By Richard Bray
In an ideal world, the first computer user to detect a threat would alert every other user as quickly and completely as possible.
In this world, however, computer users may not even know their systems have been compromised until they learn they have infected other machines.
In this world, even if they know about a threat, some users may not share that information with others, because of concerns about legal liability or loss of reputation.
In this world, even co-operative computer users may not know where or how to report an incident properly.
And in this world, even when incident reports do reach a higher authority, they may not be shared any further – or may be selectively distributed to a small group of affiliated organizations.
Even when they are co-ordinated, Computer Incident Response Teams – or CIRTs – at universities, government departments and corporations around the world too often communicate slowly and ineffectively.
Computer security incidents that crippled the developing Internet in the late 1980s highlighted the drawbacks of isolation and the need for international co-operation. One of the results was FIRST, the Forum of Incident Response and Security Teams, an international organization founded in 1990 by 11 incident response teams to tackle the barriers of language, distance and conflicting standards.
The Internet has of course grown beyond recognition since FIRST was established, to become a key, if not critical, component of business and government in the developed world and a rising hope for education and prosperity everywhere else.
FIRST’s membership has grown along with it, drawing its membership from around the world, but it still does not quickly and efficiently distribute important information about immediate threats to computer networks.
In its defence, FIRST has probably achieved its somewhat limited goals of “fostering co-operation … in the effective prevention, detection and recovery from computer security incidents; providing a means for the communication of alert and advisory information on potential threats and emerging incident situations; facilitating the actions and activities of the FIRST members including research, and operational activities; and facilitating the sharing of security-related information, tools, and techniques.”
However, as the summer of 2003 has proved, computer networks are still being knocked out by malicious code, the problem seems to be getting worse, not better, and many CIRTs are still not communicating with each other.
One specialist, Russ Cooper of TruSecure Corp. says that “there is no concerted, co-ordinated effort to do this type of work.”
“(Government) organizations are largely underfunded, understaffed,” says Cooper. “It is very difficult to keep people because if they are any good there are lots of private sector jobs that pay a lot more. So it is not surprising that we are in the state of affairs that we are.”
As for FIRST, he says, “it is surprising that there hasn’t been a mandate to do more. But it has been around for a very, very long time and despite that it is still more like an old boys’ club than it is an organization of incident response teams.”
Peter Hillier of CGI, who helped set up Canada’s first incident response centre at the Department of National Defence, believes FIRST’s major product is its ability to provide an international forum.
“They’ve been doing a good job for a lot of years, but they do have some challenges to overcome,” Hillier says. “Stop treating it like a listserv, for example. Let’s get into a formal relationship with partner organizations and evolve rather than just status quo, which it has been for many years.”
Chris van Breda, a colleague of Hillier’s at CGI, believes that effective international co-operation on incident response is not only possible but may already be on the way.
“With a very few countries,” he says, “it’s happening now, but they are agreements more between private industry than government.”
“If you are talking about government agreements, you are talking about several years’ lead time. But co-operation between major industries is there now because many companies are already international.”
According to van Breda, the good news is that there will probably be some decisive action within the next two years. The bad news is that “what will drive this again is some other major crisis, the next vulnerability that’s going to take your network down.
“This is going to be the driving force. It always is. There has to be something that stimulates this reaction, and then you move forward another few paces, and then you sit for a while.”
In the federal government, all departments and agencies must report computer incidents to OCIPEP, the Office of Critical Infrastructure Protection and Emergency Planning.
Andrew McAllister, the agency’s director of cyber protection, identifies three sets of constituents for OCIPEP, beginning with federal departments as mandated under the government security policy.
The second group of constituents is domestic, according to McAllister – provinces, municipalities and the private sector. That’s because the infrastructure of the Internet is widely distributed and much of it is in private hands.
McAllister says OCIPEP is trying to develop the models of incident reporting, incident response and recovery, best practices and tools, to enable critical infrastructure owners and operators not only to detect but to respond to incidents to protect their own systems.
“The third set of constituents are international partners,” he says. “This is a global problem. How do we, in our global community, mature and develop the procedures, agreements and frameworks to ensure we all have an acceptable level of cybersecurity?
“I think FIRST is one of many organizations that is helping us mature these models.”
At this point, McAllister says, there is no globally accepted and followed standard of how to move incident information around.
“The obstacles lie primarily in different legal and policy frameworks in different countries, provinces and states,” he says. “The issue here is that of information, and the problems can be broken down into three distinct points: How do you properly acquire the information, how do you properly protect it and how do you disseminate it to the right entities?”
Reporting templates and forms will be important, he concedes, “but I think the bigger issue here is creating the policy and legal framework in which those in the cyberprotection community can share information with each other for the benefit of the community as a whole.”
Officials are already attempting to automate incident reporting and relieve reporting organizations of their possible legal liability. The Cyber Security Information Sharing Project, now under development, would automatically and anonymously gather incidents from computer networks. Because it’s proved impossible to get information from some organizations, a successful demonstration could go a long way to building an international reporting system.
Back at CGI, Chris van Breda points out today’s limitations to widespread and immediate reporting.
“For example, the Cisco vulnerability: How would you find out about that unless Cisco notifies you? They notified their prime customers first . . . but they didn’t let the world know until the Friday night. In the meantime government organizations, Bell and everyone else was warned, had the patch and were ready to use it. But for the rest of the community …”
As Peter Hillier phrased it: “You have to have the initiative to go out and look for the information.”
Meanwhile, there has been a “balkanization” of incident reporting. In some cases, FIRST members have negotiated successful sharing agreements, but they are often based on personal trust.
In the United States, Information Sharing Assurance Centers or ISACS serve the various segments of critical infrastructure. According to Hillier, “financial institutions have one, oil and gas has one, the hydro and IT segments have theirs and because of the proprietary nature of the information that they all work within, they have a little bit more confidence in ensuring that information for themselves.
“They don’t want to share their information with the government, whatever government that might be, because of Access To Information regulations that would basically allow people to receive that information for a $5 cheque and a form.”
In Canada, he added, “a lot of the provinces are still getting their heads wrapped around what they are going to do internally with regard to intrusion detection and managed security services, or information protection as a whole. It’s money-driven, it’s budget-driven as well for some of those provinces.”
Today, FIRST is the only international group in a position to take the lead. As Chris van Breda said, “FIRST has recognized it is at a crux, where it has to go to become a viable organization. It either stagnates or it has to move. . . .”
Richard Bray ( email@example.com) is an Ottawa-based writer specializing in high technology issues.