The plan for a governmentwide intrusion-detection network pits technology against agency culture
Five civilian agencies separately notice repeated attempts from an unauthorized
user to access their e-mail systems. Each of the agencies' information administrators,
unaware that other agencies are under attack, blocks the security hole the
attacker has exploited, successfully shutting out the hacker. The administrators
log the incidents, and satisfied that they have foiled the attack, they
move on to other business. They give no warning to other agencies about
the incidents.
Hours later, the hacker attacks another agency's e-mail system, exploiting
the same hole that the first five agencies blocked. But this time, the hacker
gains entry, cripples the system and steals hundreds of passwords, possibly
gaining access to sensitive information.
This cyberattack, although fictitious, could easily occur. This scenario — hackers jumping from one agency to another until they successfully break
through a system's firewall — is what federal security officials are trying
to prevent. To do so, security groups — including the General Services Administration's
Federal Computer Incident Response Capability (FedCIRC), the National Security
Council and the Critical Infrastructure Assurance Office (CIAO) — want to
develop a federal program that provides systems administrators with a picture
of security breaches, such as unauthorized use, and intrusions across government.
By quickly showing the cyberattacks that other agencies are encountering,
security officials say they can block more attacks on federal systems and
thereby protect personal and agency information residing in databases.
What's at stake is the security of Americans' private information — such as Social Security numbers and health records — sensitive and classified
information for national defense, and other material stored in thousands
of databases governmentwide. "This [monitoring system] is needed; we cannot
expect agencies to truly be able to secure their systems without the understanding
of the vulnerabilities and risk that this system will bring," said John
Tritak, director of the Clinton administration's CIAO.
But for more than a year, GSA, the CIAO and other security groups have
run into major obstacles in their effort to build a monitoring system. The
program faces technical hurdles in assembling a governmentwide system that
not only shares information within agencies but also among agencies. In
addition, proponents of the system face the tough job of persuading agencies,
which may not want to broadcast their security weaknesses, to share cyberattack
information.
The security groups must also negotiate a political minefield, in which
the system has been viewed as a Big Brother approach that may put private
information at risk, and some members of Congress have vowed to never fund
it. The thorniest problem could be the basic issue of deciding what information
will be collected, who will collect it and how it will be used.
Many fear that unless a system is put in place before the change in
administration this year, the program could die.
From FIDNet to AIDC
For more than a year, under the guidance of GSA's FedCIRC, the Clinton
administration has been working on building a system called the Federal
Intrusion Detection Network (FIDNet), which would monitor federal systems
for cyberattacks, analyze where the attacks are coming from, determine if
there is any pattern and then send out warnings to agencies if necessary.
But in comments submitted to GSA in June, security contractors said
the best way to develop such a monitoring system was to use so-called managed
security services rather than a governmentwide system such as FIDNet.
Under the managed security services model, a contractor would analyze
the data that individual agency intrusion-detection systems generate and
look for patterns or possible holes in systems. When a potential problem
is found, the vendor would follow procedures outlined by the agency for
alerting agencies' system administrators and helping them respond.
GSA and other security groups have modified the request for proposals
for FIDNet and renamed the system, first as the Enhanced Intrusion Detection
Capability and later as the Automated Intrusion Detection Capability
(AIDC). Based on commercial products, this solution will take the managed
security services concept one step further and establish a central point
for correlating the information that each agency chooses to provide to FedCIRC.
According to the new draft RFP issued last month, "The intended [AIDC]
solution(s) will improve computer security across U.S. government agencies
and in the process will provide the federal civilian government its first
line of defense against computer intrusions."
Pushing the Technology Envelope
When GSA started working on FIDNet, it wanted more than the typical
intrusion-detection technology, which, for the most part, only detects known
security vulnerabilities. GSA wanted technology that could determine patterns
in a cyberattack so that security experts could detect and block attacks
that had never been seen before.
The initial draft RFP for FIDNet released in June included aspects of
both a solution developed specifically for government and one based on commercial
products. Now with AIDC, GSA is focusing on the commercial market's hottest
offering, managed security services, which vendors said should be much easier
to assemble.
"We still have some technical questions, but there are not any showstoppers,"
said Richard Smith, vice president of federal operations at Internet Security
Systems Inc.
But some are still concerned about getting data from many different
agencies and systems to come together in a single picture that tells security
analysts what they need to know in a way they can understand.
Each agency is using different commercial intrusion-detection systems,
with sensors that use different reporting protocols. This makes it almost
impossible for sensors from one system to be read by the management console
of another. The problem is multiplied by the fact that even within a single
agency or department, individual offices may be using their own intrusion-detection
systems. So there may be many different data formats within just one agency,
which all must be brought together. "Getting that data in a compatible format
is a nontrivial technical issue," said David Nelson, deputy CIO at NASA
and the official overseeing the agency's security issues. "It can be done,
but it is very difficult."
"No Good Unless You Share It"
But a technical solution doesn't work if agencies don't use it. FedCIRC
has been working to persuade all agencies to report incidents. Some already
report security breaches and work closely with GSA when problems occur.
NASA is one of them. "We already share information manually at an abstract
level with FedCIRC, and it goes both ways," Nelson said.
But other officials must be convinced of the benefits of reporting their
security problems and vulnerabilities to people outside their agencies,
security experts say. Unless agencies share information about newly discovered
security holes and attacks, agencies that are not aware of the problems
cannot patch their systems and learn how to successfully ward off those
attacks.
"Information does no good unless you share it," said a GSA official
involved with the AIDC program.
The new direction of the intrusion-detection program outlined under
AIDC should make the prospect more appealing, agency officials say. According
to the draft RFP for AIDC, if an agency's managed security vendor detects
a potential attack, the vendor would notify the agency and FedCIRC. However,
the draft leaves open the possibility that agencies could determine what
information is passed on to FedCIRC. That would make it possible for agencies
to work with the vendor before raw security data is turned over to FedCIRC.
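As an added illustration of the two technical problems the article describes (sensors with different reporting formats that a central point must read, and an agency choosing which fields leave its network before correlation), the following Python sketch is not from the article, GSA or any vendor; the two sensor formats, the field names and the sample alerts are all constructed. It normalizes each agency's feed into one schema, applies an agency-side filter, and raises a warning when the same signature and source show up at more than one agency, which is exactly the case the opening scenario says goes unnoticed today.

```python
import csv
import re
from collections import defaultdict

# Constructed sample alerts in two made-up sensor formats (not real products).
AGENCY_FEEDS = {
    "AgencyA": ("kv", [
        'Oct  2 09:14:01 ids1 alert: sig=1042 msg="SMTP AUTH brute force" src=192.0.2.45 dst=10.1.1.25 dport=25',
        'Oct  2 09:20:33 ids1 alert: sig=2210 msg="portscan" src=198.51.100.7 dst=10.1.1.1 dport=0',
    ]),
    "AgencyB": ("csv", ["2000-10-02T10:02:17,1042,SMTP AUTH brute force,192.0.2.45,10.2.2.25,25"]),
    "AgencyC": ("csv", ["2000-10-02T11:40:05,1042,SMTP AUTH brute force,192.0.2.45,10.3.3.25,25"]),
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def normalize(agency, fmt, line):
    """Map one sensor line into the shared record schema (assumed schema)."""
    if fmt == "kv":
        f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        return {"agency": agency, "sig": f["sig"], "msg": f["msg"],
                "src": f["src"], "dst": f["dst"], "dport": int(f["dport"])}
    if fmt == "csv":
        _, sig, msg, src, dst, dport = next(csv.reader([line]))
        return {"agency": agency, "sig": sig, "msg": msg,
                "src": src, "dst": dst, "dport": int(dport)}
    raise ValueError(f"unknown sensor format: {fmt}")

# Fields the agency chooses to pass on; internal target addresses stay home.
SHARE_FIELDS = ("agency", "sig", "msg", "src", "dport")

def release_to_fedcirc(record):
    """Agency-side filter applied before a record leaves the agency."""
    return {k: record[k] for k in SHARE_FIELDS}

def correlate(feeds, min_agencies=2):
    """Central point: group shared records by signature and source and
    warn when at least min_agencies report the same one."""
    seen, msgs = defaultdict(set), {}
    for agency, (fmt, lines) in feeds.items():
        for line in lines:
            rec = release_to_fedcirc(normalize(agency, fmt, line))
            key = (rec["sig"], rec["src"])
            seen[key].add(agency)
            msgs[key] = rec["msg"]
    return {k: {"agencies": sorted(a), "msg": msgs[k]}
            for k, a in seen.items() if len(a) >= min_agencies}

if __name__ == "__main__":
    for (sig, src), w in correlate(AGENCY_FEEDS).items():
        print(f"WARNING sig {sig} ({w['msg']}) from {src} seen at {', '.join(w['agencies'])}")
```

The lone portscan at AgencyA produces no warning, while the repeated SMTP attempts from one source are flagged across all three agencies without any internal destination address leaving an agency.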
"I believe that the revised plan for assisting the agencies by providing
a managed service for intrusion detection and other optional security services
will be received positively by agencies," said John Gilligan, co-chairman
of the CIO Council's security committee. "In particular, I would suspect
that smaller agencies that do not have a large in-house [security] capability
will be most interested."
Agencies have been wary of handing over their security to a vendor
that would monitor their systems. But that attitude may be changing. The Navy
has proposed using managed security services for its $16 billion Navy/Marine
Corps Intranet, which will tie together ships and bases on one network.
And NASA is working with several vendors to include managed security services
in its Outsourcing Desktop Initiative for NASA.
Still, agencies are worried about what security information goes to
whom, Nelson said. "The real question is what's the level of data sharing
that's most useful," he said.
Playing Politics
What happens to the data after it is submitted to FedCIRC concerns privacy
advocates and some members of Congress. Since the Clinton administration
announced its intent to develop a security monitoring system in May 1999,
the plan has been to inform the FBI's National Infrastructure Protection
Center's warnings and analysis center about security incidents. The center,
which is not part of the law enforcement side of the FBI, would provide
additional analysis expertise to help FedCIRC identify attacks across government.
But some privacy advocates, members of Congress and others misinterpreted
the relationship and believed that the FBI would take part in the analysis.
Agencies, by law, are required to report any suspected criminal incidents
to the FBI. But privacy advocates worried about involving the FBI for attempted
intrusions that are not successful. If an attack is successful, privacy
advocates want to know whether the intrusion-detection system's log data
on the attack would be turned over to the FBI and what would happen to the
alleged hackers if they are caught.
"There are still questions of what happens if they do turn up what they
are calling 'anomalies,'" said David Sobel, general counsel at the Electronic
Privacy Information Center. "It raises all kinds of Wen Ho Lee questions."
Lee, a scientist at the Energy Department's Los Alamos National Laboratory,
was imprisoned for nine months under suspicion of espionage. He was released
last month after pleading guilty to one of 59 counts — a single charge of
downloading sensitive nuclear data — and receiving an apology from a federal
judge.
Privacy groups and Congress became concerned about FIDNet because of
the potential for opening up the public's private information that is stored
and transmitted by agencies. Even when it became clear that the FBI would
not be in charge of the system, many still worried that the government would
tap the Internet "line" and "watch" transactions pass into and out of agencies.
CIAO has overcome some skepticism by holding discussions with members
of Congress and their staffs, Tritak said. But the CIAO staff has met with
only a few members of Congress.
Recently, the Office of Management and Budget publicly castigated Congress
for not funding the system and other cross-agency security initiatives.
Richard Clarke, national coordinator for security, infrastructure protection
and counterterrorism at the National Security Council, said Congress deserves
an F for failing to fund proposed initiatives. He was responding to Rep.
Stephen Horn's (R-Calif.) system of grading agencies on their efforts to
fully secure their information systems. Horn's system gave the entire government
a D-minus, and he issued Fs to seven agencies ["Fed cybersecurity doesn't
hack it," FCW, Sept. 18].
The congressional appropriations committees did not return calls for
this article, and GSA would not comment until the fiscal 2001 budget is
passed. But many government officials are working on plans for continuing
to move AIDC forward even if no funding comes through.
The draft for the program is part of the existing GSA Safeguard security
contract, which means agencies will be paying for the service. This way,
GSA just needs money to launch the program and then maintain the central
warnings and analysis center.
"Some of the concepts [for FIDNet] were maybe a bit ahead of their time,"
Gilligan said. "But the general concepts are staying the same [under AIDC],
and this will definitely help increase agencies' abilities to protect themselves
and their services."