New Cybersecurity Center To Warn Law Enforcement Of Critical Infrastructure Attacks

Several businesses and organizations are testing a new process for anonymously sharing cyberthreat and attack data with their peers and government agencies without being subject to law-enforcement audits.

Larry Greenemeier, Contributor

August 24, 2005

5 Min Read

With about 85% of the nation's critical infrastructure--energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services--in the private sector, it's no wonder there have been so many attempts to create services that keep these companies apprised of threats to their IT networks. But there's a problem: Most companies aren't eager to share their adventures in cybersecurity with each other or the government.

Keeping this in mind, several Philadelphia-area businesses and organizations are testing out a new model called the Cyber Incident Detection & Data Analysis Center, or CIDDAC, which lets private-sector entities anonymously share cyberthreat and attack data with their peers and government agencies such as the Homeland Security Department and the FBI without that data being subject to law-enforcement audits.

CIDDAC arose out of the deficiencies in the different organizations already working on cybersecurity, says Brad Rawling, a CIDDAC board member. A major sticking point that has hindered other attempts to create cyberattack-reporting infrastructures is the concern by businesses and other organizations that their proprietary information will be made public. Once information about a company's inner workings and security issues is documented by the government, that proprietary information may become fair game for Freedom Of Information Act requests by the press and public. CIDDAC circumvents this sticky situation because it's not a government entity and it doesn't provide specific information to members or law enforcement about the identity of the organization reporting a cyberattack.

Participation in CIDDAC is voluntary. Since its April debut, the effort has been funded with about $100,000 in contributions from members, as well as $200,000 from the Homeland Security Department's Science and Technology Directorate. CIDDAC is searching for an additional $400,000 in funding to move it from the pilot stage to a point where data can be collected and shared and the program can sustain itself. Membership will cost $10,000 per year and will include one sensor, a year of monitoring service, and access to CIDDAC reports.

CIDDAC's services are expected to be fully functional by the end of the year. The organization is piloting its sensor technology and reporting system at test locations in Philadelphia, southern New Jersey, and North Carolina. The next phase of testing, as CIDDAC receives production models of its network sensors over the next month and a half, will include as many as 10 large companies and institutions that have volunteered to participate and to whom CIDDAC has promised anonymity.

The University of Pennsylvania has donated lab space, E-mail listserv services, and Internet access via its Institute of Strategy Threat Analysis and Response for the CIDDAC's pilot phase, although the initiative may have to look elsewhere for a permanent home.

A company called AdminForce Remote LLC has developed the underlying real-time cyberattack-detection sensor technology that CIDDAC uses to gather information from its members' networks, and AdminForce chairman and CEO Charles Fleming serves as CIDDAC's executive director. Board members include Liberty Bell Bank chief technology officer Brian Schaeffer, Federal Reserve Bank of Philadelphia directory of information security Keith Morales, Air Products and Chemicals Inc. computer crime investigator Lance Hawk, and Kema Inc. senior principal consultant Scott Mix. FBI special agent John Chesson and Homeland Security Department director of privacy technology Peter Sand have served as advisers to the CIDDAC effort.

As envisioned, a CIDDAC member connects AdminForce's sensors within their corporate network. If an intruder attempts to hack or penetrate the system, this intrusion-monitoring device sends a message to law enforcement and to other CIDDAC participants but protects the identity of the reporting entity. CIDDAC's plan is to provide members with trend-analysis information about specific intrusion activity that they can use to assess risks to their own networks.

CIDDAC's arrival is timely. This year's FBI Computer Security Institute computer crime and security survey results, based on the responses of 700 computer security practitioners in U.S. companies, government agencies, financial institutions, medical institutions, and universities, indicates that the percentage of organizations reporting computer intrusions to law enforcement continues to decline. Only 20% of organizations reported cyberattacks to law enforcement, while only 12% reported such attacks to legal counsel. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

FBI Director Robert Mueller has acknowledged this reluctance that organizations have to air their dirty cyber laundry in public, thus hurting their image and giving rivals an edge. Mueller made these comments earlier this month at a conference hosted by InfraGard, an FBI program begun in 1996 in Cleveland as a local effort to gain support from the IT industry and academia for the FBI's cybersecurity investigative efforts. The program expanded nationally through the late 1990s.

At the conference, Mueller likened a malicious command sent over a network to harm a power station's control computer to being as deadly as a backpack full of explosives.

The FBI is expected to receive CIDDAC-generated law-enforcement incident reports when different criminal thresholds are exceeded. Homeland Security is likewise expected to be a consumer of CIDDAC reports. The FBI will use CIDDAC incident reports to initiate preliminary investigations to determine the magnitude of the cyberthreat, Rawling says. Such reports could be used as a basis to justify opening a criminal or intelligence case, for example, but are not expected to be used as evidence to be presented in a court of law. "The FBI must use the tools they have to build a case without revealing the identity of the source," Rawling adds.

CIDDAC is by no means the only organization established to provide business-technology managers with information about cyberthreats. The new effort most closely resembles the SANS Institute's Internet Storm Center, although that service has no direct link with federal law enforcement. CIDDAC also is targeting large companies with similar IT security needs. Internet Storm Center uses the DShield distributed intrusion-detection system technology to collect data from users' intrusion-detection logs and disseminate this information to other users. DShield is a piece of freeware maintained by the SANS Institute. The Internet Storm Center, a free service, lets users submit firewall logs anonymously, but they must register with the SANS Institute to view an archive of firewall logs they submitted to the DShield database in the past 30 days and get confirmation of log submissions.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights