By Brian Krebs
washingtonpost.com Staff Writer
Friday, January 31, 2003
The Bush administration is quietly assembling an Internet-wide monitoring center to detect and respond to attacks on vital information systems and key e-commerce sites. The center, which has been in development for the past 15 months, is a key piece of the White House's national cybersecurity strategy and represents a major leap in the federal government's effort to achieve real-time tracking of the Internet's health.

The "Global Early Warning Information System" (GEWIS, pronounced "gee-whiz") is being built by the National Communications System (NCS), a Defense agency established in 1962 to ensure that the government has access to adequate communications systems during national emergencies. It is unrelated to the Total Information Awareness program, a planned Defense Department program that would actively mine databases worldwide to uncover terrorist and other threats.

The NCS started building the GEWIS system shortly after the Sept. 11, 2001, terrorist attacks, when it began asking major Internet and telecommunications providers to sell "real-time" data about the status of their networks, said NCS Deputy Manager Brent Greene.

The NCS has spent an undisclosed sum of money to buy data from the members of the National Coordinating Center for Telecommunications, an NCS information sharing group established during the Clinton administration that includes some of the largest telecom and Internet service providers in the world, including WorldCom, Verizon, Sprint, SBC Communications, Qwest and BellSouth.

Greene said the agency now receives data from several key telecom and
Internet service providers, and in the next two months hopes to launch the first stage of its pilot project, which will combine the information into a graphical view of the health of the Internet.

The White House believes the monitoring center is necessary because no single entity in the government or private sector has more than a limited view of the global communications network.

"Nowhere do you see everything that is happening on the Internet," said White House cybersecurity adviser Richard Clarke at a recent public appearance in Washington. "Nowhere do you see the big board."

With Clarke's help, the NCS secured $5 million in 2002 for the GEWIS program.

The NCS is co-managed by the White House and the head of the Defense Information Systems Agency, which is responsible for guarding the communications infrastructures of the military and intelligence communities. On March 1, the NCS will be folded into the Department of Homeland Security, along with four other federal cybersecurity divisions.

GEWIS has proven a tough sell for some ISPs, in part because of the
way the government initially pitched its request for data. NCS first asked about the possibility of receiving live feeds from ISPs, with few restrictions on the amount or scope of data requested, according to several providers.

"We were led to believe that some contractors [working on GEWIS] may have gotten a little over-enthusiastic about what kinds of information they could get," said Stewart Baker, a former deputy director for the National Security Agency, and currently an attorney representing several ISPs. "Exactly what will be pulled together by GEWIS and what will be the role of companies asked to participate is all still up in the air."

The program has left other ISPs wondering how GEWIS differs from the "network operations center" outlined in the Bush administration's draft cybersecurity plan. The center, which would be run by the private sector, would link the network security operations of numerous telecommunications providers for the purpose of sharing information on specific cyber threats.

Clarke's deputy, Howard Schmidt, said GEWIS is a far less ambitious
program than the network operations center. Instead, GEWIS would give the government the ability to spot cyberattacks before they become a worldwide problem and would use aggregate data to model the effects of a virus or cyberattacks on key systems, Schmidt said.

"GEWIS is merely a tool that would be looking at the Internet from the government's perspective," he said. "The effort mentioned in the cyber plan asks what are the bigger things that government may not need to know about but that the private sector should do a better job coordinating on?"

The NCS's Greene said the government is taking steps to ensure that the center does not collect personal information from ISPs. He said ISPs can use "software tools" to limit the amount of information transmitted to NCS while still allowing the agency to spot major problems with the Internet, such as denial-of-service attacks and computer viruses capable of crippling government and commercial activity online.

"We certainly don't want to get into the level of detail where we
create the perception of government getting into stuff that a lot of people don't want the government to see," Greene said. "We think this is very doable, but it can only be done in a partnership with industry, and we have to be careful not to do anything to undermine that."

The NCS already receives real-time data from Verisign Corp., which oversees two of the Internet's 12 root servers that tell computers around the world how to reach key Internet domains. The company gave the government a software tool that allows the NCS to monitor the health of all 12 root servers for free.

The NCS also contracted to receive information from Keynote, a company
that monitors the performance of major e-commerce Web sites. In addition, Lumeta Corp., a Somerset, N.J.-based Bell Labs spinoff, sold the NCS large amounts of data pinpointing thousands of the most crucial routers on the Internet. Lumeta chief scientist Bill Cheswick helped create the first map of the Internet, which has been used to study Internet routing problems and distributed denial-of-service attacks.

One of the first companies successfully approached by the NCS was Boston-based Akamai Technologies, a company that makes software to monitor Web traffic for suspicious events. The company also sells a product that identifies the geographic location and network origin of visitors accessing customers' Web sites. Akamai CEO George Conrades is a board member of the Internet Corporation for Assigned Names and Numbers (ICANN), the company that manages the Internet's worldwide addressing system.

To build on that level of industry cooperation, the NCS has recast its
approach and plans to hold a workshop in March to address industry concerns about GEWIS. Greene said that GEWIS's goal is "not to become a secretive place that holds terabytes of data that we're off doing analysis on."

The administration hopes that GEWIS will benefit from the level of trust that the NCS has gained in developing a related project known as the Cyber Warning Information Network (CWIN).

Under construction since early 2001, CWIN will be a separate data network that government and leaders in the telecom and Internet industries can use as a hotline to share information or stay in touch in the event of crisis or attack that takes out the World Wide Web.

Developed under contract by AT&T Corp., CWIN terminals have recently
been installed at several major telecom and Internet service providers. NCS hopes to build the network out to small and regional service providers in the coming months.

Many service providers that expressed uneasiness over GEWIS view CWIN as an essential step toward a more cooperative approach between the government and the private sector.

"This boils down to a trust question: How much does the government trust industry to manage these systems effectively, and to what degree does industry trust the government to handle all this data?" said Cristin Flynn, spokeswoman for WorldCom.

"I think there's an inclination on the part of ISPs to participate in that in good faith without setting off the alarm bells that some of the more ambitious proposals set off," Flynn said. "We think CWIN is a good way to build that trust, sort of like dating before we get married."

Mark Rasch, former head of the Justice Department's Computer Crime division, questioned the need for GEWIS. With most Internet attacks, he said, by the time you notice a huge spike in traffic, it's already too late to head off disruptions.

"Slammer made that fact very clear," Rasch said of the Internet worm that infected nearly 200,000 computers within a few short hours early Saturday morning.