- By Diane Frank
- Oct 02, 2000
Five civilian agencies separately notice repeated attempts from an unauthorized
user to access their e-mail systems. Each of the agencies' information administrators,
unaware that other agencies are under attack, blocks the security hole the
attacker has exploited, successfully shutting out the hacker. The administrators
log the incidents, and satisfied that they have foiled the attack, they
move on to other business. They give no warning to other agencies about
Hours later, the hacker attacks another agency's e-mail system, exploiting
the same hole that the first five agencies blocked. But this time, the hacker
gains entry, cripples the system and steals hundreds of passwords, possibly
gaining access to sensitive information.
This cyberattack, although fictitious, could easily occur. This scenario — hackers jumping from one agency to another until they successfully break
through a system's firewall — is what federal security officials are trying
to prevent. To do so, security groups — including the General Services Administration's
Federal Computer Incident Response Capability (FedCIRC), the National Security
Council and the Critical Infrastructure Assurance Office (CIAO) — want to
develop a federal program that provides systems administrators with a picture
of security breaches, such as unauthorized use, and intrusions across government.
By quickly showing the cyberattacks that other agencies are encountering,
security officials say they can block more attacks on federal systems and
thereby protect personal and agency information residing in databases.
What's at stake is the security of Americans' private information — such as Social Security numbers and health records — sensitive and classified
information for national defense, and other material stored in thousands
of databases governmentwide. "This [monitoring system] is needed; we cannot
expect agencies to truly be able to secure their systems without the understanding
of the vulnerabilities and risk that this system will bring," said John
Tritak, director of the Clinton administration's CIAO.
But for more than a year, GSA, the CIAO and other security groups have
run into major obstacles in their effort to build a monitoring system. The
program faces technical hurdles in assembling a governmentwide system that
not only shares information within agencies but also among agencies. In
addition, proponents of the system face the tough job of persuading agencies,
which may not want to broadcast their security weaknesses, to share cyberattack
The security groups must also negotiate a political minefield, in which
the system has been viewed as a Big Brother approach that may put private
information at risk, and some members of Congress have vowed to never fund
it. The thorniest problem could be the basic issue of deciding what information
will be collected, who will collect it and how it will be used.
Many fear that unless a system is put in place before the change in
administration this year, the program could die.
From FIDNet to AIDC
For more than a year, under the guidance of GSA's FedCIRC, the Clinton
administration has been working on building a system called the Federal
Intrusion Detection Network (FIDNet), which would monitor federal systems
for cyberattacks, analyze where the attacks are coming from, determine if
there is any pattern and then send out warnings to agencies if necessary.
But in comments submitted to GSA in June, security contractors said
the best way to develop such a monitoring system was to use so-called managed
security services rather than a governmentwide system such as FIDNet.
Under the managed security services model, a con-tractor would analyze
the data that individual agency intrusion- detection systems generate and
look for patterns or possible holes in systems. When a potential problem
is found, the vendor would follow procedures outlined by the agency for
alerting agencies' system administrators and helping them respond.
GSA and other security groups have modified the request for proposals
for FIDNet and originally renamed the system the Enhanced Intrusion Detection
Capability, which was later changed to Automated Intrusion Detection Capability
(AIDC). Based on commercial products, this solution will take the managed
security services concept one step further and establish a central point
for correlating the information that each agency chooses to provide to FedCIRC.
According to the new draft RFP issued last month, "The intended [AIDC]
solution(s) will improve computer security across U.S. government agencies
and in the process will provide the federal civilian government its first
line of defense against computer intrusions."
Pushing the Technology Envelope
When GSA started working on FIDNet, it wanted more than the typical
intrusion-detection technology, which, for the most part, only detects known
security vulnerabilities. GSA wanted technology that could determine patterns
in a cyberattack so that security experts could detect and block attacks
that had never been seen before.
The initial draft RFP for FIDNet released in June included aspects of
both a solution developed specifically for government and one based on commercial
products. Now with AIDC, GSA is focusing on the commercial market's hottest
offering, managed security services, which vendors said should be much easier
"We still have some technical questions, but there are not any showstoppers,"
said Richard Smith, vice president of federal operations at Internet Security
But some are still concerned about getting data from many different
agencies and systems to come together in a single picture that tells security
analysts what they need to know in a way they can understand.
Each agency is using different commercial intrusion-detection systems,
with sensors that use different reporting protocols. This makes it almost
impossible for sensors from one system to be read by the management console
of another. The problem is multiplied by the fact that even within a single
agency or department, individual offices may be using their own intrusion-detection
systems. So there may be many different data formats within just one agency,
which all must be brought together. "Getting that data in a compatible format
is a nontrivial technical issue," said David Nelson, deputy CIO at NASA
and the official overseeing the agency's security issues. "It can be done,
but it is very difficult."
"No Good Unless You Share It'
But a technical solution doesn't work if agencies don't use it. FedCIRC
has been working to persuade all agencies to report incidents. Some already
report security breaches and work closely with GSA when problems occur.
NASA is one of them. "We already share information manually at an abstract
level with FedCIRC, and it goes both ways," Nelson said.
But other officials must be convinced of the benefits of reporting their
security problems and vulnerabilities to people outside their agencies,
security experts say. Unless agencies share information about newly discovered
security holes and attacks, agencies that are not aware of the problems
cannot patch their systems and learn how to successfully ward off those
"Information does no good unless you share it," said a GSA official
involved with the AIDC program.
The new direction of the intrusion-detection program outlined under
AIDC should make the prospect more appealing, agency officials say. According
to the draft RFP for AIDC, if an agency's managed security vendor detects
a potential attack, the vendor would notify the agency and FedCIRC. However,
the draft leaves open the possibility that agencies could determine what
information is passed on to FedCIRC. That would make it possible for agencies
to work with the vendor before raw security data is turned over to FedCIRC.
"I believe that the revised plan for assisting the agencies by providing
a managed service for intrusion detection and other optional security services
will be received positively by agencies," said John Gilligan, co-chairman
of the CIO Council's security committee. "In particular, I would suspect
that smaller agencies that do not have a large in-house [security] capability
will be most interested."
Agencies have been wary of handing over their security to a vendor
that would monitor its systems. But that attitude may be changing. The Navy
has proposed using managed security services for its $16 billion Navy/Marine
Corps Intranet, which will tie together ships and bases on one network.
And NASA is working with several vendors to include managed security services
in its Outsourcing Desktop Initiative for NASA.
Still, agencies are worried about what security information goes to
whom, Nelson said. "The real question is what's the level of data sharing
that's most useful," he said.
What happens to the data after it is submitted to FedCIRC concerns privacy
advocates and some members of Congress. Since the Clinton administration
announced its intent to develop a security monitoring system in May 1999,
the plan has been to inform the FBI's National Infrastructure Protection
Center's warnings and analysis center about security incidents. The center,
which is not part of the law enforcement side of the FBI, would provide
additional analysis expertise to help FedCIRC identify attacks across government.
But some privacy advocates, members of Congress and others misinterpreted
the relationship and believed that the FBI would take part in the analysis.
Agencies, by law, are required to report any suspected criminal incidents
to the FBI. But privacy advocates worried about involving the FBI for attempted
intrusions that are not successful. If an attack is successful, privacy
advocates want to know whether the intrusion-detection system's log data
on the attack would be turned over to the FBI and what would happen to the
alleged hackers if they are caught.
"There are still questions of what happens if they do turn up what they
are calling "anomalies,'" said David Sobel, general counsel at the Electronic
Privacy Information Center. "It raises all kinds of Wen Ho Lee questions."
Lee, a scientist at the Energy Department's Los Alamos National Laboratory,
was imprisoned for nine months under suspicion of espionage. He was released
last month after pleading guilty to one of 59 counts — a single charge of
downloading sensitive nuclear data — and receiving an apology from a federal
Privacy groups and Congress became concerned about FIDNet because of
the potential for opening up the public's private information that is stored
and transmitted by agencies. Even when it became clear that the FBI would
not be in charge of the system, many still worried that the government would
tap the Internet "line" and "watch" transactions pass into and out of agencies.
CIAO has overcome some skepticism by holding discussions with members
of Congress and their staffs, Tritak said. But the CIAO staff has met with
only a few members of Congress.
Recently, the Office of Management and Budget publicly castigated Congress
for not funding the system and other cross-agency security initiatives.
Richard Clarke, national coordinator for security, infrastructure protection
and counterterrorism at the National Security Council, said Congress deserves
an F for failing to fund proposed initiatives. He was responding to Rep.
Steph-en Horn's (R-Calif.) system of grading agencies on their efforts to
fully secure their information systems. Horn's system gave the entire government
a D-minus, and he issued Fs to seven agencies ["Fed cybersecurity doesn't
hack it," FCW, Sept. 18].
The congressional appropriations committees did not return calls for
this article, and GSA would not comment until the fiscal 2001 budget is
passed. But many government officials are working on plans for continuing
to move AIDC forward even if no funding comes through.
The draft for the program is part of the existing GSA Safeguard security
contract, which means agencies will be paying for the service. This way,
GSA just needs money to launch the program and then maintain the central
warnings and analysis center.
"Some of the concepts [for FIDNet] were maybe a bit ahead of their time,"
Gilligan said. "But the general concepts are staying the same [under AIDC],
and this will definitely help increase agencies' abilities to protect themselves
and their services."