Firewall Wizards mailing list archives
RE: FBI's InfraGard
From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 29 Apr 1999 12:38:51 -0400
I recently was called by an FBI Field Agent in response to an email I sent to the two publicly available InfraGard addresses (infragard () fbi gov and nipc () fbi gov). I had contacted them, as a Canadian moderating the NTBugtraq mailing list (a significant contributor to their monthly bulletins) in the hope that I could better understand what they were trying to achieve (since InfraGard is restricted to U.S. nationals). I'm all for helping anyone who wants to try and do a better job of securing networks, but after reading the NIPC web site (http://www.nipc.gov), I had serious misgivings about their stance.

The first thing that became abundantly clear is that there is some serious disorganization going on wrt InfraGard. The NIPC states it is part of their Outreach program, and details its goals on their site. However, the field agent implied that it was virtually wholly an FBI Field Office program with little relationship to NIPC. Obviously I was confused by this (as most would be).

To read the NIPC web site, you'd likely come away (as I did) with the impression that InfraGard is intended to replace or supplant CERT, CIAC, and other existing mechanisms for dealing with cybercrime, when it relates to Infrastructure. Since Infrastructure could be as vast as anyone cares to make it, it's pretty all-encompassing.

To hear the Field Agent's explanation (and that of numerous private and public participants to InfraGard), InfraGard is merely a cooperative effort between the FBI and "others" to put the FBI into a position to be more effective in cyber-issues. They have no desire to thwart anything that already exists, and would like to work with all for the benefit of mankind...laudable.

My problem is that it's the NIPC which is getting the attention, and therefore their stated goals for InfraGard that need to be scrutinized.
Meanwhile, in every discussion of InfraGard, you get all these grass roots folks telling you how wonderful it is that the FBI has finally decided to get themselves a clue. I'm all for the FBI getting themselves better connected (if I have one more Agent ask me for my fax number I think I'll scream!), and better educated in the ways and wiles of cyberspace...but we must consider what is happening in this process.

The consensus from folks who have had the FBI presentation and discussed InfraGard involvement seems to be that you can pretty much decide for yourself what you will or won't do, tell them, exchange with other members. That seems reasonable enough...as long as it stays that way. Of course there's a certain amount of trepidation over the idea that every communication with them is potentially federal evidence, causing hosters and comms companies to have to be careful over what they say for fear they might give evidence against one of their customers in the process of discussions with the FBI...but that's nothing new really.

The bigger issue, at least for me anyway, is the way the NIPC has presented itself. People (e.g. Congressmen and Senators) might come away with the impression that these folks are the best possible resource for cybercrime info/stats/protection... Given that there has been no concerted effort by the NIPC to involve itself in the existing scene, and their staff is, um, lacking (something like, a Few Good Men, comes to mind...) I'm hard pressed not to assert that their extremely tightly focused view of things (that's being kind) can be downright harmful to us all.

The Field Agent I spoke with stressed that they wanted to work in cooperation with existing reporting mechanisms.
InfraGard private supporters stressed that they didn't expect InfraGard to provide them with all their research info (meaning they'd continue to monitor other sources for information), but they also said that InfraGard was providing them with info they did not see elsewhere. As I tried to explain to the Field Agent, this combination is a serious threat to overall security.

If NIPC is successful in convincing its creators and funding sources that it is, or can be, the be all and end all... and... if the Field Offices continue to provide information to the InfraGard participants that is not disseminated publicly... and... if the InfraGard participants are in any way inhibited from sharing InfraGard information with the public at large... then... the success of InfraGard could result in legislation that makes the dissemination of security information even more restrictive if there is a perceived benefit from sharing facts amongst a "private" group.

At a recent CERIAS workshop on Vulnerability Databases, we covered, extensively, the issues surrounding disclosure and dissemination of security information. There are numerous reasons why people who hold such information choose not to distribute it openly. One of those reasons, and a significant one, is the issue of liability. If I tell you, and everyone, how to break into your machine, and you use that information to break into a 3rd party's machine, I could be held liable. Such case law may not be fully tested yet, but the fear of such liability is a big inhibitor to the dissemination of vulnerability info.

The NIPC and the FBI, via InfraGard, have an unprecedented opportunity to support the dissemination of security information openly and publicly, and by doing so, provide a shelter to information sources from liability.
They are in the position to establish legislation that would protect a discloser from prosecution when the dissemination is being done in the interests of better security (which should, IMO, cover every disclosure). Obviously there are other disclosure liability issues which are not directly addressed by the NIPC taking such a stance (Vendor A breaks an NDA with Vendor B to disclose a bug in Vendor B's software to win market share), but, if the NIPC and FBI are truly interested in enhancing the pre-existing security information environment, this one step could represent a significant step in the right direction. It would, again IMO, also help to dispel the apprehensions some may have about the entire program's tightly focused view.

Given how the facts and figures these groups come up with are likely to permeate Congressional Hearings and become the basis for many legislative decisions, it's imperative that we ensure they are not permitted to generate them without sufficient scrutiny.

As an entity strictly for U.S. consumption, allowing involvement solely by U.S. nationals and corporations, it's obvious that they are excluding numerous individuals who could add value to their observations and information that they spread amongst their participants. Given the number of people they already intend on sharing this information with (I was told numbers around 10,000 corporations, which could be translated into 100's of 1000's of individuals), going a step further and publishing the information to the public at large would, IMO, make more sense. If they wish to restrict who can put information into their distribution engine, fine, so be it, but at least if the information is available to the general public its value, accuracy, and NIPC/FBI treatment, can be discussed openly in other forums (like most other security info available today).
Without denigrating the benefit that some InfraGard participants believe they will gain by its existence, its stated goals and implementation should not be left as they are without realizing that in doing so, we are/could be very easily, rolling back the obvious benefits that full disclosure has brought.

To their credit, the FBI Field Office has asked me to speak at their next meeting in June...to me an obvious sign that the Field Offices have the right idea. I'm more worried about the Arlington crowd who may not understand what their statements and actions are doing.

Cheers,
Russ - NTBugtraq moderator
http://ntbugtraq.ntadvice.com
Come to the 1st Annual NTBugtraq Canada Day Conference/Party!