Governmentwide security surveillance net takes shape

What DOT is trying to do for a single agency, the FedCIRC hopes to do for government's entire civilian side

What the Transportation Department is trying to do for a single agency, the Federal Computer Incident Response Center (FedCIRC) hopes to do for government's entire civilian side.

FedCIRC is developing a centralized data analysis capability that will collect incident reports from agencies to see what cyberattacks are being made on government computers and, in return, provide agencies with information on how best to defend against them. At some point, the center might even be able to trigger agency defense systems to respond to an attack automatically.

"The bottom line is that this capability will help improve the situational awareness of government," said Mike Smith, director of operations and technical support at FedCIRC. "We may eventually be able to identify trends and make predictions about what the data means, so we can spot things early, even before attacks really begin."

FedCIRC is moving from its longtime home at the General Services Administration to a more central position at the new Homeland Security Department.

The array of security devices that agencies have now are all good and useful, but they only give a local perspective of what's going on in that agency, said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University and an adviser to FedCIRC on the project. What the devices don't do is say what's happening to the agency's systems in relation to what may be happening elsewhere.

"If you are experiencing a particular kind of attack, it's useful to know if other organizations are also experiencing it or if you are the only agency being attacked that way," Pethia said. "In one instance, it may just be your assets the attacker is after, but a broader attack, such as the Slammer worm [that slowed down the entire Internet in January], will be nondiscriminating."

Also, if some agencies report that they are under a particular kind of attack but others don't, he said, it could indicate that the ones being attacked don't have their firewalls properly configured, and that information could be quickly relayed to the unprotected agencies.

The process could eventually include reporting of some very "fine-grained" agency data, Pethia said. This will require consultation with agencies because each will have its own policies for privacy, confidentiality and what kind of information, such as originating IP addresses, needs to be sanitized.
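The two ideas Pethia describes, correlating one agency's incident reports against everyone else's, and sanitizing originating IP addresses before they leave the agency, can be sketched in a few dozen lines. The following is an added illustration, not FedCIRC's or CERT/CC's code, and it assumes a constructed report format (an agency name, an attack signature name and a source IP per incident) and hypothetical agency names. Sanitization here is a keyed pseudonym (HMAC-SHA256 of the address, truncated): agencies sharing the key produce the same pseudonym for the same source, so the center can still see "one source hit three agencies" without ever receiving the raw address.

```python
"""Cross-agency incident correlation with source-IP sanitization.

Added example; assumes a constructed per-agency report format and
hypothetical agency names. Not code from FedCIRC or CERT/CC.
"""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample input: what four hypothetical agencies would submit.
# agency-D submits nothing, which is itself a data point for the center.
RAW_REPORTS = {
    "agency-A": [
        {"signature": "ms-sql-slammer", "src_ip": "198.51.100.7"},
        {"signature": "ms-sql-slammer", "src_ip": "203.0.113.9"},
        {"signature": "ssh-bruteforce", "src_ip": "192.0.2.44"},
    ],
    "agency-B": [{"signature": "ms-sql-slammer", "src_ip": "198.51.100.7"}],
    "agency-C": [{"signature": "ms-sql-slammer", "src_ip": "203.0.113.9"}],
    "agency-D": [],
}


def sanitize_ip(ip: str, key: bytes) -> str:
    """Replace an originating IP with a keyed pseudonym.

    The same address under the same key always yields the same tag, so
    the center can correlate sources across agencies; without the key
    the raw address cannot be recovered from the tag.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]
    return f"src-{tag}"


def sanitize_reports(raw: dict, key: bytes) -> dict:
    """Apply sanitize_ip to every incident before reports leave the agency."""
    return {
        agency: [
            {"signature": inc["signature"], "src": sanitize_ip(inc["src_ip"], key)}
            for inc in incidents
        ]
        for agency, incidents in raw.items()
    }


def correlate(reports: dict, broad_threshold: float = 0.5) -> dict:
    """Central analysis over sanitized reports from all participating agencies.

    For each attack signature, returns:
      kind           - "broad" if at least broad_threshold of agencies saw it,
                       otherwise "targeted" (Pethia's single-victim case)
      affected       - agencies that reported it (for a broad attack these
                       are the ones whose defenses may need checking)
      not_reporting  - agencies that did not report it
      shared_sources - pseudonymized sources seen by more than one agency
    """
    seen_by = defaultdict(set)                     # signature -> agencies
    by_source = defaultdict(lambda: defaultdict(set))  # signature -> src -> agencies
    for agency, incidents in reports.items():
        for inc in incidents:
            seen_by[inc["signature"]].add(agency)
            by_source[inc["signature"]][inc["src"]].add(agency)

    all_agencies = set(reports)
    analysis = {}
    for sig, agencies in seen_by.items():
        share = len(agencies) / len(all_agencies)
        analysis[sig] = {
            "kind": "broad" if share >= broad_threshold else "targeted",
            "affected": sorted(agencies),
            "not_reporting": sorted(all_agencies - agencies),
            "shared_sources": sorted(
                src for src, seen in by_source[sig].items() if len(seen) > 1
            ),
        }
    return analysis


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # in practice distributed to participants out of band
    for sig, info in correlate(sanitize_reports(RAW_REPORTS, KEY)).items():
        print(sig, info)
```

Run as a script it classifies the Slammer-style signature as broad (three of four agencies) with two sources common to more than one agency, and the SSH signature as targeted at a single agency; the printed output contains only pseudonyms, never the constructed raw addresses.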

FedCIRC is in the initial stages of pulling this data analysis capability together, Smith said. In February, the center released a request for information calling for industry leaders to join the Internet Engineering Task Force's efforts to develop common incident data formats.
