Cybersecurity One Year After Sept. 11 Attacks
Guest: Alan Paller, Director of Research for the SANS Institute
Wednesday, Sept. 18, 2002
Alan Paller runs research programs for the SysAdmin, Audit, Network, Security Institute, a leading information security and education organization. Commonly referred to as SANS, the organization was founded in 1989 to support research and information sharing into IT security and to provide training for security experts worldwide. Its members include government officials, academic experts and corporate officers.
Paller was online on Wednesday, Sept. 18, to discuss the Bush administration's cybersecurity efforts and the continuing threats to America's critical IT infrastructure. Washingtonpost.com staff writer Brian Krebs moderated the discussion.
Background on Paller: Alan Paller was one of the Internet leaders who met with President Clinton in the aftermath of the February 2000 denial of service attack that disabled Yahoo, eBay, and Dell, and was the expert witness in the trial of MafiaBoy, the hacker who admitted launching those attacks. Alan is also the director of Internet Storm Center, the Internet's early warning system for worms, and led the creation of consensus documents ranging from the SANS/FBI Top Twenty Internet Security Vulnerabilities to step-by-step guides to securing many of the most popular operating systems.
An Edited Transcript Follows:
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Brian Krebs: Welcome, Alan, and thank you for joining us today. As you might expect, the majority of the questions we've received relate to the national strategy for securing cyberspace that the Bush administration released today. The White House has received a lot of criticism for making this another draft and from those who say it capitulated to business interests by removing some of the toughest recommendations for the private sector. Do you think this is a fair criticism? What, if anything, would you like to see included in the final version of the report?
Alan Paller: Thanks for the opportunity, Brian. And I don't want to rain on the parade of criticism, but it is awfully easy to criticize strategies, especially when they are trying to balance competing interests from good people. Many of the criticisms are fair, but I think our job as informed citizens right now is to find the good things in the strategy, celebrate them, and implement them. And while we are doing that we should be looking for ways to improve the strategy.
For me the overarching achievement of this strategy is that it changes the national policy from a focus on threats and risk analysis to a policy of vulnerability elimination – they call it vulnerability remediation. And they provide at least two key programs – one in government and one in the private sector – to make that happen.
We have hard evidence that the only effective technical approach to reducing the threats from cyber attacks lies along the vulnerability elimination path. So this one shift, alone, is worth our strong support.
One other aspect of this same strategy change is a coming shift in what government contractors do to make money in security. Too many contractors have been making money writing reports for Government Information Systems Reform Act (GISRA) that point out vulnerabilities and problems. Unless we ask those same people to be responsible for actually fixing the problems they see, rather than just pointing them out, our defenses will never match the offensive weapons of the attackers.
Arlington, Va.: How much capability does a terrorist organization such as al-Qaeda, which is based in a technologically unadvanced country, have to dismantle American systems? How much damage do you think they could do, and what systems are in place to prevent that?
Alan Paller: One of the greatest threats is a combination of a physical attack and a cyber attack. For example, bombs that create a huge demand for emergency services along with a denial of service attack on the computers and networks used to gather and respond to emergency calls. No advanced technological skills are required to do either part of that attack. Hence any terrorist group could do it – even those coming from less technologically advanced societies.
The only defense against that type of attack is to remove the systems that are used for denial of service – and that requires vulnerability elimination on all systems, not just the very important ones.
Frostburg, Md.: Richard Clarke is not being entirely truthful when he contradicts reporters who quote people talking about what tanked this plan – or at least set it back a good deal; there was a big breakdown in this process. If he's such an outspoken guy, why does he insist on hewing to the industry line now? Is he sniffing around for a bigger job in the homeland security agency if one ever gets approved?
Alan Paller: Your presumption is not correct in my opinion. To leave out some ideas and put in others is not selling out. But you are correct that industry is pressing the government to "leave them alone." They claim that they can fix this problem without government intervention. Industry has completely failed to fix the problem and big computer companies take advantage of government inaction to allow them to make the problem worse every day that they deliver more vulnerable systems.
It isn't Dick Clarke who makes the policy of non-intervention. It is the President. And it is not a Republican vs. Democrat issue. Some of the first words out of President Clinton's mouth when he met with industry and us after the Yahoo and eBay attacks were, "We believe the answer lies in voluntary action and do not intend to try to solve the problem through regulation." So it has been the policy of the United States for at least two administrations.
I think the world has learned that the policy is wrong and ought to be changed, but the authors of this new Cyber Security strategy are not in a position to make the change.
Montreal, Quebec: Greetings from Canada!
I noticed that a Canadian defense official is showing up at today's events (at least, she's scheduled to). What's the international angle on this "national" cybersecurity plan?
Alan Paller: The fundamental international imperative is that attacks emanating anywhere on the Internet can affect people all over the world. There are no effective national boundaries in cyberspace. In other words, if we were to do a good job of protecting all the systems in Maryland, unprotected systems in Virginia can still be used by attackers to take Maryland systems offline. The same holds true for countries. It is important that the innovations discovered in other countries are used here, and I would hope that innovations discovered here can be of value to other countries.
Arlington Va.: Much is made of the fact that virtually all of the critical infrastructure that we are so intent on protecting is in the hands of private entities. Despite all the hoopla about the national plan, how much can the Bush administration do to safeguard our electronic borders?
Alan Paller: I was in a fascinating meeting two weeks ago in New York at which representatives of the insurance companies that are offering cyber insurance said to government officials, "Please develop benchmarks for safe configuration of systems. We'll adopt them." They went around the room and representatives of every insurance company nodded or expressed their support for the idea.
On July 18, the government and about 100 commercial user organizations announced the first such benchmarks – in this case for Windows 2000 Professional. My understanding is that standards for Cisco IOS, Sun Solaris, and many other operating systems are nearly complete. You can download preliminary versions of the benchmarks from the not-for-profit Center for Internet Security site (www.cisecurity.org), and they also have free tools that you can use to test your machines. Benchmarks without testing tools are impotent. But with testing tools they are a lever that management and security staff can use to improve security rapidly and inexpensively.
So the answer to your question is that government – under the leadership of NIST, GSA, NIPC, the National Security Agency, and DISA – is already doing what is needed to get industry to act. Industry is thirsty for benchmarks. Just delivering them will have a profound effect. And very soon after they are delivered, insurance companies and consumers will simply say no to organizations that do not meet the minimum standards of care reflected in the benchmarks.
Washington, D.C.: I went to the Internet Storm Warning site linked to from this Web chat page, and for the life of me I couldn't figure out what the site does. Can you break it down in English for this tech-challenged reader? Thanks.
Alan Paller: Sure. Storm Center (not Storm Warning) is the Internet's Early Warning System. It was Storm Center that found the Lion worm and stopped thousands of password files from being sent to china.com. It was Storm Center that found the Leaves worm and helped lead to the capture of its author. And it was Storm Center that provided much of the data you saw reported in the press for Code Red last summer.
It works a little like the old-fashioned weather reporting where people had rain gauges in their yards and called the radio and TV stations to tell them how much rain was falling. Storm Center gathers data electronically from thousands of systems around the world and searches for patterns that signify new attacks. Everyone involved is a volunteer – we pay for the computers and analysis staff, and individual companies and home users around the world supply the data. The best thing that has happened to Storm Center happened last night when Check Point (the company that supplies over 60% of all firewalls and VPNs in large organizations) announced that all 230,000 of its customers' systems would have a Storm Center data gathering tool and Check Point customers can supply data if and when they choose. That will radically improve the sensitivity of Storm Center and lead to much better early warnings.
The page you see at isc.incidents.org shows the summary data. It is easy for advanced intrusion detection analysts to understand but is a little arcane for normal folks. On the other hand, Storm Center does provide easy-to-understand, private data about who is attacking everyone who supplies information, and has a fight-back system that informs ISPs when one of their clients is attacking lots of people on the Internet. It is responsible for getting thousands of infected (and dangerous) systems removed from the Internet.
Washington, D.C.: What about industry's argument that it's impossible for the government to write IT security regulations in a timely manner, and esp. impossible to write regulations that would remain applicable as the security threat continues to evolve?
Alan Paller: Balderdash. That is about as true as saying that the FAA cannot write safety regulations for airplanes. Of course they can and do. The next time you find someone saying that, ask them if they want the FAA to be put out of business and leave the manufacturers and airlines to decide day by day, based on their current economic strength, how much safety to build into airplanes and how many maintenance checks to do.
Silver Spring, Md.: Who in Congress "gets it" when it comes to cybersecurity, in your opinion?
Alan Paller: Many of the members of both houses understand the issues as soon as they are explained to them, but too many of the people in a position to make a difference seem to be championing the interests outlined by commercial IT vendors and their trade associations. There are two members from Virginia, Senator George Allen and Representative Tom Davis, who are in unique positions to be real leaders in protecting the Internet and moving us into a safer posture. I really hope they do.
Washington, D.C.: Follow-up on the regulations question. I'm sympathetic to your response, but the technology of airplanes doesn't change much month-to-month or even year-to-year. But computer and network technology changes drastically in those time frames. Wouldn't it be too difficult for government to set policy in an environment that is so speeded-up?
Alan Paller: Good point, but it turns out that the vast majority of vulnerabilities that need to be fixed (well over 90%) are stable. If we can get rid of those we make a huge step forward. And I think you will be surprised at how easy it is to keep the benchmarks and testing systems up to date.
Brian Krebs: You work with and train many people on the front lines of defending the nation's cybersecurity infrastructure. Do you think harsher criminal penalties would serve as an effective deterrent against malicious hackers?
Alan Paller: I think the available penalties are sufficient. What we need is to do a better job of catching the criminals (and the FBI has been wonderful in this regard, but they cannot do it alone), and we need to have judges take a harder line when the criminals are caught.
Brian Krebs: The administration's plan asks a lot from home users, urging them to install and configure firewall software and update their PCs with the latest vendor patches. But these tasks are often more complicated than they sound. Do you think the average user is up to the challenge?
Alan Paller: Although installing firewalls is really easy, sometimes the firewall gets in the way of loading other programs and getting around that problem is a killer for many people. At the same time, patches and updates are easy but demand a discipline on the part of home users that won't be easy to generate. The bottom line is that vendors are going to have to deliver systems that are safe on delivery and that are automatically updated (like AOL does for 35 million people). Sure, very savvy security folks will turn off the automatic updates and have a right to, but the rest of the world would be well served if the vendors and ISPs take responsibility. Moreover, it is far more cost effective for the nation for the vendors and ISPs to have that responsibility.
Mill Valley, Calif.: How much effort is being put into stopping cyberattacks before they happen, as opposed to simply reporting in quickly after the fact?
Alan Paller: That's the key.
To come back to the most important part of the national strategy -- you stop cyber attacks before they happen by eliminating vulnerabilities. You eliminate vulnerabilities by establishing benchmarks for safety and making automated tools available to test systems. And then you use procurement dollars to make sure that systems that are delivered are safe on delivery.
Brian Krebs: That's all the time we've got today. Thank you Alan for your thoughtful and thorough answers. Thanks also to everyone who submitted questions.