
[wg-c] FW: Infosecurity @ White House



FWIW: MHSC has been maintaining for years that there are security aspects to
domain names and TLDs. But, most of you have heard my views by now.

This is something I thought might be pertinent.

> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Shattered
> Promotions
> Sent: Wednesday, February 23, 2000 10:05 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Infosecurity @ White House
>
>
> [Note: you may post this account or forward it to mailing lists, provided
> you pass the account and this notice in its entirety.]
>
> Infosecurity at the White House
> Gene Spafford
>
> Prolog
>
> Last week (ca. 2/8/00), a massive distributed denial of service attack was
> committed against a number of Internet businesses, including e-Bay, Yahoo,
> Amazon.com, and others. This was accomplished by breaking into hundreds
> (thousands?) of poorly-secured machines around the net and installing
> packet generation "slave" programs. These programs respond by remote
> control to send packets of various types to target hosts on the network.
> The resulting flood effectively shut those target systems out of normal
> operation for periods ranging up to several hours.
>
> The press jumped all over this as if it was something terribly new (it
> isn't -- experienced security researchers have known about this kind of
> problem for many years) and awful (it can be, but wasn't as bad as they
> make it out to be). One estimate in one news source speculated that over a
> billion dollars had been lost in lost revenue, downtime, and preventative
> measures. I'm skeptical of that, but it certainly is the case that a
> significant loss occurred.
>
> Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science
> and Technology Policy) inquiring if I would be available to meet with the
> President as part of a special meeting on Internet security. I said "yes."
> I was not provided with a list of attendees or an agenda. Initially, I was
> told it would be a meeting of security experts, major company CEOs, and
> some members of the Security Council, but that was subject to change.
>
> The Meeting
>
> I arrived at the Old Executive Office Building prior to the meeting to talk
> with some staff from OSTP. These are the people who have been working on
> the Critical Infrastructure issues for some time, along with some in the
> National Security Council. They really "get it" about the complexity of
> the problem, and about academia's role and needs, and this may be one
> reason why this was the first Presidential-level meeting on information
> security that included academic faculty.
>
> After a few minutes, I was ushered into Dr. Neal Lane's office where we
> spent about 15 minutes talking. (As a scientist and polymath, I think Lane
> has one of the more fascinating jobs in the Executive Branch: that of
> Assistant to the President for Science and Technology and Director of OSTP.
> For instance, on his table he had some great photos of the Eros asteroid
> that had been taken the day before.) We then decided to walk over to the
> White House (next door) where we joined the other attendees who were
> waiting in a lobby area.
>
> Eventually, we were all escorted upstairs to the Cabinet Room. It was a
> tight fit, as there were over 30 of us, staff and guests (invitee list at
> the end). We then spent a half hour mingling and chatting. There were a lot
> of people I didn't know, but that's because normally I don't get to talk
> to CEOs. Most notably, there were people present from several CERIAS
> sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel,
> Cisco). I also (finally!) got to meet Prof. David Farber in person. We've
> "known" each other electronically for a long time, but this was our first
> in-person meeting.
>
> After a while, some more of the government folk joined the group: Attorney
> General Reno; Commerce Secretary Daley; Richard Clarke, the National
> Coordinator for Security, Infrastructure Protection and Counter-terrorism;
> and others. After some more mingling, I deduced the President was about to
> arrive -- several Secret Service agents walked through the room giving
> everyone a once-over. Then, without any announcement or fanfare, the
> President came into the room along with John Podesta, his chief of staff.
>
> President Clinton worked his way around the room, shaking everyone's hand
> and saying "hello." He has a firm handshake. In person, he looks thinner
> than I expected, and is not quite as tall as I expected, either.
>
> We all then sat down at assigned places. I had the chair directly opposite
> the President. Normally, it is the chair of the Secretary of State. To my
> left was Whit Diffie of Sun, and to my right was John Podesta. I was
> actually surprised that I had a seat at the table instead of in the
> "overflow" seats around the room.
>
> The press was then let into the room. It was quite a mass. The President
> made a statement, as did Peter Solvik of Cisco. The press then asked
> several questions (including one about oil prices that had nothing to do
> with the meeting). Then, they were ushered out and the meeting began.
>
> The President asked a few individuals (Podesta, Daley, Reno, Pethia,
> Noonan) to make statements on behalf of a particular segment of industry or
> government, and then opened it up for discussion. The next hour went by
> pretty quickly. Throughout, the President listened carefully, and seemed
> really involved in the discussion. He asked several follow-up questions to
> things, and steered the discussion back on course a few times. He followed
> the issues quite well, and asked some good follow-up questions.
>
> During the discussion, I made two short comments. The first was about how
> it was important that business and government get past using cost as the
> primary deciding factor in acquiring computer systems, because quality and
> safety were important. I went on to say that it was important to start
> holding managers and owners accountable when their systems failed because
> of well-known problems. I observed that if the government could set a good
> example in these regards, others might well follow.
>
> My second comment was on the fact that everyone was talking about "business
> and government" at the meeting but that there were other players, and that
> academia in particular could play an important part in this whole situation
> in cooperation with everyone else. After all, academia is where much of the
> research gets done, and where the next generation of leaders, researchers,
> and businesspeople are coming from!
>
> Overall, the bulk of the comments and interchange were reasoned and polite.
> I only remember two people making extreme comments (to which the rest of us
> gave polite silence or objections); I won't identify the people here, but
> neither were CERIAS sponsors :-). One person claimed that we were in a
> crisis and more restrictions should be placed on publishing vulnerability
> information, and the other was about how the government should fund
> "hackers" to do more offensive experimentation to help protect systems. My
> summary of the major comments and conclusions is included below.
>
> After considerable discussion, the meeting concluded with Dick Clarke
> reminding everyone that the President had submitted a budget to Congress
> with a number of new and continuing initiatives in information security and
> cybercrime investigation, and it would be up to Congress to provide the
> follow-through on these items.
>
> We then broke up the meeting, and the President spent a little more time
> shaking hands and talking with people present. Buddy (his dog) somehow got
> into the room and "met" several of us, too -- I got head-butted in the side
> of my leg as he went by. :-) The official photographer got a picture of the
> President shaking my hand again.
>
> The President commented to Vint Cerf how amazed he was that the group had
> been so well-behaved --- we listened to each other, no one made long
> rambling speeches, and there was very little posturing going on.
> Apparently, similar groups from other areas are quite noisy and contentious.
>
> We (the invitees) then went outside where there was a large crowd of the
> press. Several of us made short statements, and then broke up into groups
> for separate interviews. After that was done, I left and returned home to
> teach class on Wednesday.
>
> My interview with the local news station didn't make it on the 6pm news,
> and all the print accounts seemed to make a big deal of the fact that
> "Mudge" was at the meeting. Oh well, I thought "Spaf" was a way-cool
> "handle", better than "Mudge" but it doesn't go over as well with the press
> for some reason. I'll have to find some other way to develop a following of
> groupies. :-)
>
> On Friday, I was back in DC at the White House conference center to
> participate in a working session with the PCAST (President's Committee of
> Advisors on Science & Technology) to discuss the structure and organization
> of the President's proposed Institute for Information Infrastructure
> Protection. This will have a projected budget of $50 million per year.
> CERIAS is already doing a significant part of what the IIIP is supposed to
> address (but at a smaller scale). Thus, we may have a role to play in that
> organization, as will (I hope) many of the other established infosec
> centers. The outcome of that meeting was that the participants are going to
> draft some "strawman" documents on the proposed IIIP organization for
> consideration. I am unsure whether this is significant progress or not.
>
> Outcomes
>
> I didn't enter the meeting with any particular expectations. However, I was
> pleasantly surprised at the sense of cooperation that permeated the
> meeting. I don't think we solved any problems, or even set an agenda of
> exactly what to do. There was a clear sense of resistance from the industry
> participants to any major changes in regulations or Internet structure. In
> fact, most of the companies represented did not send CEOs so that
> (allegedly) there would be no one there who could make a solid commitment
> for their firms should the President press for some action.
>
> Nonetheless, there were issues discussed, some subsets of those present did
> agree to meet and pursue particular courses of action, and we were reminded
> about the President's info protection plan. To be fair, this is an area
> that has been getting attention from the Executive Branch for several
> years, so this whole event shouldn't be seen as a sudden reaction to
> specific events. Rather, from the PCCIP on, there has been concern and
> awareness of the importance of these issues. This was simply good timing
> for the President to again demonstrate his concern, and remind people of
> the national plan that was recently released.
>
> I came away from the meeting with the feeling that a small, positive step
> had been made. Most importantly, the President had made it clear that
> information security is an area of national importance and that it is taken
> seriously by him and his administration. By having Dave Farber and myself
> there, he had also made a statement to the industry people present that his
> administration takes the academic community seriously in this area.
> (Whether many of the industry people got that message -- or care -- remains
> to be seen.)
>
> I recall that there were about 7 major points made that no one disputed:
> 1) The Internet is international in scope, and most of the companies
> present have international operations. Thus, we must continue to think
> globally. US laws and policies won't be enough to address all our problems.
> 2) Privacy is a big concern for individuals and companies alike. Security
> concerns should not result in new rules or mechanisms that result in
> significant losses of privacy.
> 3) Good administration and security hygiene are critical. The problems of
> the previous week were caused by many sites (including, allegedly, some
> government sites) being compromised because they were not maintained and
> monitored. This, more than any perceived weakness in the Internet, led to
> the denial of service.
> 4) There is a great deal of research that yet needs to be done.
> 5) There are not enough trained personnel to deal with all our security
> needs.
> 6) Government needs to set a good example for everyone else, by using good
> security, employing standard security tools, installing patches, and
> otherwise practicing good infosec.
> 7) Rather than new structure or regulation, broadly-based cooperation and
> information sharing is the near-term approach best suited to solving these
> kinds of problems.
>
> Let's see what happens next. I hope there is good follow-through by some of
> the parties in attendance, both within and outside government.
>
> Miscellany
>
> Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list
> of near-term actions that sites can implement to help prevent a recurrence
> of the DDOS problems. Alan is going to coordinate input from a number of
> industry people, and then we will publicize this widely. It isn't an agenda
> for research or long-term change, but we believe it can provide a concrete
> set of initial steps. This may serve as a good model for future such
> collaborative activities.
>
> I was asked by several people if I was nervous. Actually, no. I've been on
> national television many times, and I've spoken before crowds of nearly a
> thousand people. Actually, *he* should have been nervous -- I have tenure,
> and he clearly does not. :-)
>
> The model we have at CERIAS with the partnership of industry and academia
> is exactly what is needed right now. Our challenge is to find some ways to
> solve our faculty needs and space shortage. In every other way, we're
> ideally positioned to continue to make a big difference in the coming
> years.
>
> Of the 29 invited guests, there was only one woman and one member of a
> traditional minority. I wonder how many of the people in the room didn't
> even notice?
>
> Attendees
>
> Douglas F. Busch
> Vice President of Information Technology, Intel
>
> Clarence Chandran
> President, Service Provider & Carrier Group, Nortel Networks
>
> Vinton Cerf
> Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom
>
> Christos Costakos
> Chief Executive Officer, E-Trade Group, Inc.
>
> Jim Dempsey
> Senior Staff Counsel, Center for Democracy and Technology
>
> Whitfield Diffie
> Corporate Information Officer, Sun Microsystems
>
> Nick Donofrio
> Senior Vice President and Group Executive, Technology & Manufacturing, IBM
>
> Dave Farber
> University of Pennsylvania
>
> Elliot Gerson
> Chief Executive Officer, Lifescape.com
>
> Adam Grosser
> President, Subscriber Networks, Excite@home
>
> Stephen Kent
> BBN Technologies (GTE)
>
> David Langstaff
> Chairman and Chief Executive Officer, Veridian
>
> Michael McConnell
> Booz-Allen
>
> Mary Jane McKeever
> Senior Vice President, World Markets, AT&T
>
> Roberto Medrano
> Senior Vice President, Hewlett Packard
>
> Harris N. Miller
> President, Information Technology Association of America (ITAA)
>
> Terry Milholland
> Chief Information Officer, EDS
>
> Tom Noonan
> Internet Security Systems (ISS)
>
> Ray Oglethorpe
> President, AOL Technologies, America Online
>
> Alan Paller
> Chairman, SANS Institute
>
> Rich Pethia
> CERT/CC, SEI at Carnegie-Mellon University
>
> Geoff Ralston
> Vice President for Engineering, Yahoo!
>
> Howard Schmidt
> Chief Information Security Officer, Microsoft
>
> Peter Solvik
> Chief Information Officer, Cisco Systems
>
> Gene Spafford
> CERIAS at Purdue University
>
> David Starr
> Chief Information Officer, 3Com
>
> Charles Wang
> Chief Executive Officer, Computer Associates International
>
> Maynard Webb
> President, Ebay
>
> Peiter Zatko a.k.a. "Mudge"
> @stake
>
> --
> COMPASS [for the CDC-6000 series] is the
> sort of assembler one expects from a corporation
> whose president codes in octal. -- J.N. Gray
>