Reprinted with permission from Information Security Magazine, Interview by Richard Thieme, August 2001, pp 62-70. Copyright 2001 by Information Security Magazine.
Q&A WITH RONALD DICK
CENTER OF ATTENTION
Career FBI agent Ronald Dick has been given the mission of maturing the scope and capabilities of the National Infrastructure Protection Center.
INTERVIEWED BY RICHARD THIEME
BioLines
1977-1985: FBI special agent, investigating violent, white-collar and drug crimes
1985-1988: Supervisor, FBI's Audit Unit of the Inspection Division, Washington, D.C.
1988-1992: Coordinator, FBI's Drug, White-Collar Crime and Interstate Theft Programs for South Carolina
1992-1996: Chief, FBI's Computer/Financial Institution Crimes Unit of the FBI's Financial Crimes Section, Washington, D.C.
1998-2001: Section chief, FBI's Training, Administration and Outreach Section and the Computer Investigations and Operations Section, Washington, D.C.
Present: Deputy assistant director of the FBI's National Infrastructure and Computer Intrusion Program and NIPC director
Q: You recently took over the NIPC directorship from Michael Vatis. I've heard some people express concern that the NIPC is enmeshed in a tangled web of competing interests, and that some groups and agencies might not be totally committed to your success--or to your tenure as director. As you look out over the landscape, what do you see? What are you up against?
A: You have to understand where the NIPC came from. We're basically a startup; we've been in existence for three years. While Presidential Decision Directive/NSC-63 (PDD-63) defined our missions, goals and objectives, many in the IT community and the private sector weren't sure what PDD-63 really meant or what we were really trying to accomplish.
Some people perceived us as a threat to the private sector and the IT community. A lot of antivirus and consulting companies feared we would try to become the be-all and end-all for virus information and consulting. Obviously, we can't do all that, and it was never part of our mission.
We've never attempted such a complex effort before. This is the only place in the government where criminal-intelligence, counterintelligence, foreign-intelligence and private-sector information--sometimes proprietary--comes together for strategic analysis. One of the main reasons the president and attorney general chose the FBI for this is because it's the only agency with the legal authority--criminal- and counterintelligence--to work with foreign-intelligence agencies.
Since this had never been done before, both the intelligence community and the private sector had legitimate concerns about how we were going to do it. You can talk about how you're going to implement processes and procedures and information-sharing mechanisms, but the private sector can't know what's going to happen until you actually do it. At which point people realize that, no, the NIPC doesn't go public about every virus or vulnerability. That's the role of the antivirus community and the IT vendors themselves.
Q: So when do you go public?
A: Unless we can add value to a warning based on the collection of all that intelligence, we don't speak. The only exception to that is if a vulnerability is so significant that it threatens the country's national security or economic well-being; then the volume needs to be turned up and we'll get the information out on CNN and to systems administrators.
Over time, working together with the CIA, Department of Defense and other intelligence components, we've worked out what I think is a very good partnership. We work very closely with the CIA, National Security Agency (NSA) and other investigative components within the military branches. We share information freely with them and they do with us. There were plenty of bumps along the road, but we've been able to smooth them out.
As for the private sector, we've worked very closely with antivirus companies. When we learn of a virus, we contact vendors through their trade association, so we can make the binaries available to everyone at the same time and not give anyone a competitive advantage. We share our assessments with them and they've grown more comfortable sharing information with us.
We're in almost daily contact with the major operating-system manufacturers about vulnerabilities. Again, we're not trying to intrude into their product lines or business decisions--we're just sharing information to our mutual benefit.
Q: You've also worked with industry associations through the information-sharing and analysis centers (ISACs), which pass along warnings about possible attacks. How does that work?
A: Let me give you an example of how that all comes together. In December 2000, as a result of criminal investigations, we saw a number of intrusions into various dot-com entities emanating from Russia and Eastern Europe. We issued an assessment through SANS and talked to other ISACs, but we didn't raise the volume very much. We tried to get the information to systems administrators because these intrusions came through known Microsoft NT vulnerabilities, for which there are patches. Our intention was to get the word out and minimize, if not eliminate, those vulnerabilities, so that the subjects of our investigations could not intrude into more NT systems.
But people weren't listening, and the patches weren't implemented. In March, we saw a significant spike in the number of intrusions through these known vulnerabilities. So we went back to the financial services ISAC, among others, and showed them what we were going to say, the details of our press release and how we were going to raise the volume. We raised the volume through various media outlets. Because the financial services ISAC was prepared, it was able to thwart 1,600 attempted intrusions of its member institutions. That's a good example of how we use criminal intelligence, counterintelligence and public information to provide a service to various industries about these vulnerabilities. That's exactly what the NIPC is all about.
Q: A recent GAO report mentioned that industry groups, like the financial services ISAC, criticized the NIPC for failing to quickly share warnings with businesses.
A: Ask them about our relationship with them now. In the beginning, as I said, there was uncertainty about how we would work with each other, but ask them about our relationship today (see Banking on Trust).
Q: It sounds as if you have a great deal of confidence about the NIPC's effectiveness. Would you say that the expectations of these other groups match your own?
A: If you're asking, do I believe that the missions, goals and objectives defined under PDD-63 have been placed in the right entity, my answer is yes. We're the only entity that has the legal authority to do it all. If you're asking if the NIPC is providing the kind of strategic analysis of products, and receiving and passing on the volume of analytic information that it should, the answer is no. We're not.
The GAO report talks about how we have done a pretty good job investigating intrusions and beginning a grassroots information-sharing initiative, called InfraGuard. We now have InfraGuard chapters in all 56 FBI field offices with about 1,200 members. We're about to have our first national congress of these chapters to further solidify our goals and objectives.
The GAO report doesn't criticize our tactical analysis, from which we've issued more than 93 warnings, some having to do with vulnerabilities or acts of hacktivism associated with the Chinese. The GAO gives us credit for the tactical analysis we've done. The report also says our relationships with the ISACs have improved. It quotes Alan Paller of SANS, who said that our response to the intrusions I just mentioned was extraordinary. Paller praised our detailed description of the threat and the way we provided good forensics information to systems administrators.
We've done more than 1,200 investigations. During the millennium change and before MafiaBoy, we were able to issue an assessment saying that the distributed denial-of-service (DDoS) tools Trinoo and TFN (Tribe Flood Network) were out there. Through SANS, we also provided a tool to identify and remove DDoS tools, for which we actually won an award. And we received an award for InfraGuard from Safe America last month in recognition of our efforts on behalf of Internet security.
So the GAO report had a lot of positive things in it. But it did say--and it's right--that we're not producing strategic analysis at the level that we should. It also suggested a reason for this: our dependence on interagency participation. The NIPC doesn't have adequate resources to produce those kinds of products. I agree with that, too.
Q: Do you see that changing?
A: Yes, I do. We had a change of national leadership recently and Rear Admiral James B. Plehal was named the NIPC's deputy director in March. He's working very closely with the DoD to increase our staffing and get key people in management positions.
One of our problems has been structure. Basically, we have three sections. One deals with investigations. Obviously, the FBI has done investigations for many years and, as the GAO report said, we know how to do that. Another section deals with training, outreach and policy issues, and the GAO report complimented us for our ability to train more than 3,500 federal, state and local law enforcement entities through a well-defined curriculum. We know how to do training and outreach, as InfraGuard indicates.
Where GAO faults us is in the analysis and warning section, particularly strategic analysis. We've had three leaders in strategic analysis in three years; it's currently headed by a CIA section chief, and the CIA has committed to leaving him there for at least two years. The warning unit, which controls information in and out of the NIPC, was earmarked for a DoD person. We've only had one unit chief there since we started. The other unit, analysis and information sharing, is an NSA position. We've had two different people in the analysis and information-sharing position, but it's currently vacant and NSA is in the process of filling it.
Obviously, leadership in information sharing and strategic analysis has not been, for want of a better term, very stable. You can't run a railroad with leadership changing every year, as Admiral Plehal and I identified early on. Am I hopeful that we will correct these things? Yes, I think we will.
Q: Some of my infosecurity colleagues have been frustrated when they've tried to work with the NIPC. They find that the FBI culture and the more informal worlds of information security are often in conflict. But the efforts you describe will only work if they bridge the boundaries of different subcultures, including those of corporate America.
A: I agree. Sometimes miscommunications occur not because of maliciousness, but because in other cultures the words mean something different from what they mean at the FBI. People misinterpret what you're saying. We've built a glossary of terms for everyone to go to, to ensure that we're all on the same page. That's been helpful, but the volume of our work keeps growing.
Q: Companies that have hired gray-hat hackers often use "buffer zone" people, who move back and forth between subcultures and interpret one culture to another to ensure cooperation. The FBI is a distinctive culture. Do you have translators?
A: That's what we're evolving toward. Many people have now stayed at the NIPC for three years, so the blending of cultures is less of an issue than it was at the beginning. It obviously affected our ability to understand the sensitivities of the private sector.
Q: Which is a large concern. Colleagues in competitive intelligence tell me that large corporations often come to them with intrusions or attacks because they're afraid to go to government agencies; they're afraid information will be leaked. What kinds of bridges are you building to corporations?
A: There are a number of things we're doing--let's start at the grassroots level with InfraGuard. InfraGuard's whole intent is to try and demonstrate to the private sector that information shared with law enforcement is safe. One reason for the program's success is that system administrators get to meet law enforcement people on a local level. They get to know the local FBI or Secret Service agents, and begin to share information about vulnerabilities. That's growing.
On another level, we're helping InfraGuard members share incident information with other members. The private sector chooses what information to share and with whom to share it. Through this process of incident reporting, the private sector controls the information provided to direct competitors and other business sectors. Is this at the level of sharing that we would like? No. But, again, it takes time. They have to learn that shared information won't come back to harm them, and so far it hasn't.
Q: So they're testing you and seeing how it turns out.
A: That's right. I don't blame them for that. It can't happen overnight. As to our growing sensitivity to the needs of the private sector--unless someone in the private sector says directly to us that it's OK to talk about an attack, we won't talk about the company. We'll generalize the attack description so the reporting company is unrecognizable. It does no one any good for the FBI to be out there reminding people that certain entities were victims of a DDoS attack. We can make the same points on television or in a presentation to the public describing the vulnerability and what we did together with the private sector to solve it.
Q: How do you awaken a sense of urgency among government agencies and the private sector short of experiencing an attack?
A: Going back to those intrusions earlier this year, when we did press statements, we didn't talk about all of the victims--and there were a lot. Instead, we went to a couple and asked permission to refer the media to them about the pain they'd sustained, and they agreed to do that. This is a learning curve for us. Historically, when the FBI has talked about incidents or issued press releases, we normally talked about the victims. We don't do that anymore.
Q: So until there's a major security incident that makes clear what's at stake, people won't get it?
A: I hope that's not entirely the case. I hear about "cyber Pearl Harbors," which I hope never occur, if only because of the noise so many of us are making. I hope the level of awareness is being raised.
There has to be a building of partnerships across cultures. The NIPC, the ISACs, law enforcement, counterintelligence...these aren't the only mechanisms by which security is going to be provided. It's truly a partnership because of the global nature of cybercrime and the lack of boundaries on the Internet. We need to explore whatever we can do to facilitate that kind of partnership.
Q: One thing about asymmetric warfare is that the parties play by different rules. Are you partnering with any transnational organizations to enable the United States to meet foreign cyberthreats on its own terms?
A: If you mean are we partnering with the Australians or the British or the Germans or the Japanese, yes. One of the reasons is that it's beneficial for the NIPC. The FBI has 44 legal attachés assigned to embassies around the world. The main job of, say, the attaché in the United Kingdom is to develop a relationship with the various law enforcement and intelligence communities within that country. Now, when an incident occurs, we don't send a blind communication; our attaché can talk with the people who can expedite an investigation.
In investigating the attempted extortion of Michael Bloomberg by two hackers from Kazakhstan, we got the assistance of U.K. authorities, and through them got the suspects to reveal themselves. We made an arrest and the prosecution is pending, so that's as far as I can go with that, but it's another example of how all the pieces come together.
Q: The word is that you have a conciliatory way of reaching out to and including people.
A: Partnership is the key. Not ownership.
Q: So what do you see in the next few years? What threats are likely to emerge? The recent trial of four terrorists who plotted the embassy bombings in Kenya and Tanzania generated thousands of pages of testimony that detailed a transnational terrorist network. I was surprised how little coverage it received.
A: I was surprised, too.
Q: It didn't sound like crime--it sounded like warfare. At what point does this cease to be criminal activity and become warfare? The rules of warfare are very different from the rules of criminal prosecution. Wouldn't a worldwide religious war invite a response different from an act of cybercrime?
A: Absolutely. Let's take your questions one at a time. First, where do I see the threats of the future? The core of this crime problem deals with the integrity of information on global networks. Can we provide integrity for that information? I was involved with creating the first regional computer-crime squads, and we have seen the problem go from hacking in whatever forms it existed to hacktivism for political agendas to computers used just like guns for traditional criminal motives: greed, revenge, etc.
Luckily, we haven't seen any "cyberterrorism" incidents in the United States so far, but I think we'll see them in the future as the people involved in state-sponsored terrorist organizations become familiar with the technology. We're seeing the technology being used for state-sponsored espionage. I can't go into details, but it's happening, and some nations are talking about waging information warfare.
So, in time, we'll see this tool used for the full gamut of criminal, counterintelligence and foreign-intelligence activity. Our job will be made much more difficult because of the ability to do these things anonymously over the Internet. It's a real challenge.
The real solution to the integrity of information in all of our networks isn't up to law enforcement, the intelligence community or government. Real integrity comes when it's demanded. The problems will begin to decrease when the public demands computers that aren't only easy to use, but are also secure. It's not a function of any one operating system--they all have vulnerabilities. The government is a large consumer, too, and can make the same demand in our procurement processes.
Q: You say there haven't been any definite acts of cyberterrorism?
A: Not in this country.
Q: We all hear stories of power outages or the like that may have been attacks on our infrastructure as demonstration of powers...
A: When I say we have no known cyberterrorism incidents, I don't mean we haven't had incidents where that could have been the motive. I mean I don't have the evidence to put that label on it. There's a huge difference. I'm not going to talk in speculative terms. In some countries, there has been evidence of that kind of activity; we just haven't been able to verify it here.
There are many ways that the U.S. government can respond to a security incident. One is a law enforcement response, where we prosecute criminal activity. Another is through counterintelligence or foreign-intelligence activity. Another is a military response, if it's information warfare. We also can respond diplomatically through the Department of State.
The response will depend on the facts and circumstances of the incident. One of the NIPC's main missions is to be able to collect information from the various sources and provide the facts to the policymakers, so they can determine the appropriate responses.
BANKING ON TRUST
Stanley Jarocki, treasurer and board member of the financial services ISAC, speaks about his still-evolving relationship with the NIPC.
Q: How is the National Infrastructure Protection Center (NIPC) doing? What's your experience?
A: Can I take the Fifth? [Laughs]
Our relationship is developing. It's like a courtship. Back in 1999, a working committee got together to do something by ourselves. That's key because it allowed us to define our industry and participants so we can trust each other. The key word is trust. We needed to create a mechanism for exchanging information in a trusted format with little outside nudging. Then we could understand what we needed to share in a way that enabled us to come out with something useful without violating competitive boundaries. We said that all information would be voluntary and anonymous, so it could not be attributed to a particular bank, much like cooperation during Y2K.
Q: Is it that public companies can't risk even rumors of security vulnerabilities because of potential for negative exposure?
A: Yes. The NIPC at first was very aggressive, which conflicted with the trust principles of the ISACs. We guaranteed confidentiality when members provided the ISAC with information. Regardless of the source, we wanted to get out the information that said technically what was going on.
The problem with the NIPC is that, for all intents and purposes, it's the FBI. If it's a criminal case, the FBI will put a jacket around it, and we can't share data if that's going to happen. If I go to the FBI with a case, they'll get a grand jury subpoena and grab everything. Once that happens, I can't see my own data.
Q: The computer security community often criticizes the NIPC for working that way. It all flows in one direction.
A: Yes, and I want to know what's going to come back. So we courted each other for a year. With Ron Dick on board, I think we have a different profile. It's more like our original conversation, which is positive. I have been lobbying for an exchange of data in a positive sense. I said, let's pick, say, a dozen concerns--buffer overflows, viruses, hostile IP addresses--and expand that list, and that's happening.
We can also share the data schema of our databases, so the language we use across all databases is consistent. That way we mean the same thing by "incident" or "vulnerability." We'll have the same taxonomy. Then we'll establish a protocol. If I refuse to allow you to look at my database, you won't let me look at yours. I have to do it first, because we need to build trust. We can use these dozen items to get a success story going.
We agreed that all announcements would be simultaneous. Over the past months, the NIPC has come to us with things like the Microsoft stuff that affects the financial community. We worked with the NIPC to publicize those threats in a way that makes sense. That's positive case number one, and we've had others.
Q: How do you see this relationship evolving? Where will responsibilities change in order for the NIPC to better align itself with what needs to be done? How do we balance all of this?
A: We need to get everyone responsible for data in the room, throw out all politicians and ruling bodies, and tack our schemas on the wall. Then we can ask, "What can we really share?" We'll have to say, some information is judicial, or commercial and sensitive, or intelligence, or public domain, and map it all. We want to share information, but first you have to do data definitions. Until we accept that, we ain't going anywhere.
Interviewer RICHARD THIEME (rthieme@thiemeworks.com) is a contributing writer for Information Security. He writes, speaks and consults on the human dimensions of technology and the workplace.