Feeds

Meet America's new top cybercop

New NIPC chief steps away from 'electronic Pearl Harbor' rhetoric

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

The new head of the National Infrastructure Protection Center (NIPC) says it takes time to turn FBI agents into a cyber defense team.

"One of the things that gets lost in the translation of where we started and where we are now, is there's a lack of realization that this entity is only three years old," NIPC Director Ronald Dick told us. "And unlike in a lot of organizations....the center was created without a startup period to get people on board and to get operational."

Created by Presidential directive in February 1998, the NIPC was intended to be a multi-agency command center for evaluating, investigating and responding to physical and cyber attacks on the nation's "critical infrastructures," including telecommunications networks, the power grid and financial systems. It was a new role for law enforcement, says Dick.

"The center was created with a priority other than investigations," Dick says. "We had a whole new area in which the FBI, and a lot of our partners, hadn't previously been involved in."

Since then, the NIPC's grown to a staff of approximately 100, and has fostered a broad array of public/private partnerships, including the Electrical Power Indications and Warning System -- a plan to defend the North American power grid from attack -- and two Information Sharing and Analysis Centers (ISACs) that allow carefully screened information on cyber attacks to pass back and forth between the government and the private sector.

But when Dick, a 24-year veteran of the FBI, took the NIPC helm from founding director Michael Vatis last month, he inherited an organization that's been dogged by criticism and controversy almost since inception.

Cooperation problems

The most frequent complaint is that the FBI, which houses and heads the center, doesn't play well with other law enforcement agencies, the intelligence community and the Department of Defense (DoD), all of which were meant to have significant roles in the NIPC. Last year, that criticism compelled a Senate subcommittee to order a General Accounting Office review of NIPC's effectiveness, which is still pending.

"NIPC was meant to be a focal point to coordinate the investigations of various federal law enforcement agencies," said US Senator Charles Grassley (Republican, Iowa), in a statement to a subcommittee in June of last year. "Instead, it has become a cash cow for the FBI to fund its computer crime cases. It's nothing more than a computer crime squad of the FBI. That's not what was ever envisioned."

It was probably to counter such criticism that the new director's second-in-command was picked from the Defense Department, rather than the FBI, and has ties to the intelligence community; Rear Admiral James Plehal is a naval reserve commander and a former National Security Agency (NSA) department head.

"We've added a two-star admiral from DoD as deputy director," said Dick. "He and I are very much in concert with trying to dispel those kinds of perceptions. I don't particularly think those perceptions are true, but perception is reality."

Another perception Dick may have to battle centers on the NIPC's judgment in issuing public advisories. The center sometimes appears to focus on trivial matters -- one recent assessment reported that "intruders" had been spotted abusing an open FTP server to play interactive computer games -- while responding slowly to more important developments, like last year's LoveLetter virus.

"There's not a terrible amount of analysis that's going on," says one security professional, speaking on condition of anonymity. "It's sort of summarizing information that other people publish."

But Dick says any perception that NIPC's advisories are arbitrary or hyped stems from a misunderstanding of the center's criteria.

"The only time that we're going to engage in issuing an assessment or a warning or an alert is where we can add value, where we can add information from law enforcement, or the intelligence community or sanitized information from an ISAC," Dick says. "If we can't provide value added, then I don't feel that it's appropriate for us to engage... For us to speak as often as antivirus companies would detract from our mission."

The NIPC also issues public warnings when a vulnerability is so significant that it would affect national security, says Dick. "Then it's incumbent upon us to add to the volume of the noise so that system administrators will fix it."

Russian attacks

By way of example, Dick points to NIPC's public warning last month that a Russian hacker ring was penetrating e-commerce sites, stealing credit card numbers and extorting financial institutions. The NIPC publicly identified specific vulnerabilities the intruders were exploiting, while adding information about the perpetrators' modus operandi gathered from an FBI investigation. (The FBI recently arrested two Russian men in Seattle on charges apparently related to the NIPC warning.)

"The financial services ISAC was able to identify 1600 attempts on systems that they helped protect right after the announcement," says Dick.

Dick says the Russian case is part of an ongoing devolution in the character of computer intrusions.

"I think that what we're seeing is a movement," Dick says. "The number of intrusions that are coming into the public eyes are not just young hackers... doing it for adventure and notoriety... [Now] greed motivates some intruders. Or reprisal by disgruntled employees... It's a swing that is not unlike what we've seen in other tools to commit crimes."

Of course, the NIPC was formed, not just to fight crime, but also to combat cyber terrorism and state-sponsored information warfare-- threats that despite years of warnings, have not yet materialized. Dick believes the danger is real, though he's seemingly more optimistic than high-profile cyber defense hawks like Rep. Curt Weldon (Republican, Pennsylvania), who frequently claims that an "electronic Pearl Harbor" is unavoidable.

"Hopefully, there will never be a cyber Pearl Harbor, because we've done our job right and people have used appropriate due diligence," said Dick. "We'll see some minor things, but not the catastrophes that have been portrayed in the past."

Meanwhile, America's top cybercop says there's much work to be done in his new post. "Michael [Vatis], I think, did a good job of building the foundation," says Dick. "My role is to finish the rest of the building."

© 2001 SecurityFocus.com, all rights reserved.

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.