Looking for trouble

The good thing about a national cybersecurity early warning system — called for by the Bush administration and finally on the drawing board — is that just about everyone now agrees it's necessary. Deciding exactly how it will be built and operated, however, could take a lot longer. Nevertheless, the rough outlines of the system and the technical and policy challenges it presents are coming into focus.

Here's how the system, which the private sector will run, is expected to work: Intrusion-detection systems and other security devices already in place in government and across industry would send out alerts at the first signs of possible cyberattacks. The alerts would be collected at a central point and compared to known dangers. If the threat is considered significant, the system would send a warning to appropriate authorities so they could respond with measures to limit potential damage.

A first early warning system might do nothing more than issue e-mail messages to selected network officials. A later, more sophisticated system would include the ability to automatically turn off or throttle down various parts of the Internet to contain a threat.

Bush administration officials first called for such a national early warning system in their Cyber Security Plan issued in September 2002. More than a year later, industry and government representatives finally met to thrash out a plan. The National Cyber Security Summit, held in Santa Clara, Calif., in December 2003, made an early warning system one of the five pillars of a cybersecurity strategy and instructed a task force to publish plans for developing such a system by next month.

Whatever that document may contain, it's unlikely to include precise details of how such an early warning system would be constituted.

"There are some concrete things we are trying to put some substance to," said Guy Copeland, vice president for information infrastructure advisory programs at Computer Sciences Corp. and co-chairman of the early warning task force. "For example, if you have an early detection system [and] you know [an attack] is unfurling and you need to let various groups know about it, then you need an intelligent call list so you can get the information quickly to the right people."

But even that basic requirement

isn't in place yet. Warnings about possible security events now are spread through informal links among people, he said, and this can move swiftly when it needs to. However, such efforts must be more formally organized if they are to be part of an automated notification system, he said.

"Just don't expect this to be in place by March," Copeland warned. "We could pull it together pretty quickly, but first the method and means of calling need to be identified."

The March document will mainly mark "a first stake in the ground" for a cybersecurity early warning system, he said. It will do no more than identify possible early payoffs, longer-term goals and a process that will help people become "smarter about early

warning."

To a large extent, putting together an early warning system is not really a technical issue, because much of the technology required already exists, said Col. Daniel Ragsdale, director of the U.S. Military Academy's information and technology operations center and a member of the early warning task force.

For example, there is a "widespread consensus" that the necessary data-sharing technology is in place, Ragsdale said. The main challenges are more policy oriented, such as how that data will be shared.

Open research issues concern the correlation of large volumes of data from a number of geographical locations, he said, along with such issues as data mining and information fusion. Those issues "are not fully formed yet," he said.

Ragsdale expects the March document to provide "measurable milestones" needed to come up with solutions, but as for an early warning system, "that's still several years away," he said.

One thing a national early warning system will need is speed, well beyond even what more focused systems are capable of now. As was apparent when the SQL Slammer worm hit the Internet at the beginning of 2003, future cyberattacks may give very little time for detection and response.

The Slammer worm infected only a couple of servers at first — perhaps just one. Then millions of database calls were sent randomly to servers all over the world. Within minutes, the worm had spread globally, eventually causing more than $1 billion in damage. The full extent of the assault may never be known.

"It took hours for people then to get a situational awareness of things," said Robert Gray, a senior research engineer with the Institute for Security Technology Studies (ISTS), a federally funded organization located at Dartmouth College. "Any early warning system would have to be able to detect within just a few seconds that [an attack] is taking place."

ISTS managed the first nationwide simulation of a cyberattack on both public and private organizations in October 2003. The findings of the simulation, called Livewire, are expected to form a major part of the planning for any cybersecurity early warning system.

There are already multiple projects under way to look at network latencies, routing stability, intrusion detection and other tools that would indicate that something out of the ordinary is happening on the network. But, once again, the problem is in making sense of all the information.

"We need better fusion algorithms to separate the noise from the real information" about those events, Gray said. "That's probably the most important thing and also one of the hardest to implement."

After detection comes response, which many experts see as an equally vital part of an early warning system. But it is not an easier problem to solve.

For one thing, according to Rob Clyde, chief technology officer for security firm Symantec Corp. and a task force member, there are literally thousands of attacks hitting the Internet at any one time, so there must be a way to rate the seriousness of each attack.

He suggests that a rating system similar to the Homeland Security Department's color-coded terrorist threat level might be in order. "We need to know whether high-level attacks are occurring or not, and therefore which should be paid the closest attention," he said.

This will require the development of more consistent frameworks and models for deciding which attacks are the most serious, he said. Once a threat rating is made, a response has to be dictated almost instantly to stop or slow the attacks, suggesting the need for an automated response system, according to Gray.

However, deciding how to deploy network devices to automatically turn various systems off or throttle traffic down — often in the face of resistance from administrators who have traditionally fought against any automated changes to their networks — will be difficult.

"It's a big challenge," Gray said.

Whatever warning system is eventually implemented, few believe it will have any permanent form.

For one thing, said J.F. Mergen, chief scientist for Verizon's Federal Network Systems group, such a static infrastructure would have to be designed to cover the threat situation this year and inevitably would have to be rebuilt to meet future threats. Also, adversaries looking for potential holes could examine a permanent infrastructure at their leisure over time, he said.

Instead, Mergen advocates a system that could be quickly built up and brought down as needs dictate.

"The degree of connectivity you would like to cover all eventualities may not be continuously available," he said. "If there are indicators and warnings of an event that need to be shared in certain areas and among certain people, then a system can be quickly brought up to cater for that."

The technology, through tools such as virtual private networks, already exists to do that, he said.

"The network shouldn't be a huge flywheel that tears [this early warning system] apart," Mergen said.

With the changing nature of threats to cybersecurity, where one attack never looks exactly the same as another, an early warning system has to be an incremental and evolving capability from Day One, according to Amit Yoran, director of DHS' National Cyber Security Division.

"Our goal would be to have a very flexible, adaptive network" to carry the early warning system, he said.

Determining how quickly this system comes together depends on several factors, and technology is probably the least of it, said John Pescatore, and an analyst with Gartner Inc.

"There are rapid ways to put a meaningful early warning system together using the big Internet backbone providers such as AT&T or [MCI's] UUNet," he said. "They see early all of the things that happen on the network."

But the federal government wants the early warning system to have a direct tie-in to other entities, such as banks and utilities, he said, and that's where issues greater than technology come into play. That leads to concerns over security, public access to shared data and so on.

"That means decisions will have to be made about how data is collected and sanitized, and while it can be done, it will take a lot longer to decide those things than people realize," Pescatore said. "An early warning system that adds value to what we have now is probably several years away."