[infowar.de] Interviews with NIPC chief Ronald Dick and Stanley Jarocki
This longer interview on the work of the National Infrastructure
Protection Center (NIPC) is very interesting, above all because the
interviewer really knows his subject. It covers the line between
cybercrime and cyberwar, the cyberterror attacks on the USA that have
not yet taken place, the different cultures of the FBI and the
private sector, and more.
At the end there is also a short interview with Stanley Jarocki of the
financial services ISAC (Information Sharing and Analysis Center), who
partly contradicts Dick but apparently also sees an improvement since his
Information Security Magazine
Q&A WITH RONALD DICK
CENTER OF ATTENTION
Career FBI agent Ronald Dick has been given the mission of maturing the
scope and capabilities of the National Infrastructure Protection Center.
INTERVIEWED BY RICHARD THIEME
FBI special agent, investigating violent, white-collar and drug crimes
Supervisor, FBI's Audit Unit of the Inspection Division, Washington,
Coordinator, FBI's Drug, White-Collar Crime and Interstate Theft
Programs for South Carolina
Chief, FBI's Computer/Financial Institution Crimes Unit of the FBI's
Financial Crimes Section, Washington, D.C.
Section chief, FBI's Training, Administration and Outreach Section and
the Computer Investigations and Operations Section, Washington, D.C.
Deputy assistant director of the FBI's National Infrastructure and
Intrusion Program and NIPC director
Q: You recently took over the NIPC directorship from Michael Vatis. I've
heard some people express concern that the NIPC is enmeshed in a tangled
web of competing interests, and that some groups and agencies might not
be totally committed to your success--or to your tenure as director. As
you look out over the landscape, what do you see? What are you up
A: You have to understand where the NIPC came from. We're basically a
startup; we've been in existence for three years. While Presidential
Decision Directive/NSC-63 (PDD-63) defined our missions, goals and
objectives, many in the IT community and the private sector weren't sure
what PDD-63 really meant or what we were really trying to accomplish.
Some people perceived us as a threat to the private sector and the IT
community. A lot of antivirus and consulting companies feared we would
try to become the be-all and end-all for virus information and
consulting. Obviously, we can't do all that, and it was never part of
We've never attempted such a complex effort before. This is the only
place in the government where criminal-intelligence,
counterintelligence, foreign-intelligence and private-sector
information--sometimes proprietary--comes together for strategic
analysis. One of the main reasons the president and attorney general
chose the FBI for this is because it's the only agency with the legal
authority--criminal- and counterintelligence--to work with
Since this had never been done before, both the intelligence community
and the private sector had legitimate concerns about how we were going
to do it. You can talk about how you're going to implement processes and
procedures and information-sharing mechanisms, but the private sector
can't know what's going to happen until you actually do it. At which
point people realize that, no, the NIPC doesn't go public about every
virus or vulnerability. That's the role of the antivirus community and
the IT vendors themselves.
Q: So when do you go public?
A: Unless we can add value to a warning based on the collection of all
that intelligence, we don't speak. The only exception to that is if a
vulnerability is so significant that it threatens the country's national
security or economic well-being; then the volume needs to be turned up
and we'll get the information out on CNN and to systems administrators.
Over time, working together with the CIA, Department of Defense and
other intelligence components, we've worked out what I think is a very
good partnership. We work very closely with the CIA, National Security
Agency (NSA) and other investigative components within the military
branches. We share information freely with them and they do with us.
There were plenty of bumps along the road, but we've been able to smooth
As for the private sector, we've worked very closely with antivirus
companies. When we learn of a virus, we contact vendors through their
trade association, so we can make the binaries available to everyone at
the same time and not give anyone a competitive advantage. We share our
assessments with them and they've grown more comfortable sharing
information with us.
We're in almost daily contact with the major operating-system
manufacturers about vulnerabilities. Again, we're not trying to intrude
into their product lines or business decisions--we're just sharing
information to our mutual benefit.
Q: You've also worked with industry associations through the
information-sharing and analysis centers (ISACs), which pass along
warnings about possible attacks. How does that work?
A: Let me give you an example of how that all comes together. In December
2000, as a result of criminal investigations, we saw a number of
intrusions into various dot-com entities emanating from Russia and
Eastern Europe. We issued an assessment through SANS and talked to other
ISACs, but we didn't raise the volume very much. We tried to get the
information to systems administrators because these intrusions came
through known Microsoft NT vulnerabilities, for which there are patches.
Our intention was to get the word out and minimize, if not eliminate,
those vulnerabilities, so that the subjects of our investigations could
not intrude into more NT systems.
But people weren't listening, and the patches weren't implemented. In
March, we saw a significant spike in the number of intrusions through
these known vulnerabilities. So we went back to the financial services
ISAC, among others, and showed them what we were going to say, the
details of our press release and how we were going to raise the volume.
We raised the volume through various media outlets. Because the
financial services ISAC was prepared, it was able to thwart 1,600
attempted intrusions of its member institutions. That's a good example
of how we use criminal intelligence, counterintelligence and public
information to provide a service to various industries about these
vulnerabilities. That's exactly what the NIPC is all about.
Q: A recent GAO report mentioned that industry groups, like the financial
services ISAC, criticized the NIPC for failing to quickly share warnings
A: Ask them about our relationship with them now. In the beginning, as I
said, there was uncertainty about how we would work with each other, but
ask them about our relationship today (see Banking on Trust).
Q: It sounds as if you have a great deal of confidence about the NIPC's
effectiveness. Would you say that the expectations of these other groups
match your own?
A: If you're asking, do I believe that the missions, goals and objectives
defined under PDD-63 have been placed in the right entity, my answer is
yes. We're the only entity that has the legal authority to do it all. If
you're asking if the NIPC is providing the kind of strategic analysis of
products, and receiving and passing on the volume of analytic
information that it should, the answer is no. We're not.
The GAO report talks about how we have done a pretty good job
investigating intrusions and beginning a grassroots information-sharing
initiative, called InfraGuard. We now have InfraGuard chapters in all
56 FBI field offices with about 1,200 members. We're about to have our
first national congress of these chapters to further solidify our goals
The GAO report doesn't criticize our tactical analysis, from which we've
issued more than 93 warnings, some having to do with vulnerabilities or
acts of hacktivism associated with the Chinese. The GAO gives us credit
for the tactical analysis we've done. The report also says our
relationships with the ISACs have improved. It quotes Alan Paller of
SANS, who said that our response to the intrusions I just mentioned was
extraordinary. Paller praised our detailed description of the threat and
the way we provided good forensics information to systems
We've done more than 1,200 investigations. During the millennium change
and before MafiaBoy, we were able to issue an assessment saying that the
distributed denial-of-service (DDoS) tools Trinoo and TFN (Tribe Flood
Network) were out there. Through SANS, we also provided a tool to
identify and remove DDoS tools, for which we actually won an award. And
we received an award for InfraGuard from Safe America last month in
recognition of our efforts on behalf of Internet security.
So the GAO report had a lot of positive things in it. But it did say--and
it's right--that we're not producing strategic analysis at the level that
we should. It also suggested a reason for this: our dependence on
interagency participation. The NIPC doesn't have adequate resources to
produce those kinds of products. I agree with that, too.
Q: Do you see that changing?
A: Yes, I do. We had a change of national leadership recently and Rear
Admiral James B. Plehal was named the NIPC's deputy director in March.
He's working very closely with the DoD to increase our staffing and get
key people in management positions.
One of our problems has been structure. Basically, we have three
sections. One deals with investigations. Obviously, the FBI has done
investigations for many years and, as the GAO report said, we know how
to do that. Another section deals with training, outreach and policy
issues, and the GAO report complimented us for our ability to train more
than 3,500 federal, state and local law enforcement entities through a
well-defined curriculum. We know how to do training and outreach, as
Where GAO faults us is in the analysis and warning section, particularly
strategic analysis. We've had three leaders in strategic analysis in
three years; it's currently headed by a CIA section chief, and the CIA
has committed to leaving him there for at least two years. The warning
unit, which controls information in and out of the NIPC, was earmarked
for a DoD person. We've only had one unit chief there since we started.
The other unit, analysis and information sharing, is an NSA position.
We've had two different people in the analysis and information-sharing
position, but it's currently vacant and NSA is in the process of filling
Obviously, leadership in information sharing and strategic analysis has
not been, for want of a better term, very stable. You can't run a
railroad with leadership changing every year, as Admiral Plehal and I
identified early on. Am I hopeful that we will correct these things?
Yes, I think we will.
Q: Some of my infosecurity colleagues have been frustrated when they've
tried to work with the NIPC. They find that the FBI culture and the more
informal worlds of information security are often in conflict. But the
efforts you describe will only work if they bridge the boundaries of
different subcultures, including those of corporate America.
A: I agree. Sometimes miscommunications occur not because of maliciousness,
but because in other cultures the words mean something different from
what they mean at the FBI. People misinterpret what you're saying. We've
built a glossary of terms for everyone to go to, to ensure that we're
all on the same page. That's been helpful, but the volume of our work
Q: Companies that have hired gray-hat hackers often use "buffer zone"
people, who move back and forth between subcultures and interpret one
culture to another to ensure cooperation. The FBI is a distinctive
culture. Do you have translators?
A: That's what we're evolving toward. Many people have now stayed at the
NIPC for three years, so the blending of cultures is less of an issue
than it was at the beginning. It obviously affected our ability to
understand the sensitivities of the private sector.
Q: Which is a large concern. Colleagues in competitive intelligence tell me
that large corporations often come to them with intrusions or attacks
because they're afraid to go to government agencies; they're afraid
information will be leaked. What kinds of bridges are you building to
A: There are a number of things we're doing--let's start at the grassroots
level with InfraGuard. InfraGuard's whole intent is to try and
demonstrate to the private sector that information shared with law
enforcement is safe. One reason for the program's success is that system
administrators get to meet law enforcement people on a local level. They
get to know the local FBI or Secret Service agents, and begin to share
information about vulnerabilities. That's growing.
On another level, we're helping InfraGuard members share incident
information with other members. The private sector chooses what
information to share and with whom to share it. Through this process of
incident reporting, the private sector controls the information provided
to direct competitors and other business sectors. Is this at the level
of sharing that we would like? No. But, again, it takes time. They have
to learn that shared information won't come back to harm them, and so
far it hasn't.
Q: So they're testing you and seeing how it turns out.
A: That's right. I don't blame them for that. It can't happen overnight. As
to our growing sensitivity to the needs of the private sector--unless
someone in the private sector says directly to us that it's OK to talk
about an attack, we won't talk about the company. We'll generalize the
attack description so the reporting company is unrecognizable. It does
no one any good for the FBI to be out there reminding people that
certain entities were victims of a DDoS attack. We can make the same
points on television or in a presentation to the public describing the
vulnerability and what we did together with the private sector to solve
Q: How do you awaken a sense of urgency among government agencies and the
private sector short of experiencing an attack?
A: Going back to those intrusions earlier this year, when we did press
statements, we didn't talk about all of the victims--and there were a
lot. Instead, we went to a couple and asked permission to refer the
media to them about the pain they'd sustained, and they agreed to do
that. This is a learning curve for us. Historically, when the FBI has
talked about incidents or issued press releases, we normally talked
about the victims. We don't do that anymore.
Q: So until there's a major security incident that makes clear what's at
stake, people won't get it?
A: I hope that's not entirely the case. I hear about "cyber Pearl Harbors,"
which I hope never occur, if only because of the noise so many of us are
making. I hope the level of awareness is being raised.
There has to be a building of partnerships across cultures. The NIPC,
the ISACs, law enforcement, counterintelligence...these aren't the only
mechanisms by which security is going to be provided. It's truly a
partnership because of the global nature of cybercrime and the lack of
boundaries on the Internet. We need to explore whatever we can do to
facilitate that kind of partnership.
Q: One thing about asymmetric warfare is that the parties play by different
rules. Are you partnering with any transnational organizations to enable
the United States to meet foreign cyberthreats on its own terms?
A: If you mean are we partnering with the Australians or the British or the
Germans or the Japanese, yes. One of the reasons is that it's beneficial
for the NIPC. The FBI has 44 legal attachés assigned to embassies around
the world. The main job of, say, the attaché in the United Kingdom is to
develop a relationship with the various law enforcement and intelligence
communities within that country. Now, when an incident occurs, we don't
send a blind communication; our attaché can talk with the people who can
expedite an investigation.
In investigating the attempted extortion of Michael Bloomberg by two
hackers from Kazakhstan, we got the assistance of U.K. authorities, and
through them got the suspects to reveal themselves. We made an arrest
and the prosecution is pending, so that's as far as I can go with that,
but it's another example of how all the pieces come together.
Q: The word is that you have a conciliatory way of reaching out to and
A: Partnership is the key. Not ownership.
Q: So what do you see in the next few years? What threats are likely to
emerge? The recent trial of four terrorists who plotted the embassy
bombings in Kenya and Tanzania generated thousands of pages of testimony
that detailed a transnational terrorist network. I was surprised how
little coverage it received.
A: I was surprised, too.
Q: It didn't sound like crime--it sounded like warfare. At what point does
this cease to be criminal activity and become warfare? The rules of
warfare are very different from the rules of criminal prosecution.
Wouldn't a worldwide religious war invite a response different from an
act of cybercrime?
A: Absolutely. Let's take your questions one at a time. First, where do I
see the threats of the future? The core of this crime problem deals with
the integrity of information on global networks. Can we provide
integrity for that information? I was involved with creating the first
regional computer-crime squads, and we have seen the problem go from
hacking in whatever forms it existed to hacktivism for political agendas
to computers used just like guns for traditional criminal motives:
greed, revenge, etc.
Luckily, we haven't seen any "cyberterrorism" incidents in the United
States so far, but I think we'll see them in the future as the people
involved in state-sponsored terrorist organizations become familiar with
the technology. We're seeing the technology being used for
state-sponsored espionage. I can't go into details, but it's happening,
and some nations are talking about waging information warfare.
So, in time, we'll see this tool used for the full gamut of criminal,
counterintelligence and foreign-intelligence activity. Our job will be
made much more difficult because of the ability to do these things
anonymously over the Internet. It's a real challenge.
The real solution to the integrity of information in all of our networks
isn't up to law enforcement, the intelligence community or government.
Real integrity comes when it's demanded. The problems will begin to
decrease when the public demands computers that aren't only easy to use,
but are also secure. It's not a function of any one operating
system--they all have vulnerabilities. The government is a large
consumer, too, and can make the same demand in our procurement
Q: You say there haven't been any definite acts of cyberterrorism?
A: Not in this country.
Q: We all hear stories of power outages or the like that may have been
attacks on our infrastructure as demonstration of powers...
A: When I say we have no known cyberterrorism incidents, I don't mean we
haven't had incidents where that could have been the motive. I mean I
don't have the evidence to put that label on it. There's a huge
difference. I'm not going to talk in speculative terms. In some
countries, there has been evidence of that kind of activity; we just
haven't been able to verify it here.
There are many ways that the U.S. government can respond to a security
incident. One is a law enforcement response, where we prosecute criminal
activity. Another is through counterintelligence or foreign-intelligence
activity. Another is a military response, if it's information warfare.
We also can respond diplomatically through the Department of State.
The response will depend on the facts and circumstances of the
incident. One of the NIPC's main missions is to be able to collect
information from the various sources and provide the facts to the
policymakers, so they can determine the appropriate responses.
BANKING ON TRUST
Stanley Jarocki, treasurer and board member of the financial services
ISAC, speaks about his still-evolving relationship with the NIPC.
Q: How is the National Infrastructure Protection Center (NIPC) doing?
What's your experience?
A: Can I take the Fifth? [Laughs]
Our relationship is developing. It's like a courtship. Back in 1999, a
working committee got together to do something by ourselves. That's key
because it allowed us to define our industry and participants so we can
trust each other. The key word is trust. We needed to create a mechanism
for exchanging information in a trusted format with little outside
nudging. Then we could understand what we needed to share in a way that
enabled us to come out with something useful without violating
competitive boundaries. We said that all information would be voluntary
and anonymous, so it could not be attributed to a particular bank, much
like cooperation during Y2K.
Q: Is it that public companies can't risk even rumors of security
vulnerabilities because of potential for negative exposure?
A: Yes. The NIPC at first was very aggressive, which conflicted with the
trust principles of the ISACs. We guaranteed confidentiality when
members provided the ISAC with information. Regardless of the source, we
wanted to get out the information that said technically what was going
The problem with the NIPC is that, for all intents and purposes, it's
the FBI. If it's a criminal case, the FBI will put a jacket around it,
and we can't share data if that's going to happen. If I go to the FBI
with a case, they'll get a grand jury subpoena and grab everything. Once
that happens, I can't see my own data.
Q: The computer security community often criticizes the NIPC for working
that way. It all flows in one direction.
A: Yes, and I want to know what's going to come back. So we courted each
other for a year. With Ron Dick on board, I think we have a different
profile. It's more like our original conversation, which is positive. I
have been lobbying for an exchange of data in a positive sense. I said,
let's pick, say, a dozen concerns--buffer overflows, viruses, hostile IP
addresses--and expand that list, and that's happening.
We can also share the data schema of our databases, so the language we
use across all databases is consistent. That way we mean the same thing
by "incident" or "vulnerability." We'll have the same taxonomy. Then
we'll establish a protocol. If I refuse to allow you to look at my
database, you won't let me look at yours. I have to do it first, because
we need to build trust. We can use these dozen items to get a success
We agreed that all announcements would be simultaneous. Over the past
months, the NIPC has come to us with things like the Microsoft stuff
that affects the financial community. We worked with the NIPC to
publicize those threats in a way that makes sense. That's positive case
number one, and we've had others.
Q: How do you see this relationship evolving? Where will responsibilities
change in order for the NIPC to better align itself with what needs to
be done? How do we balance all of this?
A: We need to get everyone responsible for data in the room, throw out all
politicians and ruling bodies, and tack our schemas on the wall. Then we
can ask, "What can we really share?" We'll have to say, some information
is judicial, or commercial and sensitive, or intelligence, or public
domain, and map it all. We want to share information, but first you have
to do data definitions. Until we accept that, we ain't going anywhere.
Interviewer RICHARD THIEME (rthieme@thiemeworks.com) is a contributing
writer for Information Security. He writes, speaks and consults on the
human dimensions of technology and the workplace.