[ISN] New Cybersecurity Center To Warn Law Enforcement Of Critical Infrastructure Attacks

InfoSec News isn at c4i.org
Fri Aug 26 04:19:24 EDT 2005


http://informationweek.com/story/showArticle.jhtml?articleID=170000319

By Larry Greenemeier
InformationWeek
Aug. 24, 2005

With about 85% of the nation's critical infrastructure--energy
utilities, manufacturing and transportation facilities,
telecommunication and data networks, and financial services--in the
private sector, it's no wonder there have been so many attempts to
create services that keep these companies apprised of threats to their
IT networks. But there's a problem: Most companies aren't eager to
share their adventures in cybersecurity with each other or the
government.

Keeping this in mind, several Philadelphia-area businesses and
organizations are testing out a new model called the Cyber Incident
Detection & Data Analysis Center, or CIDDAC, which lets private-sector
entities anonymously share cyberthreat and attack data with their
peers and government agencies such as the Homeland Security Department
and the FBI without that data being subject to law-enforcement audits.

CIDDAC arose out of the deficiencies in the different organizations
already working on cybersecurity, says Brad Rawling, a CIDDAC board
member. A major sticking point that has hindered other attempts to
create cyberattack-reporting infrastructures is the concern by
businesses and other organizations that their proprietary information
will be made public. Once information about a company's inner workings
and security issues is documented by the government, that proprietary
information may become fair game for Freedom Of Information Act
requests by the press and public. CIDDAC circumvents this sticky
situation because it's not a government entity and it doesn't provide
specific information to members or law enforcement about the identity
of the organization reporting a cyberattack.

Participation in CIDDAC is voluntary. Since its April debut, the
effort has been funded with about $100,000 in contributions from
members, as well as $200,000 from the Homeland Security Department's
Science and Technology Directorate. CIDDAC is searching for an
additional $400,000 in funding to move it from the pilot stage to a
point where data can be collected and shared and the program can
sustain itself. Membership will cost $10,000 per year and will include
one sensor, a year of monitoring service, and access to CIDDAC
reports.

CIDDAC's services are expected to be fully functional by the end of
the year. The organization is piloting its sensor technology and
reporting system at test locations in Philadelphia, southern New
Jersey, and North Carolina. The next phase of testing, as CIDDAC
receives production models of its network sensors over the next month
and a half, will include as many as 10 large companies and
institutions that have volunteered to participate and to whom CIDDAC
has promised anonymity.

The University of Pennsylvania has donated lab space, E-mail listserv
services, and Internet access via its Institute of Strategy Threat
Analysis and Response for CIDDAC's pilot phase, although the
initiative may have to look elsewhere for a permanent home.

A company called AdminForce Remote LLC has developed the underlying
real-time cyberattack-detection sensor technology that CIDDAC uses to
gather information from its members' networks, and AdminForce chairman
and CEO Charles Fleming serves as CIDDAC's executive director. Board
members include Liberty Bell Bank chief technology officer Brian
Schaeffer, Federal Reserve Bank of Philadelphia director of
information security Keith Morales, Air Products and Chemicals Inc.
computer crime investigator Lance Hawk, and Kema Inc. senior principal
consultant Scott Mix. FBI special agent John Chesson and Homeland
Security Department director of privacy technology Peter Sand have
served as advisers to the CIDDAC effort.

As envisioned, a CIDDAC member deploys AdminForce's sensors within
its corporate network. If an intruder attempts to hack or penetrate
the system, this intrusion-monitoring device sends a message to law
enforcement and to other CIDDAC participants but withholds the identity
of the reporting entity. CIDDAC's plan is to provide members with
trend-analysis information about specific intrusion activity that they
can use to assess risks to their own networks.

CIDDAC's arrival is timely. This year's FBI Computer Security
Institute computer crime and security survey results, based on the
responses of 700 computer security practitioners in U.S. companies,
government agencies, financial institutions, medical institutions, and
universities, indicate that the percentage of organizations reporting
computer intrusions to law enforcement continues to decline. Only 20%
of organizations reported cyberattacks to law enforcement, while only
12% reported such attacks to legal counsel. The key reason cited for
not reporting intrusions to law enforcement is the fear of
negative publicity.

FBI Director Robert Mueller has acknowledged organizations' reluctance
to air their dirty cyber laundry in public, which can hurt their image
and give rivals an edge. Mueller made these comments earlier this month
at a conference hosted by InfraGard, an FBI program begun in 1996 in
Cleveland as a local effort to gain support from the IT industry and
academia for the FBI's cybersecurity investigative efforts. The program
expanded nationally through the late 1990s.

At the conference, Mueller likened a malicious command sent over a
network to harm a power station's control computer to being as deadly
as a backpack full of explosives.

The FBI is expected to receive CIDDAC-generated law-enforcement
incident reports when different criminal thresholds are exceeded.
Homeland Security is likewise expected to be a consumer of CIDDAC
reports. The FBI will use CIDDAC incident reports to initiate
preliminary investigations to determine the magnitude of the
cyberthreat, Rawling says. Such reports could be used as a basis to
justify opening a criminal or intelligence case, for example, but are
not expected to be used as evidence to be presented in a court of law.
"The FBI must use the tools they have to build a case without
revealing the identity of the source," Rawling adds.

CIDDAC is by no means the only organization established to provide
business-technology managers with information about cyberthreats. The
new effort most closely resembles the SANS Institute's Internet Storm
Center, although that service has no direct link with federal law
enforcement. CIDDAC is also targeting large companies with similar IT
security needs. The Internet Storm Center uses the DShield distributed
intrusion-detection system technology to collect data from users'
intrusion-detection logs and disseminate this information to other
users. DShield is a piece of freeware maintained by the SANS
Institute. The Internet Storm Center, a free service, lets users
submit firewall logs anonymously, but they must register with the SANS
Institute to view an archive of the firewall logs they submitted to the
DShield database in the past 30 days and to get confirmation of log
submissions.
