Getting Past the Secrecy Surrounding Network Break-ins

Your network has just been breached. Do you call the police? Alert the FBI?

Not if you’re a typical IT manager, according to the latest Computer Crime and Security Survey, which is conducted annually by the Computer Security Institute and the FBI. According to the survey — of more than 500 U.S. IT security professionals — only 30 percent of computer crimes are reported to law enforcement.

Reporting a break-in to law enforcement is “a double-edged sword,” said Brian Schaeffer, the chief technology officer of Liberty Bell Bank, in Cherry Hill, N.J. “I might get help, but I get the bad press too, and I’ve got customers and shareholders to think about.”

That’s a problem for law enforcement agencies, which may well never hear about the attack. It’s also a problem for other companies, which might be next on the target list.

And in this post-9/11 era, it’s also being recognized as a potential disaster-in-the-making for the nation as a whole, which has no way of rapidly detecting a wide-scale attack on its computing infrastructure.

Companies under attack often turn to CERT, the Internet security center operated by Carnegie Mellon University, for help. CERT tracked 76,404 cyber-incidents in the first six months of 2003 alone. But because of privacy concerns, those incidents don’t get reported to the FBI.

Real-Time Intrusion Monitoring

Help is on the way, however. A group of corporate IT managers, security consultants, and law enforcement officials think they’ve come up with a way to share real-time data about computer break-ins, without compromising the privacy of those who’ve been attacked.

The group, which has incorporated as the non-profit Cyber Incident Detection and Analysis Center (CIDAC), based in Philadelphia, hopes to distribute a series of intrusion monitoring machines — CIDAC calls them Real-time Cyber Attack Detection Sensors — into computer networks across the country.

These computers would not be connected to the production systems of the host company, although they would appear to belong on its network, says FBI agent and computer security expert John Chesson, who is working with the group.

“All an attacker would see,” Chesson says, “is that computer is in the IP block range of the target network, and looks like a machine that belongs there.”

That system has as good a chance of being attacked as any other machine on the network, according to Chesson, because an attacker doesn’t always know which machines are production machines and which ones aren’t.

“They may figure it out once they get inside that machine, but by then, you’ve already discovered the methods they’ve used to compromise the system. And that information is very valuable,” he says.

The machines would also be connected to a real-time monitoring center run by CIDAC, which would promptly alert both law enforcement and other organizations that might be attacked, without revealing the actual identity of the company that was attacked.

Distributing machines like this widely enough could provide an early warning of a widespread attack on the nation’s infrastructure. If the monitoring station saw lots of alarms going off at power companies, for example, it would be able to quickly notify other public utilities of the intrusions.
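As an added illustration of the sharing model described above (this is not CIDAC’s code; the organizations, alerts, secret and threshold values are all constructed), the following Python sketch shows a monitoring center pseudonymizing sensor reports with a key it keeps to itself and raising a sector-wide warning when several distinct sensors in one sector report the same technique within a short window:

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: raw sensor alerts as the monitoring center might receive them.
# Each carries the real host organization; that field must never leave the center.
RAW_ALERTS = [
    {"ts": "2003-09-01T10:00:00", "org": "PowerCo East", "sector": "utilities", "technique": "ssh brute-force"},
    {"ts": "2003-09-01T10:04:00", "org": "PowerCo West", "sector": "utilities", "technique": "ssh brute-force"},
    {"ts": "2003-09-01T10:07:00", "org": "Liberty Bell Bank", "sector": "finance", "technique": "web scan"},
    {"ts": "2003-09-01T10:09:00", "org": "Gas & Light Inc", "sector": "utilities", "technique": "ssh brute-force"},
    {"ts": "2003-09-01T14:30:00", "org": "PowerCo East", "sector": "utilities", "technique": "ssh brute-force"},
]

def pseudonymize(org: str, secret: bytes) -> str:
    """Replace the organization name with a keyed hash so recipients can count distinct
    victims and link repeat reports without learning who was hit. Without `secret`,
    the label cannot be reversed by guessing over a list of known member names."""
    return hmac.new(secret, org.encode(), hashlib.sha256).hexdigest()[:12]

def sanitize(alerts, secret):
    """Produce the shareable feed: timestamp, sector, technique, pseudonymous sensor id."""
    return [{"ts": a["ts"], "sector": a["sector"], "technique": a["technique"],
             "sensor": pseudonymize(a["org"], secret)} for a in alerts]

def sector_warnings(feed, window_minutes=30, min_sensors=3):
    """Flag sectors where at least `min_sensors` distinct sensors reported the same
    technique inside a sliding window: the 'lots of alarms at power companies' case."""
    by_key = defaultdict(list)
    for a in feed:
        by_key[(a["sector"], a["technique"])].append((datetime.fromisoformat(a["ts"]), a["sensor"]))
    warnings = []
    for (sector, technique), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {s for t, s in events[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(in_window) >= min_sensors:
                warnings.append({"sector": sector, "technique": technique,
                                 "sensors": len(in_window), "first_seen": t0.isoformat()})
                break  # one warning per sector/technique is enough for an early alert
    return warnings

if __name__ == "__main__":
    feed = sanitize(RAW_ALERTS, b"center-only-secret")  # constructed secret
    for w in sector_warnings(feed):
        print(f"WARNING {w['sector']}: {w['sensors']} sensors saw {w['technique']} from {w['first_seen']}")
```

The shared feed never contains the organization name, yet repeat reports from the same host still line up under one pseudonym, which is what lets the center count distinct victims.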

Hampered by Corporate Bureaucracy

CIDAC’s monitoring program emerged out of an information-sharing program called InfraGard, which aims to reduce the barriers to communication between IT managers and the FBI. The program’s local chapters — there are 72 of them, in cities across the U.S. — arrange regular meetings between FBI computer crime investigators and private sector IT departments.

The program has helped. Schaeffer, of Liberty Bell Bank, says before he joined InfraGard, “if I had a [security] problem, I didn’t know who to talk to.”

Even the improved communication that has emerged out of InfraGard, however, hasn’t been enough to get companies to start reporting cyber break-ins.

IT managers who want to call the FBI often find themselves hampered by corporate bureaucracy, says Chesson. It can easily take days or weeks for a request to work its way up the chain of command and be approved by the legal department and others.

And a company’s first priority during a network intrusion is not to gather evidence and notify law enforcement, but to close the hole and get its production systems back online as quickly as possible.

Once that’s happened — often with the help of CERT or other security organizations — there’s little incentive for companies to talk about the event. “They say to themselves, ‘I’ve solved this problem, why should I drag it out for two more years?’” Chesson says.

“Nobody in the private sector wants the FBI looking at their computers,” agrees Buck Fleming, CIDAC’s Executive Director.

CIDAC, therefore, has spent considerable time and effort examining issues of liability and privacy. “We believe that we’ve worked out a way to gather this data and put it in a form that’s useful, but still protect the private sector’s privacy rights,” Fleming says.