U.S. government adds powerful weapon to federal computer security arsenal

Signal, Dec 1998 by Silver, Judy

A federal agency has launched a proactive program aimed at preventing, detecting, handling and recovering from computer security attacks on government databases. The federal computer incident response capability, or FedCIRC, managed in partnership by the General Services Administration, focuses on cross-agency information sharing so that organizations can benefit from each other's experiences.

More than 400 incidents of breached computer security occurred in Fiscal Year 1998 alone, ranging from computer viruses to denial of service by overwhelming servers with phony messages. According to reports published earlier this year, 57 percent of federal government security managers reported unauthorized system use in 1997. And, many more incidents go unreported.

The General Services Administration's (GSA's) office of information security manages the FedCIRC partnership between federal civilian agencies, the Department of Defense, law enforcement organizations and academia. At its operational core is Carnegie Mellon University's Software Engineering Institute Computer Emergency Response Team Coordination Center in Pittsburgh, Pennsylvania.

FedCIRC fosters cooperation by encouraging incident reporting. "By tracking incidents and matching modus operandi, team members can help protect other agencies from similar attacks," according to Judy Spencer, GSA's director of government-wide security and FedCIRC's program manager. "Awareness among the agencies differs," she continues. "Some are fully cognizant of the threat and are taking steps to protect themselves, while others may not realize the full extent of their vulnerability. If the agency has a web site, it has a need to protect itself."

Now, under Presidential Decision Directive 63 that came out in May, federal agencies are directed to ensure they are protecting their critical infrastructures, including information systems capability.

FedCIRC provides baseline services such as a hotline for incident reporting and technical advice. The center also facilitates communications between law enforcement agencies and sites. When an incident occurs, a representative, usually the system administrator, calls FedCIRC. Together they conduct a telephone triage to assess the situation. "Every incident is unique unto itself," states Kathy T. Fithen, the Software Engineering Institute's FedCIRC operation manager, "but the first step is to help the agency understand what has occurred. Often all they know is that their system has crashed."

At this point, FedCIRC provides technical advice, such as how to recover files, rebuild the system or install patches to protect against future assaults. "We may instruct the agency on how to invoke the logging function, which shows where someone is coming from, helping us to track the attack," Fithen explains. "We also try to find out what files were opened, so we know what the intruder was looking at."

The next step involves alerting other agencies. The team sends urgent advisories via electronic (e)-mail to subscribers. On-line information about technical documents or guidelines on configuring networks and firewalls is available at http://www.fedcirc.gov. Agencies are responsible for implementing recommendations. Courses on intrusion and incident response will be available on the web as well.

Spencer explains that, "One of the most valuable lessons is the importance of bringing all agencies in as part of the process, so they become aware and fully understand the risks and what they can do to prevent them and deal with them." She is calling for a more collaborative relationship between the agencies and FedCIRC, stating that, "Under the pilot, there was not an emphasis on organizations passing information up. There were incidences where the webmaster caught a potential intrusion, blocked it from happening and didn't bother to report it."

Some program improvements were made. The pilot program offered different levels of services on a subscription basis. "Although the core services were very successful, many agencies didn't reply to this service, perhaps because of the hefty price tag," notes Spencer, adding that FedCIRC has gone to a just-in-time approach with fee-based services that agencies might need in the future. Soon, agencies will be able to purchase information security products and services as needed under a GSA contract. Some services will charge hourly rates, while other service fees will be project-based.

To further assist federal agencies in protecting computer networks, NIST is preparing a special publication, "How to Set Up An Incidence Response Capability." According to Mariann Swanson, former FedCIRC manager in NIST's Security Division, "A lot of agencies need to be brought up to speed. This guide will help them in using existing resources." Swanson is now a member of the transition team assisting GSA.

Copyright Armed Forces Communications and Electronics Association Dec 1998
Provided by ProQuest Information and Learning Company. All rights Reserved
 
