Defending against cyberattack

By DEBORAH RADCLIFF
Network World, 08/23/99

In the midst of Year 2000 chaos, key power grids across the country go dark, telecommunications and data networks crash, and emergency services are crippled.

Even worse, public switched telephone network-based leased lines that carry military communications are toast. Military bases, powered by public gas and electric, are knocked out. And troop movement is disrupted because railway, seaport and airport traffic is at a standstill.

But this is not a Year 2000 problem. It's just a convenient smokescreen that the enemy hides behind when it launches a cyberwar - and America has just lost.

It's a war in which no bombs are dropped, no guns are fired, no blood is shed. But America's infrastructure is nevertheless left in ruins. In this scenario, the weapon of mass destruction is technology; the militia, an army of foreign hackers bent on taking down key services vital to the nation's stability.

Could this really happen? Absolutely, says Deputy Assistant FBI Director Michael Vatis, who heads a new cyberdefense agency, the National Infrastructure Protection Center (NIPC).

"In the information age, our critical infrastructures - services vital to our national economy and stability - are subject to debilitating remote attacks that can shut them down. Already, weapons of mass destruction - computer viruses and attacks that can overflow buffers and shut networks down - are available off the Web. "We have concrete information about several foreign countries that are developing programs to target the U.S. and our critical infrastructure in particular," he continues. "I just can't say publicly what countries those are."

The U.S. government takes this threat so seriously that President Clinton last May ordered a full-scale obilization to defend the nation against cyberattack. Clinton's directive called for the creation of a number of programs ranging from the FBI-managed NIPC to industry-specific centers for the sharing of information between private companies and the government (see story).

However, the creation of these Information Sharing and Analysis Centers (ISAC) and, in fact, the whole effort to develop a public-private partnership on security, is on shaky ground because companies are very reluctant to share network security information with the feds.

Bridging the gap
Two years ago, Nancy Wong took a leave of absence from her job as director of information assets for Pacific Gas and Electric Company in San Francisco to work with government and private industry on security issues.
"When we did focus groups in 1997, the overwhelming issue was lack of awareness," she says.
She tells the story of an electric company that installed intrusion detection and caught more than 100,000 unauthorized intrusions into its network over three months - 10 of which warranted investigation. Another problem she discovered: "Too many companies were running proprietary information over the Internet as if it were secure."
When considering the value of your company's information assets, Wong suggests asking three questions: What impact does a catastrophic event have on business viability? What impact does it have on your ability to deliver service to your customers? What impact does this have on your company's risk, liability and relationship with investors?

The concern about government intrusion into private security matters made the front pages late last month when the Electronic Privacy Information Center (EPIC) in Washington, D.C., sounded alarms concerning potential federal monitoring of private-sector networks.

EPIC went so far as to charge that a newly announced federal intrusion-detection network (FIDNET) will link directly to the private industry sector information sharing groups. That charge was denied by Sally McDonald, spokeswoman for the General Services Administration, which manages information services and information security for the federal government. She says the yet-to-be-defined FIDNET will in no way link to private sector networks.

But EPIC's general concerns are shared by many in the business community, even by those who are on board and working to build this cyberdefense system.

"The government wants to facilitate private industry taking care of itself. This means building trust in the partnership, and government has not done a good job handling this in the past," says Nancy Wong, a Pacific Gas and Electric security expert who has taken a leave of absence to work with federal officials on the cyberwar defense project. "That is the difficulty and challenge that [the government and FBI are] having now." For example, there's already bad blood between the software industry and the FBI over the sticky issue of government controls over encryption exports. And industry leaders are adamant that any information they provide on attempts to hack into their networks or the results of security evaluations be reported anonymously. The goal, from the government's side, is a two-way sharing of information. Federal agencies will share information on threats, vulnerabilities, orchestrated attacks, assessment services and network security products (patches, vendor product recommendations and others) to the private sector through the ISACs. In turn, the feds hope the ISACs will push the same information from the private sector to the appropriate government agencies.

But many issues need to be resolved before that happens. While some private sector groups are answering the call to create these centers, the issue of anonymity remains undecided.

The feds say they need some way to verify the source of the information, and they can't do that if it comes in anonymously, says Guy Copeland, vice president of information infrastructure protection advisory programs for Computer Sciences Corp., an $8 billion technology services company in Washington, D.C. Copeland sits on the National Security Telecommunications Advisory Committee (NSTAC), an 18-year-old presidential advisory board that is positioning itself to become the ISAC for the telecom industry. Therefore, industry leaders are taking a wait-and-see approach to sharing information with the government, he says.

The financial services sector plans to build and maintain an ISAC, says Steve Katz, chief information security officer for CitiGroup in New York. But at this point, the financial services ISAC plans only to receive information, but not send any to the government, he says.

Katz adds that if the industry does agree to send information back to the government, it will do so only with a "tremendous firewall" between government and the private sector.

The FBI and other federal players involved in the project are well aware of industry concerns and are making a concerted effort to overcome them. For example, the FBI, with the help of industry executives, is training 214 field agents to understand business culture and fears of lost privacy. So far, these agents have learned the business ropes from folks in the telecom and energy industries, with more training to come from other vertical industry executives, the FBI's Vatis says.

The federal agencies have also recruited private-sector professionals, such as Pacific Gas and Electric's Wong, to better manage business concerns. Wong says she's had many a conversation with political decision makers who think the solution is to "regulate software makers" or dictate security measures in private industry. Each time, she tells them that the Constitution - and American business leaders - won't stand for it.

To better reach business leaders, she advises the feds to present infrastructure vulnerabilities as a business problem instead of an "information war" - a term at which Wong crinkles her nose. After all, information security is directly tied to a company's bottom line. A breach of infrastructure networks could interrupt the business processes, resulting in lost customer and shareholder confidence, even the company's viability; and that's what is important to the private sector, she says.

In spite of this natural tug-of-war, private sector companies are coming around to help the government protect them against what they feel is a serious threat, Katz, Wong and others say. "I have worked with a great many difficult projects in my life, and this is by far the most difficult," says William Harris, a former member of a federal commission on the topic. "This problem requires a true partnership between government and industry. There's such an enormity of consequences if we don't do the right thing."

Another shaky trust issue: the wording of the presidential directive allows for government intervention should it be deemed necessary. The FBI and the Federal Emergency Management Agency (FEMA) are granted the authority to "coordinate the rapid reconstitution of minimum essential capabilities in the aftermath of an attack."

"If private industry doesn't take care of itself, that's when the government will have to step in," Wong warns. Thus far, FEMA has made it clear that it will keep its distance from the cyberdimension, Wong says. "FEMA only wants to get involved when it sees the physical disruption occur," she adds. That means bombs, debilitating natural disasters or other physical sabotage that would knock out vital services.

In addition, federal and emergency response agencies need to figure out how they will integrate with one another. And the legal system needs to catch up with 21st-century cybercrime.

There's one more giant hitch to the president's program: When Clinton leaves office, all this work could be for naught because his directive, a Presidential Decision, is valid only as long as he's in office. For the infrastructure protection program to live on, Clinton must sign a Presidential Executive Order.