The FBI is spearheading a new effort to defend against the ravages of information warfare. But are you ready to trust security to the feds?
The U.S. government established the National Infrastructure Protection Centre (NIPC) last February to detect, prevent and respond to physical and electronic attacks against government facilities, public utilities and private businesses.
Read this story to learn:
Why corporate information systems are vulnerable to attack
How businesses can learn from the NIPC
How NIPC officials plan to overcome businesses' resistance to the government's national security efforts
In California, two thrill-seeking teenagers penetrated supposedly secure computer systems at Lawrence Livermore National Laboratory and the U.S. Air Force. In southern Florida, 911 emergency networks were jammed by a trouble-making programmer in Sweden. In New York, an infamous band of Internet hackers is alleged to have vandalised the New York Times Web site - twice in two days.
And in Washington, D.C., deep within the fortified corridors of FBI headquarters, the nation's newest law enforcement entity takes aim against these and other threats to the nation's critical information assets.
The National Infrastructure Protection Centre (NIPC) is the federal government's new, first line of defence against those who would wage what has been termed "information warfare" - attacks against strategic computer systems by terrorists armed not with explosives and firearms but with PCs and modems.
For years, the nation's defence and intelligence leaders have feared such attacks were possible. But now, with the ubiquity of inexpensive consumer electronics - and a noted increase in intrusions such as those mentioned above - these same leaders fear that such attacks are probable. Established by a presidential directive in February, the NIPC is led by the FBI and directed to detect, prevent and respond to any physical or cyber threats against the country's critical government installations, public utilities and private industry.
The NIPC doesn't want to go it alone. Part of its mission is to partner with the business community - to help IT executives protect their critical information systems, while at the same time leveraging their knowledge in bleeding-edge technologies. But to do this, the NIPC first must forge relationships with sceptical business leaders who are suspicious of what the NIPC's helping hand might help itself to later.
The Invisible Threat
Michael A. Vatis is the NIPC's chief, occupying a modest office in a sparsely decorated wing of the FBI's J. Edgar Hoover Building. With a view of Pennsylvania Avenue, the 35-year-old attorney could be forgiven for an occasional glance at the goings-on at Independent Counsel Kenneth Starr's office across the street. But even if Vatis had time to stare out the window, he wouldn't see a political battlefield - he'd see the menace of information warriors.
"The threat is absolutely real," Vatis says, listing three guises of potential terrorists. Intelligence reports identify some foreign nations (you can guess which ones) as plotting full-scale electronic attacks against the United States. Less-sophisticated groups - organised crime rings, spies and the ilk - are scheming to extract sensitive data from our private networks. And thousands of hackers test their skills at the expense of security systems.
How serious are the intrusions? The Defence Information Systems Agency reports that in 1995 some 250,000 attempted electronic attacks targeted the Department of Defence alone - a number that is expected to grow each year.
Meanwhile in the business world, the third annual Computer Crime and Security Survey by the Computer Security Institute, a San Francisco-based membership association, found that 64 percent of responding companies reported at least one unauthorised use of a system in the past 12 months. And these are just the intrusions that are reported. Like assault cases, incidents go unreported because the victims are embarrassed.
The private sector is particularly vulnerable to attack - not just by hackers but by viruses. The International Computer Security Association Inc. (ICSA), a global security information and resource company based in Reston, Va., recently surveyed 200 medium- to large-size companies willing to respond and found that 70 percent were susceptible to hackers. These same companies encounter up to 314 different computer viruses every month and spend $800,000 to $900,000 per year fighting them.
Unfortunately, businesses don't see themselves as targets of information warriors, says Vatis. "In the old days, businesses would take steps to protect themselves against criminals who would want to steal their money or sensitive information, and some of them might have had to protect themselves against physical sabotage," he notes. But few private sector companies worry about a terrorist attack that is aimed not at theft but at shutting them down.
The NIPC has three primary objectives:
Warn of threats
The NIPC includes staff from the departments of Defence and Treasury as well as from the CIA and FBI, and it has access to scads of data about potential threats inside and outside the United States. By developing a robust warning system (currently being designed), the NIPC will tap all these information sources, analyse the data and establish a secure link by which it can warn business leaders in advance of likely threats.
The NIPC is also designing a new database to analyse information collected from all cyberintrusions and identify links in cases that might be related. "What's different about cybercrime from physical crime [an attack or a break-in at a single site] is that multiple things can happen in many jurisdictions and still be part of one attack," Vatis says. "[Cybercrime] requires a much greater degree of coordination."
Pull the plug on perpetrators
Because the NIPC is run by the FBI, it can arrest criminals. If enough perpetrators are jailed, Vatis says, then the deterrent factor should reduce the ranks of potential intruders. And victims will see that there is a reward for reporting these intrusions - that violators will be caught and punished.
Challenges Facing The NIPC
Yet to build these state-of-the art systems and fill them with the desired data, the NIPC must convince businesses to share their secrets. Here's where the plan hits a snag.
First, businesses don't want to share their dirty laundry. CSI's latest computer crime and security survey shows that of the 64 percent of organisations that did willingly acknowledge security breaches last year, only 17 percent reported the incidents to law enforcement agencies. The top two reasons why the attacks weren't reported are fear of negative publicity (83 percent) and worry that competitors would use the information to their own advantage (74 percent).
Now, Vatis assures business leaders that the NIPC can and will keep its investigations under wraps until the cases hit the courts - which can be months, even years after the actual crimes. At that point, the businesses can spin the story as "We saw a problem, and we addressed it."
But public perception isn't the NIPC's only challenge. Encryption is an ongoing sore spot.
For years the FBI has resisted businesses' efforts to ease U.S. restrictions on encryption software, which allows users discretionary access to proprietary data. The FBI considers encryption software a national security risk (state secrets could be smuggled to foreign spies) and has steadfastly fought business lobbyists who see encryption tools as a means of competitive advantage. "To be so antiencryption and then say they're going to 'save' us from cybercrime - people in business, especially in high-tech, just don't buy it," says Peter S. Tippett, president of ICSA.
Tippett doesn't dispute the validity of the threat the NIPC has identified. "No doubt these [intrusions] are happening," he says. "But a lot of people are asking, 'Do I really want to turn over the keys to my private stuff to the government?'"
And that's another problem: The NIPC represents the government, and many businesspeople equate government with slow and unresponsive. James Adams, author of The Next World War: Computers Are the Weapons and the Front Line Is Everywhere (Simon & Schuster, 1998), posits that for the first time since World War II, government and military technology now trails, rather than leads, civilian technology. The NIPC, therefore, will have a hard time getting the attention of high-tech business leaders wary of government intrusion. The NIPC "has a technological credibility problem," Adams says. "Nobody I've ever met has said the FBI is a technologically sophisticated organisation as compared with companies in the private sector."
So far, CSI Director Patrice Rapalus doesn't sense outright resistance from business leaders. But she also doesn't sense awareness of the NIPC. In fact, most executives know little more than the NIPC's existence. "I don't think there's been enough outreach, really," Rapalus says. "People are receptive [to the concept of the NIPC], but they're also taking a wait-and-see attitude."
And indeed in cities such as Cleveland, where local FBI agents have made a concerted effort to preach the NIPC's gospel, the response from business executives has been encouraging. Dave Strothcamp, a computer security professional at a Cleveland emergency services organisation, is a charter member of the NIPC's InfraGard project, which essentially is an information-sharing support group for computer security professionals (see "Partners in Crime"). Initially, "there was some level of discomfort among executives when they heard FBI," Strothcamp says. But because FBI agents took time to explain the NIPC agenda, to listen to businesspeople's concerns and show how businesses and the FBI can work together, suspicion has turned to cooperation. "It's not like the FBI is going to come in and take over your organisation," Strothcamp says. "They just have to explain exactly what it is they're trying to do - build a long-term relationship with businesses."
The Future
Since February, the NIPC has been funded to the tune of $64 million for fiscal 1999, and staffing is almost complete. The NIPC will have 125 full-time employees with 85 from the FBI and 40 from other governmental agencies and the private sector. The centre has 500 investigations pending so far, ranging from small security breaches to a major defence intrusion that resulted in the convictions of the two California teenagers responsible for the military intrusions referenced earlier (see "A Close Call"). Likewise, the Swedish programmer was caught and punished for his 911 disruption, while the suspected Times hackers have at least been identified, if not (as of press time) caught.
To be successful, Vatis and his critics agree, the NIPC must show results soon: build its indications and warning system, catch some criminals and - most important - forge a collaborative relationship with business. Toward this end, Vatis regularly attends computer security conferences and speaks to groups of IT professionals, and he plans to schedule a series of one-on-one meetings with key business leaders. "We're prepared to hear from private industry about what they would like to receive from us," Vatis stresses.
And they aren't alone. Adams, the former CEO of United Press International, started his own private-sector version of the NIPC, Infrastructure Defence Inc., based in Reston, Va. Adams hopes his organisation can help facilitate the NIPC's outreach to private industry. But already he sees a huge obstacle ahead of both groups. "The level of ignorance is very high," Adams says. "Only a limited number of people even understand what critical infrastructures are, never mind what the vulnerabilities are."
The primary challenge for the NIPC and its supporters is to demonstrate that teenage hackers and prankster programmers are but the first wave in what could be an all-out assault against critical information systems.
The message to business leaders is clear. "We're going into a different era of war," Adams says, "and we've got to prepare our defences carefully if we don't want to be casualties."
Senior Writer Tom Field can be reached at firstname.lastname@example.org.
Partners in Crime
Who says the public and private sectors can't play well together? In Cleveland, the FBI and local leaders teamed up to create InfraGard, a cooperative effort to share security expertise and information about threats to the region's critical infrastructure.
Fully operational since this past summer, InfraGard represents a partnership among local FBI agents and business leaders, who set aside partisan issues to share tips about security threats. Their link is the Alert Network, an encrypted software application created by AT&T Corp. that allows the FBI and InfraGard members to communicate securely via e-mail. Whenever an intrusion occurs at an InfraGard member organisation, the onsite security representative sends two notices to the local FBI office. The first notice is a detailed incident report of everything the FBI needs to investigate the incident; the second is a sanitised version that excludes any details that could identify or embarrass the company. The sanitised report is shared with all InfraGard members.
Currently, 44 companies belong to InfraGard in Cleveland with another 160 in Columbus, Ohio, and Indianapolis, and the pilot program is considered such a hit that the FBI's National Infrastructure Protection Centre (NIPC) is planning to build a national InfraGard network.
Brian Vigneaux, a special agent in the FBI's Cleveland office, helped get the InfraGard ball rolling in 1996, and he is surprised at how quickly the initiative was embraced. "I thought I'd hear, 'Yeah, this is just your typical government thing,' and then [business leaders] would walk away," Vigneaux says. "But people have really taken this project and kept it moving."
The big success, according to Vigneaux, is the new relationship between the FBI and local security experts. "During the recent Iraqi tensions, HQ asked all the FBI field offices to identify the key cybersecurity people in their regions," Vigneaux says. "Every other field office was scrambling; we already had identified those people. We already had good relationships started."
Dave Strothcamp, computer security professional at a Cleveland emergency services facility, was a charter InfraGard member and gives whole-hearted support to the project. "Hackers have their own support groups to share information. But up until now there's been no environment for people with good intentions about security to share advice and work together," Strothcamp says.
- T. Field
A Close Call
In February, the U.S. government got a scare. As tensions in the Middle East heightened, federal law enforcement officials suddenly noticed that an Air Force military computer had been hacked. Ditto at the Lawrence Livermore National Laboratory. Before long investigators discovered that several military computer systems had been breached. The intruders gained entry via the computers' domain name servers, which are used to route information within secure networks. Potentially, these intrusions could have disrupted U.S. military communications worldwide.
Together, the FBI, the Department of Defence and NASA undertook a sweeping investigation called "Solar Sunrise" (don't ask; sources either don't know or won't reveal the origin of the cryptic code name), which quickly uncovered the assailants: two California juveniles.
In July the two pleaded guilty in federal court to charges of juvenile delinquency. Although the youths could have been remanded to custody until their 21st birthdays, prosecutors obtained plea bargains and recommended probation. Sentences were to be handed down privately on Nov. 4.
Coincidentally, this case exploded at the same time the National Infrastructure Protection Centre (NIPC) was established, and current NIPC officials were part of what turned out to be the first major conviction under the NIPC's watch. Michael A. Vatis, chief of the NIPC, calls Solar Sunrise a prime example of the cases his organisation identifies: seemingly small intrusions that could have major national defence implications. "When you have an ongoing computer intrusion into somebody's system, you don't know [initially] whether it's just somebody's kid engaged in hacking for the fun of it or whether it's a precursor to a much more sophisticated, destructive attack," Vatis says. "You have to investigate them all as though they're potentially the most serious case possible." And then pray they're not.
- T. Field
Computer Security Institute
International Computer Security Association Inc (http://www.icsa.net/)
Lawrence Livermore National Laboratory (http://www.llnl.gov/)
National Infrastructure Protection Centre (http://www.fbi.gov/nipc/)
The New York Times (http://www.nytimes.com/)