Date: Sat, 19 Feb 2000 12:59:48 -0500
From: Gene Spafford <spaf@cerias.purdue.edu>

Infosecurity at the White House
Gene Spafford

Prolog

Last week (ca. 2/8/00), a massive distributed denial of service attack
was committed against a number of Internet businesses, including
e-Bay, Yahoo, Amazon.com, and others.  This was accomplished by
breaking into hundreds (thousands?) of poorly-secured machines around
the net and installing packet generation "slave" programs.  These
programs respond by remote control to send packets of various types
to target hosts on the network.  The resulting flood effectively shut
those target systems out of normal operation for periods ranging up to
several hours.

The press jumped all over this as if it was something terribly new (it
isn't -- experienced security researchers have known about this kind
of problem for many years) and awful (it can be, but wasn't as bad as
they make it out to be).  One estimate in one news source speculated
that over a billion dollars had been lost in lost revenue, downtime,
and preventative measures.  I'm skeptical of that, but it certainly is
the case that a significant loss occurred.

Friday, Feb 11, I got a call from someone I know at OSTP (Office
of Science and Technology Policy) inquiring if I would be available
to meet with the President as part of a special meeting on Internet
security.  I said "yes."  I was not provided with a list of attendees
or an agenda.  Initially, I was told it would be a meeting of security
experts, major company CEOs, and some members of the Security Council,
but that was subject to change.

The Meeting

I arrived at the Old Executive Office Building prior to the meeting
to talk with some staff from OSTP.  These are the people who have
been working on the Critical Infrastructure issues for some time,
along with some in the National Security Council.  They really "get
it" about the complexity of the problem, and about academia's role and
needs, and this may be one reason why this was the first Presidential-
level meeting on information security that included academic faculty.

After a few minutes, I was ushered into Dr. Neal Lane's office where
we spent about 15 minutes talking.  (As a scientist and polymath,
I think Lane has one of the more fascinating jobs in the Executive
Branch: that of Assistant to the President for Science and Technology
and Director of OSTP.  For instance, on his table he had some great
photos of the Eros asteroid that had been taken the day before.)
We then decided to walk over to the White House (next door) where we
joined the other attendees who were waiting in a lobby area.

Eventually, we were all escorted upstairs to the Cabinet Room.  It was
a tight fit, as there were over 30 of us, staff and guests (invitee
list at the end).  We then spent a half hour mingling and chatting.
There were a lot of people I didn't know, but that's because normally
I don't get to talk to CEOs.  Most notably, there were people present
from several CERIAS sponsor organizations (AT&T, Veridian/Trident,
Microsoft, Sun, HP, Intel, Cisco).  I also (finally!) got to meet
Prof. David Farber in person.  We've "known" each other electronically
for a long time, but this was our first in-person meeting.

After a while, some more of the government folk joined the group:
Attorney General Reno; Commerce Secretary Daley; Richard Clarke,
the National Coordinator for Security, Infrastructure Protection and
Counter-terrorism; and others.  After some more mingling, I deduced
the President was about to arrive -- several Secret Service agents
walked through the room giving everyone a once-over.  Then, without
any announcement or fanfare, the President came into the room along
with John Podesta, his chief of staff.

President Clinton worked his way around the room, shaking everyone's
hand and saying "hello."  He has a firm handshake.  In person, he
looks thinner than I expected, and is not quite as tall as I expected,
either.

We all then sat down at assigned places.  I had the chair directly
opposite the President.  Normally, it is the chair of the Secretary
of State.  To my left was Whit Diffie of Sun, and to my right was
John Podesta.  I was actually surprised that I had a seat at the table
instead of in the "overflow" seats around the room.

The press was then let into the room.  It was quite a mass.  The
President made a statement, as did Peter Solvik of Cisco.  The press
then asked several questions (including one about oil prices that had
nothing to do with the meeting).  Then, they were ushered out and the
meeting began.

The President asked a few individuals (Podesta, Daley, Reno, Pethia,
Noonan) to make statements on behalf of a particular segment of
industry or government, and then opened it up for discussion.  The
next hour went by pretty quickly.  Throughout, the President listened
carefully, and seemed really involved in the discussion.  He asked
several follow-up questions to things, and steered the discussion back
on course a few times.  He followed the issues quite well, and asked
some good follow-up questions.

During the discussion, I made two short comments.  The first was about
how it was important that business and government get past using cost
as the primary deciding factor in acquiring computer systems, because
quality and safety were important.  I went on to say that it was
important to start holding managers and owners accountable when their
systems failed because of well-known problems.  I observed that if
the government could set a good example in these regards, others might
well follow.

My second comment was on the fact that everyone was talking about
"business and government" at the meeting but that there were other
players, and that academia in particular could play an important part
in this whole situation in cooperation with everyone else.  After all,
academia is where much of the research gets done, and where the next
generation of leaders, researchers, and businesspeople are coming
from!

Overall, the bulk of the comments and interchange were reasoned and
polite.  I only remember two people making extreme comments (to which
the rest of us gave polite silence or objections); I won't identify
the people here, but neither were CERIAS sponsors :-).  One person
claimed that we were in a crisis and more restrictions should be
placed on publishing vulnerability information, and the other was
about how the government should fund "hackers" to do more offensive
experimentation to help protect systems.  My summary of the major
comments and conclusions is included below.

After considerable discussion, the meeting concluded with Dick
Clarke reminding everyone that the President had submitted a budget
to Congress with a number of new and continuing initiatives in
information security and cybercrime investigation, and it would be
up to Congress to provide the follow-through on these items.

We then broke up the meeting, and the President spent a little more
time shaking hands and talking with people present.  Buddy (his
dog) somehow got into the room and "met" several of us, too -- I
got head-butted in the side of my leg as he went by. :-) The official
photographer got a picture of the President shaking my hand again.

The President commented to Vint Cerf how amazed he was that the group
had been so well-behaved --- we listened to each other, no one made
long rambling speeches, and there was very little posturing going
on.  Apparently, similar groups from other areas are quite noisy and
contentious.

We (the invitees) then went outside where there was a large crowd of
the press.  Several of us made short statements, and then broke up
into groups for separate interviews.  After that was done, I left and
returned home to teach class on Wednesday.

My interview with the local news station didn't make it on the 6pm
news, and all the print accounts seemed to make a big deal of the fact
that "Mudge" was at the meeting.  Oh well, I thought "Spaf" was a
way-cool "handle", better than "Mudge" but it doesn't go over as well
with the press for some reason.  I'll have to find some other way to
develop a following of groupies. :-)

On Friday, I was back in DC at the White House conference center to
participate in a working session with the PCAST (President's Committee
of Advisors on Science & Technology) to discuss the structure and
organization of the President's proposed Institute for Information
Infrastructure Protection.  This will have a projected budget of $50
million per year.  CERIAS is already doing a significant part of what
the IIIP is supposed to address (but at a smaller scale).  Thus, we
may have a role to play in that organization, as will (I hope) many
of the other established infosec centers.  The outcome of that meeting
was that the participants are going to draft some "strawman" documents
on the proposed IIIP organization for consideration.  I am unsure
whether this is significant progress or not.

Outcomes

I didn't enter the meeting with any particular expectations. However,
I was pleasantly surprised at the sense of cooperation that permeated
the meeting.  I don't think we solved any problems, or even set an
agenda of exactly what to do.  There was a clear sense of resistance
from the industry participants to any major changes in regulations
or Internet structure.  In fact, most of the companies represented
did not send CEOs so that (allegedly) there would be no one there who
could make a solid commitment for their firms should the President
press for some action.

Nonetheless, there were issues discussed, some subsets of those
present did agree to meet and pursue particular courses of action,
and we were reminded about the President's info protection plan.
To be fair, this is an area that has been getting attention from
the Executive Branch for several years, so this whole event shouldn't
be seen as a sudden reaction to specific events.  Rather, from the
PCCIP on, there has been concern and awareness of the importance of
these issues.  This was simply good timing for the President to again
demonstrate his concern, and remind people of the national plan that
was recently released.

I came away from the meeting with the feeling that a small, positive
step had been made.  Most importantly, the President had made it clear
that information security is an area of national importance and that
it is taken seriously by him and his administration.  By having Dave
Farber and myself there, he had also made a statement to the industry
people present that his administration takes the academic community
seriously in this area.  (Whether many of the industry people got that
message -- or care -- remains to be seen.)

I recall that there were about 7 major points made that no one
disputed:

   1) The Internet is international in scope, and most of the
 companies present have international operations.  Thus, we must
 continue to think globally.  US laws and policies won't be enough
 to address all our problems.

   2) Privacy is a big concern for individuals and companies alike.
 Security concerns should not result in new rules or mechanisms that
 result in significant losses of privacy.

   3) Good administration and security hygiene are critical.  The
 problems of the previous week were caused by many sites (including,
 allegedly, some government sites) being compromised because they were
 not maintained and monitored.  This, more than any perceived weakness
 in the Internet, led to the denial of service.

   4) There is a great deal of research that yet needs to be done.

   5) There are not enough trained personnel to deal with all our
 security needs.

   6) Government needs to set a good example for everyone else, by
 using good security, employing standard security tools, installing
 patches, and otherwise practicing good infosec.

   7) Rather than new structure or regulation, broadly-based
 cooperation and information sharing is the near-term approach best
 suited to solving these kinds of problems.

Let's see what happens next.  I hope there is good follow-through by
some of the parties in attendance, both within and outside government.

Miscellany

Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short
list of near-term actions that sites can implement to help prevent
a recurrence of the DDOS problems.  Alan is going to coordinate
input from a number of industry people, and then we will publicize
this widely.  It isn't an agenda for research or long-term change,
but we believe it can provide a concrete set of initial steps.  This
may serve as a good model for future such collaborative activities.

I was asked by several people if I was nervous.  Actually, no.  I've
been on national television many times, and I've spoken before crowds
of nearly a thousand people.  Actually, *he* should have been nervous
-- I have tenure, and he clearly does not. :-)

The model we have at CERIAS with the partnership of industry and
academia is exactly what is needed right now.  Our challenge is
to find some ways to solve our faculty needs and space shortage.
In every other way, we're ideally positioned to continue to make
a big difference in the coming years.

Of the 29 invited guests, there was only one woman and one member of
a traditional minority.  I wonder how many of the people in the room
didn't even notice?

Attendees

Douglas F. Busch
Vice President of Information Technology, Intel

Clarence Chandran
President, Service Provider & Carrier Group, Nortel Networks

Vinton Cerf
Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom

Christos Costakos
Chief Executive Officer, E-Trade Group, Inc.

Jim Dempsey
Senior Staff Counsel, Center for Democracy and Technology

Whitfield Diffie
Corporate Information Officer, Sun Microsystems

Nick Donofrio
Senior Vice President and Group Executive, Technology & Manufacturing, IBM

Dave Farber
University of Pennsylvania

Elliot Gerson
Chief Executive Officer, Lifescape.com

Adam Grosser
President, Subscriber Networks, Excite@home

Stephen Kent
BBN Technologies (GTE)

David Langstaff
Chairman and Chief Executive Officer, Veridian

Michael McConnell
Booz-Allen

Mary Jane McKeever
Senior Vice President, World Markets, AT&T

Roberto Medrano
Senior Vice President, Hewlett Packard

Harris N. Miller
President, Information Technology Association of America (ITAA)

Terry Milholland
Chief Information Officer, EDS

Tom Noonan
Internet Security Systems (ISS)

Ray Oglethorpe
President, AOL Technologies, America Online

Alan Paller
Chairman, SANS Institute

Rich Pethia
CERT/CC, SEI at Carnegie-Mellon University

Geoff Ralston
Vice President for Engineering, Yahoo!

Howard Schmidt
Chief Information Security Officer, Microsoft

Peter Solvik
Chief Information Officer, Cisco Systems

Gene Spafford
CERIAS at Purdue University

David Starr
Chief Information Officer, 3Com

Charles Wang
Chief Executive Officer, Computer Associates International

Maynard Webb
President, Ebay

Peiter Zatko a.k.a. "Mudge"
@stake