Reprinted with permission from Information
Security Magazine , Interview by Richard Thieme, August 2001,
pp 62-70. Copyright 2001 by Information Security Magazine
Q&A WITH RONALD DICK
CENTER OF ATTENTION
Career FBI agent Ronald Dick has been
given the mission of maturing the scope and capabilities of the National
Infrastructure Protection Center.
INTERVIEWED BY RICHARD THIEME
Also in this Article . . .
Banking on Trust
FBI special agent, investigating
violent, white-collar and
Supervisor, FBI's Audit
Unit of the Inspection
Division, Washington, D.C.
Coordinator, FBI's Drug,
White-Collar Crime and
Interstate Theft Programs
for South Carolina
Chief, FBI's Computer/Financial
Institution Crimes Unit
of the FBI's Financial
Crimes Section, Washington,
Section chief, FBI's
and Outreach Section
and the Computer Investigations
and Operations Section,
Deputy assistant director
of the FBI's National
Infrastructure and Computer
Intrusion Program and
You recently took over the NIPC
directorship from Michael Vatis. I've heard some people express concern
that the NIPC is enmeshed in a tangled web of competing interests,
and that some groups and agencies might not be totally committed to
your success--or to your tenure as director. As you look out over
the landscape, what do you see? What are you up against?
have to understand where the NIPC came
from. We're basically a startup; we've been in existence for three
years. While Presidential Decision Directive/NSC-63 (PDD-63) defined
our missions, goals and objectives, many in the IT community and
the private sector weren't sure what PDD-63 really meant or what
we were really trying to accomplish.
Some people perceived us as a threat
to the private sector and the
IT community. A lot of antivirus
and consulting companies feared we would try to become the be-all
and end-all for virus information and consulting. Obviously, we
can't do all that, and it was never part of our mission.
We've never attempted such a complex
effort before. This is the only place in the government where criminal-intelligence,
counterintelligence, foreign-intelligence and private-sector information--sometimes
proprietary--comes together for strategic analysis. One of the main
reasons the president and attorney general chose the FBI for this
is because it's the only agency with the legal authority--criminal-
and counterintelligence--to work with foreign-intelligence agencies.
Since this had never been done before,
both the intelligence community and the private sector had legitimate
concerns about how we were going to do it. You can talk about how
you're going to implement processes and procedures and information-sharing
mechanisms, but the private sector can't know what's going to happen
until you actually do it. At which point people realize that, no,
the NIPC doesn't go public about every virus or vulnerability. That's
the role of the antivirus community and the IT vendors themselves.
So when do you go public?
Unless we can add value to a warning
based on the collection of all that intelligence, we don't speak.
The only exception to that is if a vulnerability is so significant
that it threatens the country's national security or economic well-being;
then the volume needs to be turned up and we'll get the information
out on CNN and to systems administrators.
Over time, working together with
the CIA, Department of Defense and other intelligence components,
we've worked out what I think is a very good partnership. We work
very closely with the CIA, National Security Agency (NSA) and other
investigative components within the military branches. We share
information freely with them and they do with us. There were plenty
of bumps along the road, but we've been able to smooth them out.
As for the private sector, we've
worked very closely with antivirus companies. When we learn of a
virus, we contact vendors through their trade association, so we
can make the binaries available to everyone at the same time and
not give anyone a competitive advantage. We share our assessments
with them and they've grown more comfortable sharing information
We're in almost daily contact with
the major operating-system manufacturers about vulnerabilities.
Again, we're not trying to intrude into their product lines or business
decisions--we're just sharing information to our mutual benefit.
You've also worked with
industry associations through the information-sharing and analysis
centers (ISACs), which pass along warnings about possible attacks.
How does that work?
Let me give you an example of how
that all comes together. In December 2000, as a result of criminal
investigations, we saw a number of intrusions into various dot-com
entities emanating from Russia and Eastern Europe. We issued an
assessment through SANS and talked to other ISACs, but we didn't
raise the volume very much. We tried to get the information to systems
administrators because these intrusions came through known Microsoft
NT vulnerabilities, for which there are patches. Our intention was
to get the word out and minimize, if not eliminate, those vulnerabilities,
so that the subjects of our investigations could not intrude into
more NT systems.
But people weren't listening, and
the patches weren't implemented. In March, we saw a significant
spike in the number of intrusions through these known vulnerabilities.
So we went back to the financial services ISAC, among others, and
showed them what we were going to say, the details of our press
release and how we were going to raise the volume. We raised the
volume through various media outlets. Because the financial services
ISAC was prepared, it was able to thwart 1,600 attempted intrusions
of its member institutions. That's a good example of how we use
criminal intelligence, counterintelligence and public information
to provide a service to various industries about these vulnerabilities.
That's exactly what the NIPC is all about.
A recent GAO report mentioned
that industry groups, like the financial services ISAC, criticized
the NIPC for failing to quickly share warnings with businesses.
Ask them about our relationship with
them now. In the beginning, as I said, there was uncertainty about
how we would work with each other, but ask them about our relationship
today (see Banking on Trust).
It sounds as if you have a great deal of confidence about the NIPC's
effectiveness. Would you say that the expectations of these other
groups match your own?
If you're asking, do I believe that
the missions, goals and objectives defined under PDD-63 have been
placed in the right entity, my answer is yes. We're the only entity
that has the legal authority to do it all. If you're asking if the
NIPC is providing the kind of strategic analysis of products, and
receiving and passing on the volume of analytic information that
it should, the answer is no. We're not.
The GAO report talks about how we
have done a pretty good job investigating intrusions and beginning
a grassroots information-sharing initiative, called Infra-Guard.
We now have InfraGuard chapters in all 56 FBI field offices with
about 1,200 members. We're about to have our first national congress
of these chapters to further solidify our goals and objectives.
The GAO report doesn't criticize
our tactical analysis, from which we've issued more than 93 warnings,
some having to do with vulnerabilities or acts of hactivism associated
with the Chinese. The GAO gives us credit for the tactical analysis
we've done. The report also says our relationships with the ISACs
have improved. It quotes Alan Paller of SANS, who said that our
response to the intrusions I just mentioned was extraordinary. Paller
praised our detailed description of the threat and the way we provided
good forensics information to systems administrators.
We've done more than 1,200 investigations.
During the millennium change and before MafiaBoy, we were able to
issue an assessment saying that the distributed denial-of-service
(DDoS) tools Trinoo and TFN (Tribe Flood Network) were out there.
Through SANS, we also provided a tool to identify and remove DDoS
tools, for which we actually won an award. And we received an award
for InfraGuard from Safe America last month in recognition of our
efforts on behalf of Internet security.
So the GAO report had a lot of positive
things in it. But it did say-and it's right-that we're not producing
strategic analysis at the level that we should. It also suggested
a reason for this: our dependence on interagency participation.
The NIPC doesn't have adequate resources to produce those kinds
of products. I agree with that, too.
Do you see that changing?
Yes, I do. We had a change of national
leadership recently and Rear Admiral James B. Plehal was named the
NIPC's deputy director in March. He's working very closely with
the DoD to increase our staffing and get key people in management
One of our problems has been structure.
Basically, we have three sections. One deals with investigations.
Obviously, the FBI has done investigations for many years and, as
the GAO report said, we know how to do that. Another section deals
with training, outreach and policy issues, and the GAO report complimented
us for our ability to train more than 3,500 federal, state and local
law enforcement entities through a well-defined curriculum. We know
how to do training and outreach, as InfraGuard indicates.
Where GAO faults us is in the analysis
and warning section, particularly strategic analysis. We've had
three leaders in strategic analysis in three years; it's currently
headed by a CIA section chief, and the CIA has committed to leaving
him there for at least two years. The warning unit, which controls
information in and out of the NIPC, was earmarked for a DoD person.
We've only had one unit chief there since we started. The other
unit, analysis and information sharing, is an NSA position. We've
had two different people in the analysis and information-sharing
position, but it's currently vacant and NSA is in the process of
Obviously, leadership in information
sharing and strategic analysis has not been, for want of a better
term, very stable. You can't run a railroad with leadership changing
every year, as Admiral Plehal and I identified early on. Am I hopeful
that we will correct these things? Yes, I think we will.
Some of my infosecurity
colleagues have been frustrated when they've tried to work with
the NIPC. They find that the FBI culture and the more informal worlds
of information security are often in conflict. But the efforts you
describe will only work if they bridge the boundaries of different
subcultures, including those of corporate America.
I agree. Sometimes miscommunications
occur not because of maliciousness, but because in other cultures
the words mean something different from what they mean at the FBI.
People misinterpret what you're saying. We've built a glossary of
terms for everyone to go to, to ensure that we're all on the same
page. That's been helpful, but the volume of our work keeps growing.
Companies that have hired
gray-hat hackers often use "buffer zone" people, who move
back and forth between subcultures and interpret one culture to
another to ensure cooperation. The FBI is a distinctive culture.
Do you have translators?
That's what we're evolving toward.
Many people have now stayed at the NIPC for three years, so the
blending of cultures is less of an issue than it was at the beginning.
It obviously affected our ability to understand the sensitivities
of the private sector.
Which is a large concern.
Colleagues in competitive intelligence tell me that large corporations
often come to them with intrusions or attacks because they're afraid
to go to government agencies; they're afraid information will be
leaked. What kinds of bridges are you building to corporations?
There are a number of things we're
doing--let's start at the grassroots level with InfraGuard. InfraGuard's
whole intent is to try and demonstrate to the private sector that
information shared with law enforcement is safe. One reason for
the program's success is that system administrators get to meet
law enforcement people on a local level. They get to know the local
FBI or Secret Service agents, and begin to share information about
vulnerabilities. That's growing.
On another level, we're helping InfraGuard
members share incident information with other members. The private
sector chooses what information to share and
with whom to share it. Through this process of incident reporting,
the private sector controls the information provided to direct competitors
and other business sectors. Is this at the level of sharing that
we would like? No. But, again, it takes time. They have to learn
that shared information won't come back to harm them, and so far
So they're testing you and
seeing how it turns out.
That's right. I don't blame them
for that. It can't happen overnight. As to our growing sensitivity
to the needs of the private sector--unless someone in the private
sector says directly to us that it's OK to talk about an attack,
we won't talk about the company. We'll generalize the attack description
so the reporting company is unrecognizable. It does no one any good
for the FBI to be out there reminding people that certain entities
were victims of a DDoS attack. We can make the same points on television
or in a presentation to the public describing the vulnerability
and what we did together with the private sector to solve it.
How do you awaken a sense
of urgency among government agencies and the private sector short
of experiencing an attack?
Going back to those intrusions earlier
this year, when we did press statements, we didn't talk about all
of the victims--and there were a lot. Instead, we went to a couple
and asked permission to refer the media to them about the pain they'd
sustained, and they agreed to do that. This is a learning curve
for us. Historically, when the FBI has talked about incidents or
issued press releases, we normally talked about the victims. We
don't do that anymore.
So until there's a major
security incident that makes clear what's at stake, people won't
I hope that's not entirely the case.
I hear about "cyber Pearl Harbors," which I hope never
occur, if only because of the noise so many of us are making. I
hope the level of awareness is being raised.
There has to be a building of partnerships
across cultures. The NIPC, the ISACs, law enforcement, counterintelligence...these
aren't the only mechanisms by which security is going to be provided.
It's truly a partnership because of the global
nature of cybercrime and the lack of boundaries on the Internet.
We need to explore whatever we can do to facilitate that kind of
One thing about asymmetric
warfare is that the parties play by different rules. Are you partnering
with any transnational organizations to enable the United States
to meet foreign cyberthreats on its own terms?
If you mean are we partnering with
the Australians or the British or the Germans or the Japanese, yes.
One of the reasons is that
it's beneficial for the NIPC. The FBI has 44 legal attachés
assigned to embassies around
the world. The main job of, say, the attaché in the United
Kingdom is to develop a relationship with the various law enforcement
and intelligence communities within that country. Now, when an incident
occurs, we don't send a blind communication; our attaché
can talk with the people who can expedite an investigation.
In investigating the attempted extortion
of Michael Bloomberg by two hackers from Kazakhstan, we got the
assistance of U.K. authorities, and through them got the suspects
to reveal themselves. We made an arrest and the prosecution is pending,
so that's as far as I can go with that, but it's another example
of how all the pieces come together.
The word is that you have
a conciliatory way of reaching out to and including people.
Partnership is the key.
So what do you see in the
next few years? What threats are likely to emerge? The recent trial
of four terrorists who plotted the embassy bombings in Kenya and
Tanzania generated thousands of pages of testimony that detailed
a transnational terrorist network. I was surprised how little coverage
I was surprised, too.
It didn't sound like crime--it
sounded like warfare. At what point does this cease to be criminal
activity and become warfare? The rules of warfare are very different
from the rules of criminal prosecution. Wouldn't a worldwide religious
war invite a response different from an act of cybercrime?
Absolutely. Let's take your questions
one at a time. First, where do I see the threats of the future?
The core of this crime problem deals with the integrity of information
on global networks. Can we provide integrity for that information?
I was involved with creating the first regional computer-crime squads,
and we have seen the problem go from hacking in whatever forms it
existed to hactivism for political agendas to computers used just
like guns for traditional criminal motives: greed, revenge,
Luckily, we haven't seen any "cyberterrorism"
incidents in the United States so far, but I think we'll see them
in the future as the people involved in state-sponsored terrorist
organizations become familiar with the technology. We're seeing
the technology being used for state-sponsored espionage. I can't
go into details, but it's happening, and some nations are talking
about waging information warfare.
So, in time, we'll see this tool
used for the full gamut of criminal, counterintelligence and foreign-intelligence
activity. Our job will be made much more difficult because of the
ability to do these things anonymously over the Internet. It's a
The real solution to the integrity
of information in all of our networks isn't up to law enforcement,
the intelligence community or government. Real integrity comes when
it's demanded. The problems will begin to decrease when the public
demands computers that aren't only easy to use, but are also secure.
It's not a function of any one operating system--they all have vulnerabilities.
The government is a large consumer, too, and can make the same demand
in our procurement processes.
You say there haven't been
any definite acts of cyberterrorism?
Not in this country.
We all hear stories of power
outages or the like that may have been attacks on our infrastructure
as demonstration of powers...
When I say we have no known cyberterrorism
incidents, I don't mean we haven't had incidents where that could
have been the motive. I mean I don't have the evidence to put that
label on it. There's a huge difference. I'm not going to talk in
speculative terms. In some countries, there has been evidence of
that kind of activity; we just haven't been able to verify it here.
There are many ways that the U.S.
government can respond to a security incident. One is a law enforcement
response, where we prosecute criminal activity. Another is through
counterintelligence or foreign-intelligence activity. Another is
a military response, if it's information warfare. We also can respond
diplomatically through the Department of State.
The response will depend on the facts
and circumstances of the incident. One of the NIPC's main missions
is to be able to collect information from the various sources and
provide the facts to the policymakers, so they can determine the
BANKING ON TRUST
Stanley Jarocki, treasurer
and board member of the financial services ISAC, speaks about his
still-evolving relationship with the
is the National Infrastructure Protection Center (NIPC) doing? What's
I take the Fifth? [Laughs]
Our relationship is developing. It's
like a courtship. Back in 1999, a working committee got together
to do something by ourselves. That's key because it allowed us to
define our industry and participants so we can trust each other.
The key word is trust. We needed to create a mechanism for exchanging
information in a trusted format with little outside nudging. Then
we could understand what we needed to share in a way that enabled
us to come out with something useful without violating competitive
boundaries. We said that all information would be voluntary and
anonymous, so it could not be attributed to a particular bank, much
like cooperation during Y2K.
Is it that public companies can't
risk even rumors of security vulnerabilities because of potential
for negative exposure?
Yes. The NIPC at first was very aggressive,
which conflicted with the trust principles of the ISACs. We guaranteed
confidentiality when members provided the ISAC with information.
Regardless of the source, we wanted to get out the information that
said technically what was going on.
The problem with the NIPC is that,
for all intents and purposes, it's the FBI. If it's a criminal case,
the FBI will put a jacket around it, and we can't share data if
that's going to happen. If I go to the FBI with a case, they'll
get a grand jury subpoena and grab everything. Once that happens,
I can't see my own data.
The computer security community
often criticizes the NIPC for working that way. It all flows in
Yes, and I want to know what's going
to come back. So we courted each other for a year. With Ron Dick
on board, I think we have a different profile. It's more like our
original conversation, which is positive. I have been lobbying for
an exchange of data in a positive sense. I said, let's pick, say,
a dozen concerns--buffer overflows, viruses, hostile IP addresses--and
expand that list, and that's happening.
We can also share the data schema
of our databases, so the language we use across all databases is
consistent. That way we mean the same thing by "incident"
or "vulnerability." We'll have the same taxonomy. Then
we'll establish a protocol. If I refuse to allow you to look at
my database, you won't let me look at yours. I have to do it first,
because we need to build trust. We can use these dozen items to
get a success story going.
We agreed that all announcements
would be simultaneous. Over the past months, the NIPC has come to
us with things like the Microsoft stuff that affects the financial
community. We worked with the NIPC to publicize those threats in
a way that makes sense. That's positive case number one, and we've
How do you see this relationship
evolving? Where will responsibilities change in order for the NIPC
to better align itself with what needs to be done? How do we balance
all of this?
We need to get everyone
responsible for data in the room, throw out all politicians and
ruling bodies, and tack our schemas on the wall. Then we can ask,
"What can we really share?" We'll have to say, some information
is judicial, or commercial and sensitive, or intelligence, or public
domain, and map it all. We want to share information, but first
you have to do data definitions. Until we accept that, we ain't
Interviewer RICHARD THIEME
is a contributing writer for Information Security. He writes,
speaks and consults on the human dimensions of technology and the
For more visit the Information
permission from Information
Security Magazine , Interview by Richard Thieme, August 2001,
pp 62-70. Copyright 2001 by Information Security Magazine