.

But without TIA, the authorities would never have stumbled across the connections because they cross jurisdictional boundaries: The CIA identifies the terrorists abroad; the NSA records the calls; the FBI is tracking the arms dealer; and nobody is paying any attention to the imam. Without a single, unified database to bring all these observations together, nobody would notice the previously unknown dentist at the center of the web.

Now we take the TIA database... and we add to it the Parole Card and Z visa. Suppose we're looking for Walid Achmed Mohammed, a suspected jihadist who is thought to have sneaked into the United States in 2006 under an unknown alias. Today, we would have no idea where Walid could be found; because he is underground, he could be anywhere, under any name, working for anyone.

We make some educated guesses; let's suppose, just as Hugh fears, that Walid gets himself a Parole Card so he can move about and in and out.

CIA informants report that Walid was spotted at a "terrorism convention" in Pakistan in January of 2008; then another source believes Walid was at a training and planning session at a safehouse somewhere in Madrid in July. But that's all we know.

Under today's rules, that doesn't help us at all. But under the rules established by this bill, the very first thing we should do is query the TIA database to see which holders of Z visas traveled to Pakistan in January 2008 and to Madrid in July of 2008... I'd bet there were not that many. (Check not only direct routes but the roundabout routes that terrorists tend to use; the CIA is actually pretty good at that nowadays.)

Then you take that list of Social-Security numbers, winnow out the obvious non-targets, and plug that into the Z-visa employment database. This will tell you where the eight or nine potential "Walids" have worked in the past year. Since the real Walid has no reason to believe he has been outed, he will probably follow the same pattern... criss-crossing the country carrying messages and money and working for the same set of employers along the way.

By staking out each of those employers around the times he usually shows up, we suddenly have a very good plan for grabbing Walid Achmed Mohammed and hustling him off to Gitmo. And the best part is, neither he nor anybody in his cell would have the slightest idea how we did it!

I have some bad news for this lovely, object oriented system: when things are done at a distance with no record of intermediaries, you will, indeed, start to stumble upon irregularities and you will have no idea what they mean. There is this lovely conception that data falls neatly together when it is properly tagged, entered and categorized. I have some bad news for anyone believing this on the Federal side: to cross the number of databases and their networks and security classification levels to do this is impossible.

The DoD, to get some better connectivity, spent 3 years to try and get from 7 different networks, each with their own classification and security constraints down to 5. The number of organizations involved included: NSA, CIA, DoD (Pentagon level), NRO, NGA, DISA, Dept. of State. When I last saw that project it was 2 years behind schedule, over budget and not working to segregate data streams like it should. That was some years back, but points to the Turf War problem and the inability of these actors to all play in the same sandbox.

Getting this splendiferous TIA working is another matter: it was never Total in any way, shape or form, nor designed to receive such large amounts of data, but to utilize clean data sets that had relatively rigorous metadata standards applied to them. To do *that* to this immigration bill will require all of the following to cooperate closely: DHS (including ICE, Border Patrol, and various other offices), FBI, Justice (Hoover building level, and no it isn't ALL FBI), IRS, HHS, CIA, NSA, DoD, DISA, State, Treasury, all of the State Criminal Databases, and various international databases that the US has entree to via Treaty (like that Canadian one that put out bad information on an individual and the Canadian system was so CF'd that they could not even figure out if he was a citizen). Each of these groups comes with multiple databases, with multiple different and often non-agreeing metadata standards, each with their own sign-offs on who can and cannot use the system and at least 3 or 4 different and incompatible security classifications. Excuse me while I apply my background to this and state, definitively, that if you want this system up and working in less than 10 years, you are pipe dreaming.

We will have Quantum Computing before this massive database project gets *started*. People love to wave the magic wand of CIA around and make it out to be some splendid Agency that can work absolute miracles. They cannot even stop National Security leaks from their own Agency and the volume of those and number of operations and agents put at risk from those leaks makes a number of folks wonder exactly *who* they are working for. I would set the funding for this massive computer system in at around $3-5 billion, because of the amount of work and standardization that needs to go on up front before it can even be tested. This will require cross-working database standards, metadata standards, coming up with agreed upon internetworking capability, figuring out what the classification standards will be for the inflowing and outflowing data, finding out which networks need to get some inter-connectivity to them and working *those* issues, and that is before you even decide who can be allowed to have access to the actual, resultant data. That is the glory of object oriented databases: they like to know what the objects actually ARE and have good and clean definitions of them before you start. Meanwhile, for the next decade, you are stuck with multiple, incompatible databases, differing security standards, different computer networks and limited access to the resulting work product and all numbers of Agencies throwing hissy-fits that their turf is being invaded.

Mind you, a decade and $3-5 billion is OPTIMISTIC. I have personally seen more reported on other projects with higher amounts for less result in the recent past in the Federal Government because the lovely folks trying to put a neat and spiffy capability together do not understand the very basics of what it takes to actually get all of those lovely different parts of the government to work together. For something this size the Technical Working Group meeting will be at least 5-15 individuals from each of those groups I mentioned, including separate entourages for the sub-groups as they all are 'stakeholders' in the various systems and will have their work impacted by anything that fiddles with them. To get one relatively minor project going in one Agency, I have held working group meetings that consisted of over 30 individuals. And that was for a project that had high level blessing, which only means the back room knife fights are kept to a minimum.

We will get this splendid system that Dafydd posits the exact same day the HAL 9000 is put online.

Remember: each of those lovely documents needs some sort of tie-back, cross-check and such. These person-to-person banking and transaction systems have wide reach and scope, so the ability to find the disparate datapoints is damned difficult when someone from Syria contacts a peso exchange operator via a local hawala to get documents from, say, Denver, to show that someone has *lived there* and all you need are some relatively minor and obscure residency and employment records. These people are not *fools* who have been outwitting the FBI, CIA and other Federal Agencies for decades: they know how to leave a damned near impossible to find trail that leaves everyone looking legitimate and yet transacts and launders funds on a global basis.

This is before we even factor in the problem that Dafydd's 'Walid' can walk over to Mexico, jet out to Pakistan for a month, be spotted, come back, and have documents that PROVE he has been in the US all this time because he did not go through the border controls and picked up a different passport and visa for Pakistan from a contact on the other side of the border. By circumventing those lovely inputs, the CIA would *prove* that he was in Pakistan but have nowhere else to go because he had used the Transnational Terrorist and International Organized Crime internetworks to his advantage for cash advances, spending, visas, passports and such. And because he is utilizing the criminal side of things and getting false employment records for 'day labor' work that is minimal income it would be extremely difficult to demonstrate that he had *not* been here.

In this, even if the system works, the structural deficiencies of the actual, physical border and transport across it make the entire concept irrelevant. In point of fact, without physical barriers that are impassable and some way of checking for things like light aircraft and ultralights, there is *no way* to make individuals go through the actual ports of entry. And, because of Moore's Law, I will believe in a 'virtual wall' the exact same time that we get a 'virtual bathroom'. No real toilet paper allowed.

I place an actual, real, physical wall *with* sensors at around $5 billion and it would go up a damned sight faster than any data warehouse interconnection concept inside the Federal Government and have the great and good benefit of being armed, stopping illegal flights and having deep pilings to stop tunneling. If we had one of THOSE we could then have good, controlled ports of entry and actually consider this lovely data scheme, or just make enforceable and trackable Z-visas via it. But then if we had an actual, real, physical wall with deterrents of the lethal sort on them we would not have this problem in the first place now, would we?
