House panel pitches U.S. center to fight cybercrime

In a report peppered with vivid accounts of break-ins into government computers, a Senate subcommittee is pushing the creation of a new national center to guard vital government and industry systems from attack.

The minority staff of the Senate Governmental Affairs Permanent Subcommittee on Investigations is calling for a "National Information Infrastructure Threat Center," staffed with experts from law enforcement, intelligence and the military in coordination with the private sector, to respond to the growing number of hacker attacks affecting agencies.

This and other recommendations appear in a 63-page report on security in cyberspace, released at a subcommittee hearing last week. Citing the "lack of a security culture within government and private industry" and a "failure of most government agencies to detect intrusions [and] to report intrusions that are detected," the panel recommended making reports of break-ins to federal sites mandatory.

A major obstacle to investigating computer attacks, according to the report, is that most federal agencies do not require users to report computer intrusions. Even if they did report them, most agencies do not have the technology to detect more than the most reckless and sloppy intruders, the subcommittee concluded.

Another obstacle lies in the web of jurisdictional lines drawn by the intelligence, civilian, defense and law enforcement communities. Because a computer intruder often reaches his victim by connecting through a chain of globally linked sites, gaining the appropriate warrants, authority and expertise to follow a typical intruder can be virtually impossible, staff members said.

The proposed threat center would attempt to solve this problem, allowing a coordinated force of experts throughout government and industry to gather information and react to attacks on major systems, such as government agency networks, power grids and telephone lines.

It would also "serve as a clearinghouse for intrusion reports," the report said.

Individual agencies would still be able to react to intrusions into their own systems, but the center would provide a way to coordinate investigations into attacks that affect more than one agency or company.

The idea of a central investigative body for cybercrime is not new. Several interagency organizations exist to share data and to develop policy related to information security.

But the center the committee recommended would be "a free-standing entity that can conduct operational responses to computer attacks and task different agencies within our government," 24 hours a day.

Current government efforts to coordinate agencies and industry to respond in real time to attacks is "pretty fragmented," according to Stephen Smaha, president of Haystack Labs Inc., a security software company in Austin, Texas.

"Historically, it's been very difficult for classified entities to share threat information with anyone else, even among themselves, so the idea that there would be one single government repository would require significant top-down political commitment," Smaha said.

"The big issue here is, Who is going to trust whom to collect the information" about computer break-ins, he said.

Strong opinions exist in the federal government about centralized security policy and government computer systems.

While it is unclear how much jurisdiction this center would have over setting policy throughout government, it would surely maintain a strong defense and intelligence presence.

Sen. Sam Nunn (D-Ga.), ranking minority member of the committee, said that the Computer Security Act "has to be revisited" in light of the information security threats.

"Some of these agencies have big problems," Nunn said. "I think the Defense Department is more sophisticated and further ahead than anyone else - both in terms of awareness and in terms of its actions - and therefore can be of help."

But, Nunn added, "To give the [Defense Department] legal jurisdiction over all of this; I'm not prepared to take that step."

Jim Christy, a special agent in the Air Force Office of Special Investigations who worked on the report, suggested that the Federal Emergency Management Agency might be the agency best suited to lead the center.

"The Defense Department understands that the general public will not accept [DOD] being responsible for the security of the infrastructure," he said. FEMA "deals with physical infrastructure problems already. Maybe there's an [NII] security role there also."

Federal intelligence entities "agreed that the threat posed to our information infrastructure was substantial," the report said. "Yet when pushed to reveal the level of resources dedicated to assessing the threat, each agency admitted that few personnel were working on developing such an assessment."

To illustrate the federal government's vulnerabilities, the report noted the following:

A recent State Department inspector general audit of Defense unclassified mainframe security systems "found that the department basically had no security plan. As a result, the IG found that the department was not in a position to even reliably know if information has been compromised."

IG officials also told the staff that a major threat "could be from outsourcing computer systems administration to foreign national employees."

Piqued by the feature film, "The Net," which portrays a hacker altering the electronic medical records of the secretary of Defense, the staff contacted the Bethesda Naval Medical Center. The responding official said that after conducting a vulnerability assessment, she found that she "and virtually anyone else could break into BNMC and access and change the medical records of our government's leaders." The BNMC has since addressed this vulnerability.

The staff interviewed the Federal Aviation Administration, which explained that the FAA's computer systems were "relatively safe from intrusion" because "their aircraft control systems are so antiquated and consist of so many separate and incompatible systems that they are more resistant to modern hacking tools."

In addition, air traffic controllers are prepared to work without computers, the FAA said.