FedCIRC emerges to halt leaks

To help stem an exploding number of computer security breaches, the first government-wide computer security response team begins offering services to civilian agencies this week.

The Federal Computer Incident Response Capability (FedCIRC), part of the National Institute of Standards and Technology, will evaluate agencies' systems to pinpoint potential threats and weaknesses. FedCIRC also will offer technical support to recover from unauthorized intrusions, customize its services to meet particular agency security needs, offer training, and provide guidelines for agencies to improve security controls.

FedCIRC will attempt to turn around an accelerating number of computer security breaches. The number of reported security incidents in the public and private sector has skyrocketed from six in 1988 to 2,412 in 1995, according to the Computer Emergency Response Team (CERT), which is supported by the Defense Advanced Research Projects Agency and is based at the Software Engineering Institute at Carnegie Mellon University. These statistics, however, underestimate by tens of thousands the actual number of security breaches because agencies and corporations are reluctant or unable to report computer break-ins, according to security officials.

In addition, the General Accounting Office recently reported that 10 of the largest agencies have serious information security weaknesses, some of which have existed for years.

"We've seen a greater exploitation of various holes" in computer systems, said Pam Kotlenz, information technology security manager for NASA's Louis Research Center and chairwoman of a NASA task force on computer security.

"The hacker community has become much more connected," she continued. "The attacks are becoming more sophisticated. We need a capability that allows us to be able to detect when we have a problem. I'm not sure we're doing a good job of that now."

Indeed, civilian agencies have had few options to look for help in the event of a computer intrusion. Only a handful of agencies have in-house security response teams, including the Energy Department's Computer Incident Advisory Capability (CIAC) and teams at NASA, the Defense Department, the Air Force, the Navy, the Veterans Health Administration and the Small Business Administration.

CERT offers services to all of government and the private sector, but as the oldest and largest computer response team in the world, CERT responds to a mammoth constituency and, unlike FedCIRC, does not provide specialized services.

FedCIRC has contracted with CIAC and CERT to operate the new service from their existing sites. FedCIRC will offer three levels of services to agencies for varying fees. For 250 hours of services per calendar year, the fee is $250,000. The price tag for 160 hours is $110,000 per calendar year, and 50 hours will cost $50,000.

FedCIRC will take emergency calls from agencies that do not subscribe, but subscribers' requests will be handled first, said Marianne Swanson, a computer specialist at NIST's Computer Security Division.

FedCIRC will publish quarterly reports documenting security vulnerability trends at all civilian agencies and biannual reports that outline the reality of threats to government systems.