

Michael A. Vatis, Director, National Infrastructure Protection Center

The National Infrastructure Protection Center (NIPC), located at FBI Headquarters in Washington, D.C., was created by the Department of Justice and the FBI in February 1998. It is a joint government and private sector partnership that includes representatives from relevant agencies of federal, state and local government. The concept evolved from the recommendations of the President's Commission on Critical Infrastructure Protection and from the government's experience over the years in dealing with illegal intrusions into government and private sector computer systems.

How many computers are used in your jurisdiction?  How many are connected to the Internet?  How many can be used to commit crimes?  How would you respond if a hacker accessed your critical water or power distribution and control systems?  Who has jurisdiction if a local financial institution or merchant is defrauded through the Internet?  Are your own department’s computer systems protected from outside attack?  What about the insider threat?  How safe are you from careless, untrained, or disgruntled users inside your agency?  These are tough questions that demand answers.

Society has come to depend on an ever-expanding, increasingly complex web of electronic information systems.  We rely on these systems to conduct business, perform research, communicate, control processes, and manage our personal lives.  As we conduct more of our public and private lives on-line, criminals use computers and the Internet to steal, defraud, disrupt, destroy, and threaten our data, services, commerce, and national security. The recent distributed denial of service (DDoS) attacks which temporarily shut down e-commerce web sites such as YAHOO!, buy.com, and E*TRADE are only the latest example of the threat posed by cyber-crime.

The National Infrastructure Protection Center (NIPC), created by Attorney General Janet Reno and FBI Director Louis Freeh in February 1998, addresses the growing threat of illicit computer activity, particularly as it affects critical national infrastructures.  The mission of NIPC is to assess, warn of, respond to, and investigate illegal acts involving computer and information technologies, and unlawful acts that threaten or target our critical infrastructures.    

The NIPC does not merely respond to attacks after they occur; it concentrates equally on prevention, and the collection, analysis, and dissemination of information to law enforcement partners, other government agencies, and the private sector.  The NIPC issues warnings based on its analyses of possible incidents and vulnerabilities.  It relies on the assistance and cooperation of its partners including federal agencies, the private sector, and state and local law enforcement agencies, who often respond first to attacks. 

As one example, in December 1999 the NIPC issued warnings about the possibility of DDoS attacks and released a tool that could be used to detect whether a computer had unwittingly been victimized by a hacker as part of such an attack.  In February, these warnings were borne out when several e-commerce sites were knocked off line by DDoS attacks.

The NIPC and Critical Infrastructure Protection

On July 15, 1996, President Clinton issued Executive Order 13010, which identified the nation’s critical infrastructure sectors: telecommunications, transportation, electric power, banking and finance, gas and oil storage and delivery, water supply, emergency services, and government operations.  Each infrastructure sector includes interdependent physical and electronic networks defined as critical because their failure could affect our economic security or national defense.  These infrastructures, which are essential to our national well being, are mostly owned and operated by private interests, not the government.

The Executive Order also established the President’s Commission on Critical Infrastructure Protection (PCCIP), whose objective was to recommend a comprehensive national infrastructure protection policy and implementation strategy.  In October 1997, the PCCIP recommended that the federal government develop collaborative relationships with the owners and operators of critical infrastructures. Protecting from attack and responding to threats are vital responsibilities that must be shouldered by public and private partners. 

This initiative bore fruit in May 1998 in the form of Presidential Decision Directive (PDD) 63, which set forth the President’s framework and policy for protecting the nation’s critical infrastructures. It also formally endorsed the NIPC’s role as the focal point for the federal government’s efforts for warning of and investigating cyber-attacks.

The NIPC is located at FBI Headquarters in Washington, D.C. It combines criminal investigative, counterintelligence, and counterterrorism resources and responsibilities related to computer intrusions and infrastructure issues. The NIPC also provides the Attorney General and FBI Director with a centralized support and planning structure capable of responding to threats ranging from domestic computer crime to attacks orchestrated by foreign national states.  

While located at the FBI, the NIPC is an interagency center and includes representatives from the FBI, the Department of Defense and the military services, the intelligence community, other federal agencies, state and local law enforcement and private industry. All of these partners have a role to play in protecting our infrastructures, and their presence in the center allows for coordination of investigations, sharing of expertise and information, and collaborative development of protective initiatives.

NIPC Organization

The NIPC is organized into three sections: The Computer Investigations and Operations Section (CIOS), the Analysis and Warning Section (AWS), and the Training, Outreach, and Strategy Section (TOSS).

CIOS is the operational and response arm of the center and addresses cyber-terrorism, cyber-crime, and computer based foreign intelligence activities. The CIOS program manages computer intrusion investigations conducted by FBI field offices and provides subject matter experts, equipment, and technical support to cyber-investigators in federal, state, and local government agencies involved in critical infrastructure protection. The CIOS also provides an emergency response capability to assist in resolving incidents.

The AWS serves as the intelligence and warning arm of the NIPC. It provides analytical support during computer intrusion investigations, conducts strategic analysis of threats, and issues warnings and advisories of ongoing or imminent attacks to government and private sector partners.

The TOSS coordinates the training and education of cyber investigators in FBI field offices, state and local law enforcement agencies, and private sector organizations.  The TOSS also coordinates outreach activities for private and public partners and manages the Key Asset Initiative and InfraGard Program.  The Key Asset Initiative collects and catalogs information on critical infrastructure components across the nation. InfraGard is a cooperative network of interested partners in the private sector directed at sharing information about threats and vulnerabilities. Finally, the TOSS provides strategic planning and administrative support to the NIPC. 

Beyond the NIPC, the FBI has created a related National Infrastructure Protection and Computer Intrusion Program (NIPCIP) in its field offices. This is a new investigative program that places special agents responsible for computer intrusion and infrastructure protection matters in each field office. Regional NIPC squads are located in 16 offices: Atlanta, Baltimore, Boston, Charlotte, Chicago, Dallas, Houston, Los Angeles, Miami, Newark, New Orleans, New York City, San Diego, San Francisco, Seattle, and Washington, D.C.  Other offices have between one and five agents assigned to the program. The hope is to expand the program so that eventually every FBI office has the full capability to conduct complex computer investigations.

Technological Vulnerabilities

There are three major reasons why our critical infrastructures are at risk. First, developments in telecommunications and information technology (IT) have brought the farthest reaches of the world to our computers. Satellite communications, the Internet, and international ownership of telecommunications and IT industry infrastructure components make communications a global enterprise. Geographic isolation no longer guarantees protection from foreign adversaries.  With a portable computer and a telephone connection, an attacker can bring down or infiltrate critical computer systems just as easily from St. Petersburg, Russia as from St. Petersburg, Florida.

Second, our nation’s critical infrastructures are interdependent. For example, the financial services industry depends on the telecommunications infrastructure, which relies on electric power, which relies on gas and petroleum distribution, which relies on transportation. A single disruption incident in this chain of interdependency can cascade quickly through the other infrastructures, broadening and exacerbating the effects on our economy and public safety.

Last, we rely on widely available commercial hardware and software technology. If a product contains an inherent vulnerability, it becomes an Achilles' heel for all systems relying on it. Information on vulnerabilities is disseminated quickly through the information technology community, exposing users and systems to cyber attack on a broad scale.

Threats to critical infrastructures

Advances in technology have opened new vulnerabilities in our critical infrastructures and created new tools to exploit those vulnerabilities. The open nature of the Internet and our telecommunications systems allows anyone with moderate technical skills and the right tools to exploit vulnerabilities and penetrate computer systems. These tools are relatively easy to use and are readily available on hacker websites. These tools can be used to steal, alter or erase data; intercept communications; or deny service of critical information systems.

In the past, threats to our infrastructures were physical in nature, such as truck bombs or acts of sabotage, and the likely perpetrators were terrorist groups and hostile foreign powers.  Now the list of possible attackers includes disgruntled insiders seeking revenge, hackers testing their skills, criminals seeking financial gain, foreign intelligence operatives seeking sensitive government or industrial information, and terrorist groups or hostile nations conducting attacks on vital services such as electrical energy or telecommunications. The anonymity of the cyber world makes it difficult to identify those responsible for an intrusion, or their intentions.

The potential harm from illegal intrusions is enormous. Even the unclassified systems used by industry and government contain massive amounts of important and sensitive data. The loss or alteration of this data could seriously affect personal privacy and the ability to conduct business. Statistics underscore how pervasive and detrimental cyber attacks can be.     

A 1999 study by the Computer Security Institute revealed that 62 percent of respondents reported information system security breaches within the previous 12 months, while a staggering 90 percent reported virus infections. Total financial losses reported by the 163 organizations that could put a dollar figure on losses added up to $123.8 million. A total of 51 percent of the respondents reported financial loss, but only 31 percent were willing or able to quantify the extent of the damage.[1]

A 1996 survey of 1,000 companies by the American Bar Association showed that 48 percent had experienced computer fraud in the previous five years. While losses for the entire period were not available, each incident resulted in a loss of $2 million to $10 million.[2]

The CERT Coordination Center reported only six incidents in 1988. That number increased to 3,734 in 1998, and in 1999, 8,268 incidents were handled.[3]  At the FBI, our caseload involving computer intrusions has doubled in each of the last two years, with over 800 cases currently pending. This does not even include other types of computer crime such as child pornography or Internet fraud schemes.

NIPC’s state and local law enforcement partners

The NIPC’s success depends on building and enhancing long-term relationships with state and local law enforcement agencies.  We are doing this in several ways. First, we have representatives from state and local law enforcement working with us at the NIPC on detail assignment, and we welcome additional representatives. These officers help us keep the perspective of state and local law enforcement in mind as we perform our mission. 

Second, we have made our computer investigation training courses available to state and local law enforcement officers who work on these matters. Information on our training programs can be obtained from the local FBI field office, NIPCIP, or training coordinator.

Third, each field office is developing cyber crime task forces with federal, state and local partners, so that we can work together to address this growing crime problem.

Fourth, we routinely send threat and vulnerability information to our partners via the National Law Enforcement Telecommunications System (NLETS) and Law Enforcement On-line (LEO).

Finally, pursuant to PDD-63, we are working with a group of police chiefs and sheriffs on something called the "Emergency Law Enforcement Sector (ELES) Forum," to develop a plan to protect state and local law enforcement computer and information systems from attacks that could disrupt or undermine effective law enforcement.  The ELES Forum also advises the NIPC on matters of state and local interest.

The InfraGard Program, rolled out in July of 1999, is another example of inter-jurisdictional cooperation. InfraGard began as a pilot project in the Cleveland, Ohio FBI field office when local computer security officials were asked to assist the FBI in determining how to best protect critical information systems.  The first InfraGard chapter was formed from this partnership. InfraGard is now an integral part of the NIPC’s national outreach and information sharing efforts. Through a secure encrypted website and messaging network, private sector and government partners can share information about vulnerabilities and attacks in a secure and confidential way. Members can also participate in local chapter activities and access an NIPC help desk.  InfraGard chapters are now being formed across the country and the website and secure e-mail system are up and running.

State and local agencies investigate and prosecute cyber-crimes that violate local laws. By sharing investigative data with the NIPC, agencies can identify and analyze emerging trends and share their findings with other agencies. In some cases it may be appropriate for state and local agencies to share investigative responsibilities or seek assistance from their local FBI field office and the NIPC, especially through the developing cyber-crime task forces. The cross-jurisdictional nature of cyber-crimes, in which attacks originate anywhere, means that investigative efforts must be coordinated among local, state, and Federal agencies to ensure effective prosecution.

A good example of this type of cooperative investigation was the Melissa Macro Virus case last year. In that case, the New Jersey State Police (NJSP) and the FBI’s Newark Office, through the NIPCIP squad, successfully investigated a virus that affected hundreds of companies and individuals worldwide and caused over $80 million in damage.  The NJSP received a critical tip from America Online which, with other investigative work, ultimately led to the prosecution and guilty plea of David Smith in a New Jersey court.

If you have questions concerning the jurisdiction of specific computer crimes, or are seeking investigative guidance for cases, look first to your state attorney general. Each United States Attorney’s Office also has an Assistant United States Attorney who serves as the Computer and Telecommunications Coordinator (CTC) to oversee cyber-crime prosecutions. The CTC can offer advice and guidance regarding jurisdictional and investigative threshold issues. If a computer crime involves a federal interest or crosses state boundaries, call your local FBI field office. 

To support the NIPC in combating the cyber threat, state and local law enforcement agencies, as well as other organizations, should first safeguard their own computer systems from intrusions and attack. Develop and implement sound security policies for your systems:

Identify the person responsible for computer security in your organization--the one who knows how to fix system vulnerabilities or knows where to go for help.

Enable audit features to monitor log on and log off activity and determine which files are accessed and by whom.

Install anti-virus software and scan all outside software and files for computer viruses before they enter your systems.

Install firewalls, hardware or software to protect internal networks from attack via the Internet or outside networks.

Change passwords frequently and use passwords with a combination of letters, numbers, and special characters. Don’t use words or well-known phrases.

Ensure that only authorized persons have access privileges to your systems and computers. Restrict the use of guest and training accounts. Change default administrator and "Superuser" passwords.

Warn users through banners and messages on computer screens that their activities may be monitored. Use messaging networks to remind users of the necessity to practice good computer security.

Enforce existing security policy and develop new guidelines to limit vulnerabilities.
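The audit and access-control items above (enable logon/logoff auditing, record which files are accessed and by whom, restrict guest and training accounts) are easier to act on when someone actually reviews the records. The following is an added example, not an NIPC tool or any product's log format: it parses a constructed set of logon, logoff and file-access records, pairs logons with logoffs, and flags logons by accounts the policy says to restrict. The record format, the `RESTRICTED_ACCOUNTS` set and the sample records are all assumptions made for this illustration.

```python
"""Added example: review constructed logon/logoff and file-access audit records."""
from collections import defaultdict
from datetime import datetime

# Assumption: the guest/training accounts whose use the policy restricts.
RESTRICTED_ACCOUNTS = {"guest", "training"}

# Constructed sample audit records (format: timestamp EVENT key=value ...).
SAMPLE_LOG = """\
2000-03-01T08:02:11 LOGON user=jsmith host=ws12
2000-03-01T08:05:40 FILE user=jsmith path=/cases/2000-17.doc action=read
2000-03-01T08:07:02 FILE user=jsmith path=/cases/2000-17.doc action=write
2000-03-01T09:15:00 LOGON user=guest host=ws30
2000-03-01T09:16:21 FILE user=guest path=/admin/passwd.lst action=read
2000-03-01T09:20:05 LOGOFF user=guest host=ws30
2000-03-01T17:01:33 LOGOFF user=jsmith host=ws12
2000-03-01T23:48:10 LOGON user=admin host=ws01
"""


def parse_record(line):
    """Parse one record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    record = {"time": ts, "event": parts[1]}
    for field in parts[2:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        record[key] = value
    return record


def review_audit_log(log_text):
    """Summarize who logged on, which files they touched, and what to look at.

    Returns a dict with:
      sessions          - list of (user, host, logon time, logoff time or None)
      restricted_logons - users from RESTRICTED_ACCOUNTS that logged on
      open_sessions     - (user, host) pairs with a logon but no logoff
      file_access       - {user: [(path, action), ...]}
    """
    open_by_key = {}
    sessions = []
    file_access = defaultdict(list)
    restricted = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec.get("user"), rec.get("host"))
        if rec["event"] == "LOGON":
            open_by_key[key] = rec["time"]
            if rec["user"] in RESTRICTED_ACCOUNTS:
                restricted.append(rec["user"])
        elif rec["event"] == "LOGOFF":
            start = open_by_key.pop(key, None)  # None if no matching logon
            sessions.append((rec["user"], rec["host"], start, rec["time"]))
        elif rec["event"] == "FILE":
            file_access[rec["user"]].append((rec["path"], rec["action"]))
    # Logons that never logged off are still-open sessions worth a look.
    for (user, host), start in open_by_key.items():
        sessions.append((user, host, start, None))
    return {
        "sessions": sessions,
        "restricted_logons": restricted,
        "open_sessions": sorted(open_by_key),
        "file_access": dict(file_access),
    }


if __name__ == "__main__":
    summary = review_audit_log(SAMPLE_LOG)
    for user, host, start, end in summary["sessions"]:
        print(f"{user}@{host}: {start} -> {end or 'still logged on'}")
    print("restricted-account logons:", summary["restricted_logons"])
    for user, files in summary["file_access"].items():
        print(user, files)
```

Run as a script it prints each session, the guest-account logon, and the file touched by that account; in practice the same review would be fed by the audit facility the operating system already provides, and the restricted-account and still-open-session lists are the items to check against the agency's policy.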

State and local law enforcement agencies are in a position to perform critical functions that can significantly affect the outcome of investigations. Complete, accurate and timely gathering of information is crucial to conduct a successful investigation. Whether you are investigating an incident independently, or assisting other agencies, it is important to answer these questions:    

How was access gained?

Is there evidence of physical damage?

What level of access was obtained?

Which programs were accessed?

Which operating systems were involved?

What is the value of data exploited?

Has data been lost, altered, or made unavailable?

How can we prevent future occurrences?

Contacting the NIPC

If you suspect a cyber-crime falls under Federal jurisdiction, contact the local FBI field office, which will initiate an inquiry and notify the NIPC Watch Office. If you are investigating a cyber-crime independently, contact the NIPC Watch Office directly by e-mail to nipc.watch@fbi.gov or by fax to (202) 323-2079 or call (202) 323-3205. Information provided will be used to develop threat warnings and measures to prevent future attacks and for correlation with other investigations that might be underway by other agencies. 

Another source of information is the NIPC special-interest group on LEO. LEO is a national interactive computer communications system operated by the FBI for the law enforcement community. Software and on-line access are provided free of charge to qualified law enforcement professionals. For more information on LEO contact the LEO Program Office at 202-324-8833.

Looking to the future

The NIPC and FBI field offices have made great progress over the last two years in establishing a proactive, cutting edge investigative capability and a true partnership with industry and state and local law enforcement. But as the profusion of cyber-crime continues to grow, we will need to leverage our limited resources by working together more than ever before. The collaborative efforts of interested parties, including state and local law enforcement, are critical to realizing the goals of the NIPC. Together, we can continue to protect the nation’s infrastructures and keep on the cutting edge of law enforcement in the 21st century.

Notes:

1. Issues and Trends: 1999 CSI/FBI Computer Crime and Security Survey.  Computer Security Institute, March 5, 1999.  http://www.gocsi.com

2. Johnson, Anna, "Companies Losing Millions over Rising Computer Crime."  Shake Security Journal, Volume 1, Issue 1, March 1998.

3. The CERT® Coordination Center is a federally funded research and development center located at Carnegie Mellon University in Pittsburgh, PA.  CERT serves as a 24-hr. central contact point for identifying and correcting computer vulnerabilities.  http://www.cert.org

Copyright Commission on Accreditation for Law Enforcement Agencies, Inc. 2008-All Rights Reserved.