Firewall Wizards mailing list archives

RE: FBI's InfraGard


From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 29 Apr 1999 12:38:51 -0400

I recently was called by an FBI Field Agent in response to an email I
sent to the two publicly available InfraGard addresses
(infragard () fbi gov and nipc () fbi gov). I had contacted them, as a
Canadian moderating the NTBugtraq mailing list (a significant
contributor to their monthly bulletins) in the hope that I could better
understand what they were trying to achieve (since InfraGard is
restricted to U.S. nationals). I'm all for helping anyone who wants to
try and do a better job of securing networks, but after reading the NIPC
web site (http://www.nipc.gov), I had serious misgivings about their
stance.

The first thing that became abundantly clear is that there is some
serious disorganization going on wrt InfraGard. The NIPC states it is
part of their Outreach program, and details its goals on their site.
However, the field agent implied that it was virtually wholly an FBI
Field Office program with little relationship to NIPC. Obviously I was
confused by this (as most would be).

To read the NIPC web site, you'd likely come away (as I did) with the
impression that InfraGard is intended to replace or supplant CERT, CIAC,
and other existing mechanisms for dealing with cybercrime, when it
relates to Infrastructure. Since Infrastructure could be as vast as
anyone cares to make it, it's pretty all-encompassing.

To hear the Field Agent's explanation (and that of numerous private and
public participants to InfraGard), InfraGard is merely a cooperative
effort between the FBI and "others" to put the FBI into a position to be
more effective in cyber-issues. They have no desire to thwart anything
that already exists, and would like to work with all for the benefit of
mankind...laudable.

My problem is that it's the NIPC which is getting the attention, and
therefore their stated goals for InfraGard that need to be
scrutinized. Meanwhile, in every discussion of InfraGard, you get all
these grass roots folks telling you how wonderful it is that the FBI has
finally decided to get themselves a clue.

I'm all for the FBI getting themselves better connected (if I have one
more Agent ask me for my fax number I think I'll scream!), and better
educated in the ways and wiles of cyberspace...but we must consider what
is happening in this process.

The consensus from folks who have had the FBI presentation and discussed
InfraGard involvement seems to be that you can pretty much decide for
yourself what you will or won't do, tell them, exchange with other
members. That seems reasonable enough...as long as it stays that way. Of
course there's a certain amount of trepidation over the idea that every
communication with them is potentially federal evidence, causing hosters
and comms companies to have to be careful over what they say for fear
they might give evidence against one of their customers in the process
of discussions with the FBI...but that's nothing new really.

The bigger issue, at least for me anyway, is the way the NIPC has
presented itself. People (e.g. Congressmen and Senators) might come away
with the impression that these folks are the best possible resource for
cybercrime info/stats/protection... Given that there has been no
concerted effort by the NIPC to involve itself in the existing scene,
and their staff is, um, lacking (something like, a Few Good Men, comes
to mind...) I'm hard pressed not to assert that their extremely tightly
focused view of things (that's being kind) can be downright harmful to
us all.

The Field Agent I spoke with stressed that they wanted to work in
cooperation with existing reporting mechanisms. InfraGard private
supporters stressed that they didn't expect InfraGard to provide them
with all their research info (meaning they'd continue to monitor other
sources for information), but they also said that InfraGard was
providing them with info they did not see elsewhere.

As I tried to explain to the Field Agent, this combination is a serious
threat to overall security.

If NIPC is successful in convincing its creators and funding sources that
it is, or can be, the be all and end all...

and...

if the Field Offices continue to provide information to the InfraGard
participants that is not disseminated publicly...

and...

if the InfraGard participants are in any way inhibited from sharing
InfraGard information with the public at large...

then...

the success of InfraGard could result in legislation that makes the
dissemination of security information even more restrictive if there is
a perceived benefit from sharing facts amongst a "private" group.

At a recent CERIAS workshop on Vulnerability Databases, we covered,
extensively, the issues surrounding disclosure and dissemination of
security information. There are numerous reasons why people who hold
such information choose not to distribute it openly. One of those
reasons, and a significant one, is the issue of liability. If I tell
you, and everyone, how to break into your machine, and you use that
information to break into a 3rd party's machine, I could be held liable.
Such case law may not be fully tested yet, but the fear of such
liability is a big inhibitor to the dissemination of vulnerability info.

The NIPC and the FBI, via InfraGard, have an unprecedented opportunity
to support the dissemination of security information openly and
publicly, and by doing so, provide a shelter to information sources from
liability. They are in the position to establish legislation that would
protect a discloser from prosecution when the dissemination is being
done in the interests of better security (which should, IMO, cover every
disclosure).

Obviously there are other disclosure liability issues which are not
directly addressed by the NIPC taking such a stance (Vendor A breaks an
NDA with Vendor B to disclose a bug in Vendor B's software to win market
share), but, if the NIPC and FBI are truly interested in enhancing the
pre-existing security information environment, this one step could
represent a significant step in the right direction. It would, again
IMO, also help to dispel the apprehensions some may have about the
entire program's tightly focused view.

Given how the facts and figures these groups come up with are likely to
permeate Congressional Hearings and become the basis for many
legislative decisions, it's imperative that we ensure they are not
permitted to generate them without sufficient scrutiny. As an entity
strictly for U.S. consumption, allowing involvement solely by U.S.
nationals and corporations, it's obvious that they are excluding numerous
individuals who could add value to their observations and information
that they spread amongst their participants.

Given the number of people they already intend on sharing this
information with (I was told numbers around 10,000 corporations, which
could be translated into 100's of 1000's of individuals), going a step
further and publishing the information to the public at large would,
IMO, make more sense. If they wish to restrict who can put information
into their distribution engine, fine, so be it, but at least if the
information is available to the general public, its value, accuracy, and
NIPC/FBI treatment, can be discussed openly in other forums (like most
other security info available today).

Without denigrating the benefit that some InfraGard participants believe
they will gain by its existence, its stated goals and implementation
should not be left as they are without realizing that in doing so, we
are/could be very easily, rolling back the obvious benefits that full
disclosure has brought.

To their credit, the FBI Field Office has asked me to speak at their
next meeting in June...to me an obvious sign that the Field Offices have
the right idea. I'm more worried about the Arlington crowd who may not
understand what their statements and actions are doing.

Cheers,
Russ - NTBugtraq moderator
http://ntbugtraq.ntadvice.com
Come to the 1st Annual NTBugtraq Canada Day Conference/Party!


