Original URL: https://www.theregister.com/2001/04/25/meet_americas_new_top_cybercop/

Meet America's new top cybercop

New NIPC chief steps away from 'electronic Pearl Harbor' rhetoric

By Kevin Poulsen

Posted in Security, 25th April 2001 18:54 GMT

The new head of the National Infrastructure Protection Center (NIPC) says it takes time to turn FBI agents into a cyber defense team.

"One of the things that gets lost in the translation of where we started and where we are now, is there's a lack of realization that this entity is only three years old," NIPC Director Ronald Dick told us. "And unlike in a lot of organizations....the center was created without a startup period to get people on board and to get operational."

Created by Presidential directive in February 1998, the NIPC was intended to be a multi-agency command center for evaluating, investigating and responding to physical and cyber attacks on the nation's "critical infrastructures," including telecommunications networks, the power grid and financial systems. It was a new role for law enforcement, says Dick.

"The center was created with a priority other than investigations," Dick says. "We had a whole new area in which the FBI, and a lot of our partners, hadn't previously been involved in."

Since then, the NIPC's grown to a staff of approximately 100, and has fostered a broad array of public/private partnerships, including the Electrical Power Indications and Warning System -- a plan to defend the North American power grid from attack -- and two Information Sharing and Analysis Centers (ISACs) that allow carefully screened information on cyber attacks to pass back and forth between the government and the private sector.

But when Dick, a 24-year veteran of the FBI, took the NIPC helm from founding director Michael Vatis last month, he inherited an organization that's been dogged by criticism and controversy almost since inception.

Cooperation problems

The most frequent complaint is that the FBI, which houses and heads the center, doesn't play well with other law enforcement agencies, the intelligence community and the Department of Defense (DoD), all of which were meant to have significant roles in the NIPC. Last year, that criticism compelled a Senate subcommittee to order a General Accounting Office review of NIPC's effectiveness, which is still pending.

"NIPC was meant to be a focal point to coordinate the investigations of various federal law enforcement agencies," said US Senator Charles Grassley (Republican, Iowa), in a statement to a subcommittee in June of last year. "Instead, it has become a cash cow for the FBI to fund its computer crime cases. It's nothing more than a computer crime squad of the FBI. That's not what was ever envisioned."

It was probably to counter such criticism that the new director's second-in-command was picked from the Defense Department, rather than the FBI, and has ties to the intelligence community; Rear Admiral James Plehal is a naval reserve commander and a former National Security Agency (NSA) department head.

"We've added a two-star admiral from DoD as deputy director," said Dick. "He and I are very much in concert with trying to dispel those kinds of perceptions. I don't particularly think those perceptions are true, but perception is reality."

Another perception Dick may have to battle centers on the NIPC's judgment in issuing public advisories. The center sometimes appears to focus on trivial matters -- one recent assessment reported that "intruders" had been spotted abusing an open FTP server to play interactive computer games -- while responding slowly to more important developments, like last year's LoveLetter virus.

"There's not a terrible amount of analysis that's going on," says one security professional, speaking on condition of anonymity. "It's sort of summarizing information that other people publish."

But Dick says any perception that NIPC's advisories are arbitrary or hyped stems from a misunderstanding of the center's criteria.

"The only time that we're going to engage in issuing an assessment or a warning or an alert is where we can add value, where we can add information from law enforcement, or the intelligence community or sanitized information from an ISAC," Dick says. "If we can't provide value added, then I don't feel that it's appropriate for us to engage... For us to speak as often as antivirus companies would detract from our mission."

The NIPC also issues public warnings when a vulnerability is so significant that it would affect national security, says Dick. "Then it's incumbent upon us to add to the volume of the noise so that system administrators will fix it."

Russian attacks

By way of example, Dick points to NIPC's public warning last month that a Russian hacker ring was penetrating e-commerce sites, stealing credit card numbers and extorting financial institutions. The NIPC publicly identified specific vulnerabilities the intruders were exploiting, while adding information about the perpetrators' modus operandi gathered from an FBI investigation. (The FBI recently arrested two Russian men in Seattle on charges apparently related to the NIPC warning.)

"The financial services ISAC was able to identify 1600 attempts on systems that they helped protect right after the announcement," says Dick.

Dick says the Russian case is part of an ongoing devolution in the character of computer intrusions.

"I think that what we're seeing is a movement," Dick says. "The number of intrusions that are coming into the public eyes are not just young hackers... doing it for adventure and notoriety... [Now] greed motivates some intruders. Or reprisal by disgruntled employees... It's a swing that is not unlike what we've seen in other tools to commit crimes."

Of course, the NIPC was formed not just to fight crime, but also to combat cyber terrorism and state-sponsored information warfare -- threats that, despite years of warnings, have not yet materialized. Dick believes the danger is real, though he's seemingly more optimistic than high-profile cyber defense hawks like Rep. Curt Weldon (Republican, Pennsylvania), who frequently claims that an "electronic Pearl Harbor" is unavoidable.

"Hopefully, there will never be a cyber Pearl Harbor, because we've done our job right and people have used appropriate due diligence," said Dick. "We'll see some minor things, but not the catastrophes that have been portrayed in the past."

Meanwhile, America's top cybercop says there's much work to be done in his new post. "Michael [Vatis], I think, did a good job of building the foundation," says Dick. "My role is to finish the rest of the building."

© 2001 SecurityFocus.com, all rights reserved.