Feds reach out to hacker community
At Las Vegas conference, two officials concede infrastructure is vulnerable
By William Jackson
NSC's Jeffrey Hunker lists security plan components
- Identify and fix vulnerabilities.
- Detect attacks and intrusions.
- Develop robust law enforcement and intelligence capabilities.
- Develop a mechanism to share attack warnings and information between government agencies and corporations.
- Create a response and recovery system.
- Improve information security R&D.
- Train and employ more security specialists.
- Form partnerships with the private sector and with state and local governments.
- Adopt legislation and appropriate the funds.
- While pursuing all these goals, ensure full protection of civil liberties and privacy rights.
LAS VEGAS - Under Presidential Decision Directive 63, the government is supposed to serve as a national model by safeguarding its critical infrastructure.
'I can assure you the federal government is a model; for the most part, a model for what you don't want to do,' said Jeffrey A. Hunker, the National Security Council's senior director for infrastructure protection. He spoke at the opening session of this month's Black Hat Briefings conference.
A few federal officials showed up, hats in hand, at the annual gathering for hackers, systems administrators and security experts. They were looking for help from those who exploit system vulnerabilities for fun and profit.
'We find out about holes and vulnerabilities from hackers,' said Phillip J. Loranger, chief of the Command and Control Protection Division at the Army's Office of Information Assurance.
Loranger and several private-sector experts said the Defense Department finally is getting serious about security, but they agreed that it has a long way to go.
DOD is applying Band-Aid solutions, Loranger said.
Because the economic incentives to produce and upgrade software are more powerful than the incentives to secure existing software, 'we'll be playing catch-up' for a long time, he said.
His hypothetical answer for securing DOD systems: 'Separate .mil [domains] and make it an intranet, every last bit of it. I have trouble keeping people out because I have too many gateways and back doors.'
The place to be
In its third year, the Black Hat Briefings conference has become an annual precursor to the DefCon hackers convention, also in Las Vegas.
Unlike past years, when federal visitors hovered at the edges of meetings or were downright covert, Hunker and Loranger took part in high-profile presentations and panel discussions at both events.
They said they want to build bridges to the hacker community. The National Security Agency's National Computer Security Center was even one of the Black Hat sponsors this year.
Overall, hackers at the conference said there has been little improvement in computer security in the last year.
'It is really kind of frustrating,' said Dr. Mudge, the nom de hack of the chief scientist at Boston's hacker think tank, L0pht Heavy Industries. 'But I'm starting to see some encouraging changes in small pockets.'
One change is the government's increasingly self-protective stance, he said. Recent exploits that have shut down government Web sites show there is a long way to go, however.
'We know of foreign governments creating offensive attack capabilities against U.S. networks,' Hunker said. Russia and China have publicly announced such programs, and other countries are pursuing them secretly, he said.
PDD 63 sets a 2003 deadline for establishing a viable self-defense capability. 'I'm optimistic we will have it in place,' Hunker said, 'but we won't be able to stop there. This is an issue we will be working on the rest of our lives.'
Hunker said the initial version of the protection plan will have 10 parts.
The effort has bipartisan congressional support, and the government's overall computer security budget will increase 40 percent in fiscal 2000 to $1.5 billion, Hunker said. Another $508 million will go to information technology R&D that will contribute to better security, he said.