[Note: you may post this account or forward it to mailing lists, provided
you pass the account and this notice in its entirety.]

Infosecurity at the White House
Gene Spafford

Prolog

Last week (ca. 2/8/00), a massive distributed denial of service attack was
committed against a number of Internet businesses, including eBay, Yahoo,
Amazon.com, and others. This was accomplished by breaking into hundreds
(thousands?) of poorly-secured machines around the net and installing packet
generation "slave" programs. These programs respond by remote control to
send packets of various types to target hosts on the network. The resulting
flood effectively shut those target systems out of normal operation for
periods ranging up to several hours.

The press jumped all over this as if it was something terribly new (it isn't
-- experienced security researchers have known about this kind of problem
for many years) and awful (it can be, but wasn't as bad as they make it out
to be). One estimate in one news source speculated that over a billion
dollars had been lost in lost revenue, downtime, and preventative measures.
I'm skeptical of that, but it certainly is the case that a significant loss
occurred.

Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science
and Technology Policy) inquiring if I would be available to meet with the
President as part of a special meeting on Internet security. I said "yes." I
was not provided with a list of attendees or an agenda. Initially, I was
told it would be a meeting of security experts, major company CEOs, and some
members of the Security Council, but that was subject to change.

The Meeting

I arrived at the Old Executive Office Building prior to the meeting to talk
with some staff from OSTP. These are the people who have been working on the
Critical Infrastructure issues for some time, along with some in the
National Security Council. They really "get it" about the complexity of the
problem, and about academia's role and needs, and this may be one reason why
this was the first Presidential-level meeting on information security that
included academic faculty.

After a few minutes, I was ushered into Dr. Neal Lane's office where we
spent about 15 minutes talking. (As a scientist and polymath, I think Lane
has one of the more fascinating jobs in the Executive Branch: that of
Assistant to the President for Science and Technology and Director of OSTP.
For instance, on his table he had some great photos of the Eros asteroid
that had been taken the day before.) We then decided to walk over to the
White House (next door) where we joined the other attendees who were waiting
in a lobby area.

Eventually, we were all escorted upstairs to the Cabinet Room. It was a
tight fit, as there were over 30 of us, staff and guests (invitee list at
the end). We then spent a half hour mingling and chatting. There were a lot
of people I didn't know, but that's because normally I don't get to talk to
CEOs. Most notably, there were people present from several CERIAS sponsor
organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, Cisco). I
also (finally!) got to meet Prof. David Farber in person. We've "known" each
other electronically for a long time, but this was our first in-person
meeting.

After a while, some more of the government folk joined the group: Attorney
General Reno; Commerce Secretary Daley; Richard Clarke, the National
Coordinator for Security, Infrastructure Protection and Counter-terrorism;
and others. After some more mingling, I deduced the President was about to
arrive -- several Secret Service agents walked through the room giving
everyone a once-over. Then, without any announcement or fanfare, the
President came into the room along with John Podesta, his chief of staff.

President Clinton worked his way around the room, shaking everyone's hand
and saying "hello." He has a firm handshake. In person, he looks thinner
than I expected, and is not quite as tall as I expected, either.

We all then sat down at assigned places. I had the chair directly opposite
the President. Normally, it is the chair of the Secretary of State. To my
left was Whit Diffie of Sun, and to my right was John Podesta. I was
actually surprised that I had a seat at the table instead of in the
"overflow" seats around the room.

The press was then let into the room. It was quite a mass. The President
made a statement, as did Peter Solvik of Cisco. The press then asked several
questions (including one about oil prices that had nothing to do with the
meeting). Then, they were ushered out and the meeting began.

The President asked a few individuals (Podesta, Daley, Reno, Pethia, Noonan)
to make statements on behalf of a particular segment of industry or
government, and then opened it up for discussion. The next hour went by
pretty quickly. Throughout, the President listened carefully, and seemed
really involved in the discussion. He asked several follow-up questions to
things, and steered the discussion back on course a few times. He followed
the issues quite well, and asked some good follow-up questions.

During the discussion, I made two short comments. The first was about how it
was important that business and government get past using cost as the
primary deciding factor in acquiring computer systems, because quality and
safety were important. I went on to say that it was important to start
holding managers and owners accountable when their systems failed because of
well-known problems. I observed that if the government could set a good
example in these regards, others might well follow.

My second comment was on the fact that everyone was talking about "business
and government" at the meeting but that there were other players, and that
academia in particular could play an important part in this whole situation
in cooperation with everyone else. After all, academia is where much of the
research gets done, and where the next generation of leaders, researchers,
and businesspeople are coming from!

Overall, the bulk of the comments and interchange were reasoned and polite.
I only remember two people making extreme comments (to which the rest of us
gave polite silence or objections); I won't identify the people here, but
neither were CERIAS sponsors :-). One person claimed that we were in a
crisis and more restrictions should be placed on publishing vulnerability
information, and the other was about how the government should fund
"hackers" to do more offensive experimentation to help protect systems. My
summary of the major comments and conclusions is included below.

After considerable discussion, the meeting concluded with Dick Clarke
reminding everyone that the President had submitted a budget to Congress
with a number of new and continuing initiatives in information security and
cybercrime investigation, and it would be up to Congress to provide the
follow-through on these items.

We then broke up the meeting, and the President spent a little more time
shaking hands and talking with people present. Buddy (his dog) somehow got
into the room and "met" several of us, too -- I got head-butted in the side of
my leg as he went by. :-) The official photographer got a picture of the
President shaking my hand again.

The President commented to Vint Cerf how amazed he was that the group had
been so well-behaved --- we listened to each other, no one made long
rambling speeches, and there was very little posturing going on. Apparently,
similar groups from other areas are quite noisy and contentious.

We (the invitees) then went outside where there was a large crowd of the
press. Several of us made short statements, and then broke up into groups
for separate interviews. After that was done, I left and returned home to
teach class on Wednesday.

My interview with the local news station didn't make it on the 6pm news, and
all the print accounts seemed to make a big deal of the fact that "Mudge" was
at the meeting. Oh well, I thought "Spaf" was a way-cool "handle", better
than "Mudge" but it doesn't go over as well with the press for some reason.
I'll have to find some other way to develop a following of groupies. :-)

On Friday, I was back in DC at the White House conference center to
participate in a working session with the PCAST (President's Committee of
Advisors on Science & Technology) to discuss the structure and organization
of the President's proposed Institute for Information Infrastructure
Protection. This will have a projected budget of $50 million per year.
CERIAS is already doing a significant part of what the IIIP is supposed to
address (but at a smaller scale). Thus, we may have a role to play in that
organization, as will (I hope) many of the other established infosec
centers. The outcome of that meeting was that the participants are going to
draft some "strawman" documents on the proposed IIIP organization for
consideration. I am unsure whether this is significant progress or not.

Outcomes

I didn't enter the meeting with any particular expectations. However, I was
pleasantly surprised at the sense of cooperation that permeated the meeting.
I don't think we solved any problems, or even set an agenda of exactly what
to do. There was a clear sense of resistance from the industry participants
to any major changes in regulations or Internet structure. In fact, most of
the companies represented did not send CEOs so that (allegedly) there would
be no one there who could make a solid commitment for their firms should the
President press for some action.

Nonetheless, there were issues discussed, some subsets of those present did
agree to meet and pursue particular courses of action, and we were reminded
about the President's info protection plan. To be fair, this is an area that
has been getting attention from the Executive Branch for several years, so
this whole event shouldn't be seen as a sudden reaction to specific events.
Rather, from the PCCIP on, there has been concern and awareness of the
importance of these issues. This was simply good timing for the President to
again demonstrate his concern, and remind people of the national plan that
was recently released.

I came away from the meeting with the feeling that a small, positive step
had been made. Most importantly, the President had made it clear that
information security is an area of national importance and that it is taken
seriously by him and his administration. By having Dave Farber and myself
there, he had also made a statement to the industry people present that his
administration takes the academic community seriously in this area. (Whether
many of the industry people got that message -- or care -- remains to be
seen.)

I recall that there were about 7 major points made that no one disputed:
1) The Internet is international in scope, and most of the companies present
have international operations. Thus, we must continue to think globally. US
laws and policies won't be enough to address all our problems.
2) Privacy is a big concern for individuals and companies alike. Security
concerns should not result in new rules or mechanisms that result in
significant losses of privacy.
3) Good administration and security hygiene are critical. The problems of
the previous week were caused by many sites (including, allegedly, some
government sites) being compromised because they were not maintained and
monitored. This, more than any perceived weakness in the Internet, led to
the denial of service.
4) There is a great deal of research that yet needs to be done.
5) There are not enough trained personnel to deal with all our security
needs.
6) Government needs to set a good example for everyone else, by using good
security, employing standard security tools, installing patches, and
otherwise practicing good infosec.
7) Rather than new structure or regulation, broadly-based cooperation and
information sharing is the near-term approach best suited to solving these
kinds of problems.

Let's see what happens next. I hope there is good follow-through by some of
the parties in attendance, both within and outside government.

Miscellany

Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list of
near-term actions that sites can implement to help prevent a recurrence of
the DDoS problems. Alan is going to coordinate input from a number of
industry people, and then we will publicize this widely. It isn't an agenda
for research or long-term change, but we believe it can provide a concrete
set of initial steps. This may serve as a good model for future such
collaborative activities.

I was asked by several people if I was nervous. Actually, no. I've been on
national television many times, and I've spoken before crowds of nearly a
thousand people. Actually, *he* should have been nervous -- I have tenure,
and he clearly does not. :-)

The model we have at CERIAS with the partnership of industry and academia is
exactly what is needed right now. Our challenge is to find some ways to
solve our faculty needs and space shortage. In every other way, we're
ideally positioned to continue to make a big difference in the coming years.

Of the 29 invited guests, there was only one woman and one member of a
traditional minority. I wonder how many of the people in the room didn't
even notice?

Attendees

Douglas F. Busch
Vice President of Information Technology, Intel

Clarence Chandran
President, Service Provider & Carrier Group, Nortel Networks

Vinton Cerf
Senior Vice President, Internet Architecture & Engineering, MCI Worldcom

Christos Costakos
Chief Executive Officer, E-Trade Group, Inc.

Jim Dempsey
Senior Staff Counsel, Center for Democracy and Technology

Whitfield Diffie
Corporate Information Officer, Sun Microsystems

Nick Donofrio
Senior Vice President and Group Executive, Technology & Manufacturing, IBM

Dave Farber
University of Pennsylvania

Elliot Gerson
Chief Executive Officer, Lifescape.com

Adam Grosser
President, Subscriber Networks, Excite@home

Stephen Kent
BBN Technologies (GTE)

David Langstaff
Chairman and Chief Executive Officer, Veridian

Michael McConnell
Booz-Allen

Mary Jane McKeever
Senior Vice President, World Markets, AT&T

Roberto Medrano
Senior Vice President, Hewlett Packard

Harris N. Miller
President, Information Technology Association of America (ITAA)

Terry Milholland
Chief Information Officer, EDS

Tom Noonan
Internet Security Systems (ISS)

Ray Oglethorpe
President, AOL Technologies, America Online

Alan Paller
Chairman, SANS Institute

Rich Pethia
CERT/CC, SEI at Carnegie-Mellon University

Geoff Ralston
Vice President for Engineering, Yahoo!

Howard Schmidt
Chief Information Security Officer, Microsoft

Peter Solvik
Chief Information Officer, Cisco Systems

Gene Spafford
CERIAS at Purdue University

David Starr
Chief Information Officer, 3Com

Charles Wang
Chief Executive Officer, Computer Associates International

Maynard Webb
President, Ebay

Peiter Zatko a.k.a. "Mudge"
@stake

--
COMPASS [for the CDC-6000 series] is the
sort of assembler one expects from a corporation
whose president codes in octal. -- J.N. Gray
