Dedication is the best defense

Early one Friday morning in 1997, Air Force Col. Dale Meyerrose turned on his computer at Langley Air Force Base in Virginia and discovered that President Clinton had sent him an e-mail message. Questioning the probability of receiving an e-mail message directly from the commander in chief, Meyerrose ordered an immediate investigation.

Later that afternoon, the telephone rang in the hotel room of Tim Bass, chief executive officer of The Silk Road Group, an information systems security firm. The Air Combat Command at Langley had hired Bass to assist in developing its prototype Base Network Control Center (BNCC). The voice on the other end of the telephone asked Bass if he would mind stopping by the base to look at an "interesting situation." Bass postponed a weekend trip he had planned and seized the opportunity to take part in the burgeoning investigation.

Bass, an electrical engineer with many years of telecommunications and network security consulting experience for industry and government, arrived on the scene eager to learn about what officials had classified as an isolated incident of e-mail spoofing. However, the situation that Bass and a team of security specialists discovered turned out to be something far different than a seemingly innocuous e-mail message.

In fact, the much larger problem turned out to be the equivalent of a cyberhijacking of all of the command's e-mail relays. "After turning up the logging levels on the e-mail relays, we discovered we had a much larger problem," Bass said. "The Air Force's mail relays were being used by hackers to covertly distribute illicit material, spam e-mail and...hate mail."

Unknown to him at the time, Bass was embarking on a project that would help shape the development of defensive information warfare strategy in the Air Force and elsewhere for years to come. The resulting "black-hole strategy," for which Bass and two other Air Force information technology security specialists received credit, became the Air Combat Command's front-line network defense and would be adopted by NATO during Operation Allied Force when an unknown number of hackers launched an e-mail spamming campaign against the organization's World Wide Web server. The same defensive computer code also was used to help combat the recent "Melissa" virus.

"The objective was to deny all feedback [that would give intruders information about the network] to filter, collect and archive all illicit e-mail as potential forensic evidence and to deliver all legitimate base e-mail without delay," Bass said.

The strategy worked thanks in no small measure to Bass' understanding and appreciation of systems and network engineering.

"Mr. Bass brought a unique skill set of network capabilities to our team and was an integral part of helping us solve the issues associated with what we call the Langley Cyberattack," said Meyerrose, who is now a brigadier general. "[He] devised the counter-tool which negated and nullified the spam e-mail attack, and which we still use today in the Air Combat Command network enterprise for combating spam e-mail."

Meyerrose said Bass impressed upon command personnel that an intruder is able to counteract on the fly any steps the command took to defend itself. "No one helped us learn that lesson better than Tim Bass," Meyerrose said.

Bass began his career in telecommunications and network consulting in 1989, trouble-shooting high-speed digital wide-area networks as a member of Contel Federal Systems, Chantilly, Va. Two years later, he started up The Silk Road Group, taking with him experience gained from working as the lead systems engineer for the International Mobile Satellite Organization and other projects.

Bitten by the Security Bug

By 1992, Bass was beginning to dabble in Internet security as a consultant for GE Information Services, Rockville, Md., focusing on Internet Protocol network management, intrusion detection, building firewalls and developing custom Unix security solutions for financial transaction processors.

His firewall development experience as a consultant for GE took place long before commercial firewalls were developed, Bass said. "We built our firewall on Unix platforms in combination with Cisco [Systems Inc.] routers and used packet sniffers on both sides of the firewalls to design and fine-tune our ideas," he said.

Through 1992 and into 1993, Bass continued to build on the electrical engineering degree he received from Tulane University as well as experience gained as a staff member at Johns Hopkins University's Applied Physics Laboratory. He consulted with Sprint on transitioning the National Science Foundation's NSFnet to the commercial Internet. He worked on the team that designed the core network management system and IP backbone for Sprint's IP services, which also focused heavily on network security.

Between 1993 and 1994, Bass received more exposure to the world of government computer security when he began work on the Air Combat Command's BNCC prototype.

At this time, Bass also built and demonstrated the first Web server for the command.

"My entire professional life has been devoted to the art and science of engineering," Bass said. "In my youth, I worked as a construction field engineer in the oil fields of Louisiana and Saudi Arabia, where one mistake in putting a stake in the ground can cost the life of a heavy-equipment operator. It was in those oil fields where I began to develop my sense of engineering responsibility and ethics. In many ways, those early years of life-and-death responsibility have molded my entire career."

For Bass, that career is a work in progress that has changed over the years and continues to take him in new directions. "The opportunity at Langley Air Force Base was a unique and a once-in-a-lifetime [chance] to participate in a real-time cyberattack," Bass said. "These events, and other Air Force experiences, had a tremendous influence on my career and have changed my thinking on network security and information assurance."

Through his consulting practice, Bass continues to be active in professional industry working groups, particularly those focusing on critical infrastructure protection, risk management, process engineering and security policy development.

He said one of the biggest security challenges facing the federal government today "is to educate both the technology user and technical worker that systems are secured by people, resources and processes - not by technology.

"[Neither] hardware, software nor off-the-shelf technology can solve the problem I am trying to articulate here," Bass said. "There is no silver bullet and no low-cost solution to the challenge ahead in the risk management of complex internetworked systems."