NSTAC XXV Meeting - March 2002
Looking
at Vulnerability Issues in Addressing Cyber Security.
Remarks by Richard Clarke, Special
Advisor to the President for Cyberspace Security, before the Business
Session of the President’s National Security Telecommunications
Advisory Committee (NSTAC), Washington, D.C., March 13, 2002.
Thank you. I'd like to first of all thank the NSTAC
for the advice they've already given us on the development of the
National Strategy to protect cyberspace.
The events of September 11th have changed somewhat
the way we look at that strategy and the way we look at threats.
And so it may be appropriate for the NSTAC to look again at the
National Strategy before it's published.
The shift, I think, in the way we look at threats
is important, and I think back to the aviation industry -- not to
say that the telecom industry is the same in any way -- but I look
at the aviation industry, and it examined in 1997 security -- there
was a Presidential Commission and it examined aviation security.
And everybody knew there were aviation security vulnerabilities.
Government knew it. Industry knew it -- maybe not the CEOs [Chief
Executive Officers], but people below them certainly knew it. And
the Government and the industry chose in that Presidential review
to say, "We're really not going to do much about it" because
it would have been hard. It would have been expensive. It would
have been inconvenient. We would have had to decide the roles and
missions, the burden-sharing between the Government and the industry,
who was going to pay for what, and the customers wouldn't have liked
it.
And so they said, "yeah, there are some vulnerabilities,"
but they persuaded themselves not to do anything about it by saying,
"We have no specific intelligence that anyone is going to exploit
those vulnerabilities". We can't do that in this industry.
After September 11th, we can no longer say, "We know about
vulnerabilities, maybe not at the CEO level, but further down the
chain, and we're not going to go down that chain to find out what
the vulnerabilities are because it might be expensive, or it might
be troublesome, or it's not on our agenda". We can't say anymore
that we're only going to respond when we get intelligence saying
there's going to be an attack, or saying that someone is going to
use the vulnerability.
When Howard [Howard Schmidt, Vice Chair of the President’s
Critical Infrastructure Protection Board] and I briefed the President
on the ASN.1 [Abstract Syntax Notation. One] vulnerability, he said
to us, "Don't wait for somebody to tell you that there's intelligence,
or that there's a hacker group out there about to exploit the vulnerability
because it will be too late then to fix it".
We have to do a little paradigm shift here and look
not at the threats, but at the vulnerabilities because so many of
these vulnerabilities that do exist will take a very long time to
fix, and if we wait until we get intelligence that says somebody
is going to do it -- Al Qaeda this time, or some entirely different
kind of threat the next time, maybe it's China, maybe it's a group
of Americans who are disturbed for some reason -- we can't worry
about who it is going to be or what they are going to look like,
we need to worry about what the vulnerabilities are, rank-order
them in terms of severity, and start figuring out how we're going
to do the burden-sharing to fix it. That's the new way that we look
at the National Strategy which we are developing.
The National Strategy -- we hope to be done in July.
It will be done at the same time as the National Strategy for Homeland
Security. It will be totally coordinated with that, but this National
Strategy to Secure Cyberspace will look at the virtual, logical
and physical security of telecoms, the Internet, and the critical
infrastructures that are supported by them.
We've already gone out to about 800 people around
the country and asked them, "When you read this strategy, what
questions do you want to have answered?" And we received back
237 questions.
We have boiled those questions down. They are in this
supplement, which you have, which the Washington Post Company was
nice enough to publish. Some of you have ads in it. I thank you
for those of you who paid for the ads.
To the extent that those questions involve telecommunications
companies and IT [information technology] companies, I'd like you
to take a look at them through the IES [NSTAC’s Industry Executive
Subcommittee]. If you haven't already addressed them, take a look
at them and see if there are additional pieces of advice you want
to give us as we go forward with this strategy.
We have town meetings in the May-June time frame --
Denver, Portland, Atlanta, and a few other cities. The goal of having
a national strategy is not to have a piece of paper, it's to have
a work program that constantly changes and constantly updates, online,
in real-time. As we know that the vulnerabilities are fixed, as
we learn about new kinds of vulnerabilities, as the technology changes,
or -- and this will be unique for Government -- when we find out
that the policy isn't working, we change it.
Some of the things I want to bring to your attention
-- and Dan [NSTAC Chair Daniel P. Burnham, Chairman, President and
Chief Executive Officer of Raytheon Company] said earlier we want
to focus on a few issues for the NSTAC to look at in the future
-- I want to nominate a few issues here that we're looking at in
the National Strategy.
We've stopped thinking about how do we protect individual
enterprises because a major national attack is not going to go after
one company, it's going to go after the thing that all companies
use and depend on -- the Internet itself. And the Internet itself
was designed, like the ASN.1 vulnerability, by the Internet Engineering
Task Force [IETF], not by a Government agency, not by a company,
and they are still the people who are running it. And oddly enough,
the Internet Engineering Task Force doesn't work in Internet time.
It takes them a long time to agree on changing things.
And there's a disconnect between the sort of informal
non-Government body and your companies on the one hand, and the
Government on the other hand. So there are vulnerabilities in the
very mechanisms of the Internet. The Domain Name Servers, the Border
Gateway Protocols [BGPs], the things that make the Internet work
are not secure. They could be hit by a denial of service attack,
as we talked about last year. They could be hit by a corruption
of the look-up tables, the address space, very easy to do.
The Defense Department has funded research, and that
research has created a secure Domain Name Service, a secure BGP,
but they are not being deployed. They are going to be difficult.
They are going to be cumbersome. There are going to be issues about
who pays for it and what is the burden sharing. But one of the reasons
they are not being deployed is there is no corporate leadership
saying that they need to be deployed. So I want to nominate that
as an issue for you to think about.
One of the reasons that one packet from an ASN.1 message
can crash a router is that the routers can be addressed
by anyone in the world. Every router that's connected to a network
that's connected to the Internet can be addressed by somebody in
Beijing or Bulgaria or Baltimore. They all have IP [Internet Protocol]
addresses. The management plane for routers is in-band. What does
that mean in English? It means you can get online in Beijing and
send one packet down and crash the router at BellSouth -- not to
pick on you [reference to F. Duane Ackerman, Chairman, President
and CEO of BellSouth, who is an NSTAC Principal and in attendance].
That's not true with SS7 [Signaling System 7]. With
SS7, we had enough sense to design it so that the management plane
cannot be addressed by picking up the telephone at the local phone
booth. For routers, it's about like anybody being able to walk into
a phone booth and take over the SS7 switch because routers can have
their management plane addressed anywhere in the world, and you
can hit them with a denial-of-service attack, you can knock off
a router with two or three laptops doing a denial-of-service attack
or, as we've just discovered because we did it with one packet from
an SNMP protocol, we crashed routers.
So another issue I'd like you to think about as one
of your agenda items going forward is to look at security of routers.
But the overall issue here is the architecture of the Internet,
the infrastructure of the Internet, thinking about securing it.
It's the tragedy of the commons -- who owns the Internet? Whose
job is it to secure it?
I'm going to run through these and then ask for comments
because I know you've got something to say on this.
What about ISPs? Many of you own and operate ISPs.
What is the ISPs' role in doing security? We don't want to regulate
ISPs, we make that very clear. I'll say that again loudly -- we
do not want to regulate ISPs. Everybody believe me!
But having said that, maybe we need a voluntary Code
of Good Conduct like the broadcasters have. Maybe ISPs ought to
offer, maybe for an additional fee, to do remote security for home
users -- firewalls, anti-virus, patching -- because remote users,
particularly home users now that have DSL [digital subscriber line]
lines and cable modems and have static IP addresses, are being hacked
and being used as Zombies for denial-of-service attacks.
Most ISPs around the country do nothing about spoofed
IP addresses, which is the way that most attacks occur. And you
could do a lot relatively easily and relatively cheaply about spoofed
IP addresses, but that's generally not being done.
We talked over a year ago in this group about denial-of-service
attacks, but very few people have deployed the new hardware and
the new software that some startup companies have created to deal
with denial-of-service attacks.
One of the reasons denial-of-service attacks are hard
to deal with is that ISPs, some of them, don't cooperate with each
other. They simply take the denial-of-service attack and say, "It's
big, but it's not so big it's going to crash our system, we've got
lots of capacity", and they pass that denial-of-service attack
on to the next customer.
There is no organized, formal, systematic way for
ISPs to cooperate with each other. There are no rules among them
in any formal way. If your NOC [network operations center] gets
called at 2 o'clock in the morning by another NOC, and they say,
"Can you help us with this?" Can you trace back? It's
all ad hoc. Sometimes it works, sometimes it doesn't. Frequently,
it doesn't.
Craig Mundie [Microsoft Corporation Senior Vice President
and Chief Technical Officer, Advanced Strategies and Policy] talked
a little while ago, maybe we need some sort of network to do this
kind of thing. We are going to offer this year to install that network
in your NOC, in NOCs not only for telephone companies and ISPs,
but for other IT companies that have a unique role in the industry,
so that when there is an attack we can get the right people talking
to each other quickly, out-of-band, and eventually securely.
When we had the Code Red attack, NSA [National Security
Agency], Microsoft, Cisco [Systems], lots of companies around the
country, VeriSign, Symantec, Network Associates, all got on a conference
call with us, and everybody pooled their information, and we were
able, by doing that, to figure out at 4 o'clock in the afternoon
that the Code Red attack was going to be a massive denial-of-service
attack, tens of thousands of computers all zipping out their messages
to one site.
I asked on the conference call, "What's that
one site?" And they said, "It's you", it's the White
House. And I said, "When is that going to happen?" And
they said, "Four hours from now".
We were able, during those four hours, to contact
the Tier 1 ISPs, to call the NOCs and say, "Hi, I'm from the
White House. I'd like you to block all traffic at the edge of the
Internet that's going to the White House". Now, you might want
to try that sometime. Call your NOC and say, "Hi, I'm from
the White House, I want you to block all traffic going to the White
House". The answer typically is, "Yeah, sure you are,
fellow".
We were able, during the course of those four hours,
to get all the Tier 1 ISPs to agree to block all traffic at the
edge-routers going to the White House, so that at 8 o'clock, when
that massive tsunami denial-of-service attack would have come down
the Internet and knocked routers off as it went, 8 o'clock came,
nothing happened because we were able to get your cooperation. But
it was too ad hoc.
And so we'd like to create this -- CWIN [Computer
Warning Information Network] would like to have some understanding
about sharing information and best practices in a Code of Good Conduct.
Joe [NSTAC Vice Chairman Joseph P. Nacchio, Chairman
and CEO of Qwest Communications] talked with Senator [Robert] Bennett
at breakfast about physical security of Points of Peering and Telecoms
Hotels. As most of you know, Verizon came very close to losing a
major Point of Peering and Telecoms Hotel on September 11th. We
need to know what the effect would be of losing some of the key
ones.
There were 19 people involved in that attack on September
11th, 19 people perfectly coordinated all across the country. What
if 19 people perfectly coordinated all across the country went after
half a dozen sites like 1 Wiltshire Boulevard [in Los Angeles].
What's the effect? We don't know. You may know. You may not know.
But we need to know and we need to either increase security there
at those sites, or increase redundancy, or both.
I'm told, for example, that although TransAtlantic
Fiber lands at about 10 different places in Massachusetts, Rhode
Island, Long Island and New Jersey that, after having landed, it
all goes to one of two facilities -- 60 Hudson Street or 111 Eighth
Avenue in Lower Manhattan. If that's true, that would seem to be
a problem.
And what is the role of Government in the burden sharing,
the cost sharing of increasing the diversification of routing? But
I suspect this statement, which I am told is true, is true, that
if you blew up 60 Hudson Street and 111 Eighth Avenue, we could
not communicate via fiber optic with Europe.
In the wake of September 11th, that's not a circumstance
we can continue, if it's true. And it's not just Telecoms Hotels,
it's also Points of Peering for the Internet. Originally, as you
all know, the points of peering were concentrated in the MAEs --
MAE-East, MAE-West -- and at one point MAE-East here in Tysons Corner
had about 80 percent of the Internet traffic going through it, and
I used to joke with people that it was guarded by one old guy with
a .38 that didn't have any bullets in it, but it had security because
it was above a steakhouse and nobody really knew it was there.
What happened after those original years of the Internet
is that you all began doing bilateral peering and pulling out of
the MAE system. But now there is a trend to go back in that direction.
One company that has established Internet business
exchanges, they are called, has now all of the Tier 1 ISPs doing
peering in six facilities across the country. Those facilities --
they've done a pretty good job of security, as much as you can do.
But if somebody has a cage on the floor, if they are renting space,
and they hire a maintenance company to come in and do maintenance
on the box that's in that cage on the floor, they get in. No one
checks their identity beyond what they say their identity is. No
one checks their criminal record. No one checks their name against
our database of terrorists.
As Joe was saying, if there's a CLEC [Competitive
Local Exchange Carrier], a fly-by-night little company, by law,
you have to let them in. And if they then turn around and hire the
Mohammed Atta Repair Company to run the box in their cage in your
facility, you don't know that it's Mohammed Atta. You don't know
what CIA's files or FBI's files say about that guy, but you open
the door and you let them in to your control center. Now, whose
fault is that? It's ours, the Government's fault. But in order to
change it, you all need to make a stink about it. You all need to
ask us, demand from us, that we set up a system so that when you're
allowing somebody in your Telecoms Hotel and your Point of Peering,
because you have to under the law, that you have an opportunity
to know what the Government knows about that guy.
There are three other issues: National Infrastructure
Simulation and Analysis Center. What does that mean? We were talking
earlier about what happens if six buildings blow up. We don't know.
Because we can't model the Internet. We can't model the telephone
grid. We can't model the way in which the electric grid affects
the Internet, affects the telephone grid, [or] affects the railroad
grid.
Many of you had a problem last summer when a train
derailed in a tunnel under the Baltimore Harbor. Initially, that
looked like a train infrastructure problem until we realized that
it was melting backbone. What are the relationships among and between
these various kinds of infrastructures? We need to be able to model
that. [Retired Air Force] General [Richard] Lawson is helping to
create the Center, and he'll talk to you about that. [See separate
remarks – not included in this text].
When we think about the National Strategy, we don't
want it just to be a fix for our current problems. We want it to
look forward. What are the new systems that are coming on, and maybe
we can identify the vulnerabilities in the new systems before they
are widely deployed.
Well, my horizon doesn't go very far. As far out as
I can see, the next widely deployed technology is ubiquitous computing,
Web-enabled devices, Web-enabled wireless devices everywhere. And
from what we can see so far, wireless security is an oxymoron. [Dr.]
Bill Hancock [of Exodus] is going to talk about that. [See separate
remarks – not included in this text].
Dan mentioned the problems that we had on September
11th with cell phones, cell phones overloaded. We were very quickly
told by the Cabinet following September 11th, to fix that problem.
And in the Emergency Supplemental that went through the Congress,
we took some of that money to begin addressing the problem of wireless
priority. Gen. Raduege [Air Force Lieutenant General Harry D. Raduege,
Jr., Manager, National Communications System] is going to talk about
that. [See separate remarks – not included in this text].
I think there is a rich menu here for you to choose
from and look at what issues the NSTAC can make its greatest contribution
on in the immediate future.
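Editor's note: the following Python example is added here and is not part of Mr. Clarke's remarks or any NCS material. It models the two router-side measures the speech points at: source-address validation on customer ports, so that spoofed-source packets are dropped at the edge (the "relatively easy and relatively cheap" fix for spoofed IP addresses), and a control-plane filter that stops SNMP, SSH and BGP reaching the router's own addresses from anywhere but a management network or a configured peer (so the in-band management plane is no longer reachable "from Beijing or Bulgaria or Baltimore"). All addresses, prefixes, peer lists and sample packets are constructed for illustration from documentation and private ranges; the function names are the example's own and do not correspond to any vendor configuration syntax.

```python
"""Simulator for two edge-router filters: source-address validation (BCP 38)
and a control-plane filter that keeps management protocols off the in-band path.
Added example; all addresses are documentation/private ranges chosen for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port; 0 for icmp


# Assumed topology (hypothetical): the router's own addresses, its BGP peers,
# and the prefixes legitimately assigned to each ingress interface.
ROUTER_ADDRESSES = {"203.0.113.1", "198.51.100.1"}
BGP_PEERS = {"198.51.100.2"}
MGMT_SERVICES = {("udp", 161), ("tcp", 22)}  # SNMP and SSH
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]       # customer-facing port
PEER_LINK_PREFIXES = [ipaddress.ip_network("198.51.100.0/30")]   # point-to-point link to the peer
MGMT_PREFIXES = [ipaddress.ip_network("10.20.0.0/24")]           # out-of-band management port


def ingress_filter(pkt, allowed_prefixes):
    """BCP 38 style check: accept only if the source lies in a prefix assigned
    to the interface the packet arrived on; everything else is treated as spoofed."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in allowed_prefixes)


def control_plane_filter(pkt, mgmt_prefixes=MGMT_PREFIXES):
    """Protect the router's own addresses. Transit traffic passes untouched;
    packets addressed to the router are accepted only for BGP from a configured
    peer or for management services from the management prefixes."""
    if pkt.dst not in ROUTER_ADDRESSES:
        return True
    src = ipaddress.ip_address(pkt.src)
    if (pkt.proto, pkt.dport) in MGMT_SERVICES:
        return any(src in prefix for prefix in mgmt_prefixes)
    if pkt.proto == "tcp" and pkt.dport == 179:
        return pkt.src in BGP_PEERS
    return False  # default deny for anything else aimed at the router itself


def evaluate(pkt, ingress_prefixes=CUSTOMER_PREFIXES):
    """Apply both filters in order and return the decision with its reason."""
    if not ingress_filter(pkt, ingress_prefixes):
        return "drop: spoofed source"
    if not control_plane_filter(pkt):
        return "drop: control-plane access denied"
    return "accept" if pkt.dst in ROUTER_ADDRESSES else "forward"


# Constructed sample traffic, labelled by the interface it arrives on.
SAMPLE = [
    (Packet("192.0.2.10", "93.184.216.34", "tcp", 443), CUSTOMER_PREFIXES),    # ordinary customer traffic
    (Packet("172.16.5.5", "93.184.216.34", "udp", 53), CUSTOMER_PREFIXES),     # spoofed source on customer port
    (Packet("192.0.2.10", "203.0.113.1", "udp", 161), CUSTOMER_PREFIXES),      # SNMP aimed at the router
    (Packet("192.0.2.10", "203.0.113.1", "tcp", 179), CUSTOMER_PREFIXES),      # BGP from a non-peer
    (Packet("198.51.100.2", "198.51.100.1", "tcp", 179), PEER_LINK_PREFIXES),  # BGP from the real peer
    (Packet("10.20.0.7", "203.0.113.1", "tcp", 22), MGMT_PREFIXES),            # SSH from the management net
]


def run():
    """Evaluate every sample packet on its own ingress interface."""
    return [evaluate(pkt, prefixes) for pkt, prefixes in SAMPLE]


if __name__ == "__main__":
    for (pkt, _), decision in zip(SAMPLE, run()):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<4} {decision}")
```

The ordering matters: the spoofed-source check runs first so that a forged management or BGP packet is rejected as spoofed before the control-plane rules are even consulted, and the control-plane filter ends in default deny so that a service nobody listed (the one-packet SNMP case in the speech, for instance) is dropped rather than reaching the router.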
Published for internal information use by the
National Communications System. Parenthetical entries are speaker/author
notes; bracketed entries are editorial notes. This material is in
the public domain and may be reprinted without permission.