NIST stumps for federal security team

The National Institute of Standards and Technology will form a new security team to help guard against and respond to Internet break-ins at civilian agency sites, under a plan being considered by the Government Information Technology Services (GITS) Working Group.

The new security group would respond to computer intrusions, provide agencies with guidance and vulnerability "fixes," develop and maintain publicly available tools, perform vulnerability analyses and conduct follow-up studies of incidents. It would also operate a 24-hour emergency hot line.

NIST envisions the team as filling a void that has developed as a result of recent changes to the Office of Management and Budget's Circular A-130. Although the changes require all agencies to maintain a computer security response capability, the majority of civilian agencies do not operate their own security teams.

"We would cover [civilian agencies] who do not have an existing team," said Marianne Swanson, a computer specialist at NIST's Computer Security Division. "And we would work with the other government agency teams that are already in existence. We envision that we will be a pretty big powerhouse."

Under the plan, the Energy Department's Computer Incident Advisory Capability (CIAC) and the Defense Advanced Research Projects Agency-funded Computer Emergency Response Team (CERT) would jointly operate the service at their sites.

"It would be run by both CIAC and CERT's facilities," Swanson said. "There would still be a CIAC team to handle Energy Department issues, but CIAC would also house a big part of the governmentwide capability. And that would work the same way for CERT."

NIST would act as a temporary coordinator while the program is being started.

NIST wants funding of about $8 million over two years to start up the program, which could get the go-ahead as soon as two months from now.

A fully functional incident response capability would be up and running within six months of receiving funding approval, according to NIST. GITS is an inter-agency group that addresses issues related to the National Performance Review and the administration's National Information Infrastructure initiative. The money for the program would come from the GITS Innovation Fund.

Gayle Gordon, head of the GITS Innovation Fund, would not comment on the likelihood of funding for the proposal.

Agencies without their own security response teams now have few options in the event of an intrusion. They can call CERT, the largest and oldest computer security response team in the world, but CERT responds to a constituency that is as large as the Internet itself. As a result, it does not give specialized service.

CIAC does offer specialized security service on a fee basis, and the new team would expand on this concept. It would also make the sharing of vulnerability information easier, supporters said.

Tearing Down the Barriers

Response teams' hesitancy to share information continues to obstruct efforts to develop a central resource for break-in statistics.

"We want this group to cross agency boundaries and augment agencies' [existing] capabilities," Swanson said. "We feel there's a benefit to having similar music that all agencies can follow—recommendations, guidance, tools. It will be a more common set of tools that all can use."

"So many agencies don't have a response capability," said Sandy Sparks, CIAC's director. "If the proposal gets funded, it will be a really proactive step."

Currently, only DOE, NASA, the Defense Department, the Air Force, the Navy, the Veterans Health Administration and the Small Business Administration have their own security response teams.

However, DARPA has signaled that it will stop funding CERT for its emergency response capabilities, though it will continue funding for CERT to conduct research in computer security.

NIST would help set up the security team, but eventually the service would operate from fees paid by member agencies and be self-sustaining. The GITS Innovation Fund gives one-time loans to government technology projects.

"GITS will get it started, but then it will have to live in the cold, hard world," said Tim Grantz, a computer security specialist at NIST.

"It's ambitious in a time of constrained resources, [and] it remains to be seen how willing people are to spend money on security," he said. "It's a good first step toward giving agencies an effective service that helps people meet the regulatory intent of Circular A-130."

"It's ambitious because we're taking on a large, large role, and a lot of the functions we're going to perform require a lot of time, effort and money," NIST's Swanson said.

NIST is taking additional steps to promote more open sharing of security statistics among federal agencies, universities and businesses. NIST will conduct a workshop on data sharing June 10-12.