IP: A report on the WHite House meeting by Gene Stafford

[Dave Farber <farber () cis upenn edu>]

> Date: Sat, 19 Feb 2000 12:59:48 -0500
> To: Dave Farber <farber () cis upenn edu>
> From: Gene Spafford <spaf () cerias purdue edu>
>
>
> Infosecurity at the White House
> Gene Spafford
>
> Prolog
>
> Last week (ca. 2/8/00), a massive distributed denial of service attack was 
> committed against a number of Internet businesses, including e-Bay, Yahoo, 
> Amazon.com, and others.   This was accomplished by breaking into hundreds 
> (thousands?) of poorly-secured machines around the net and installing 
> packet generation "slave" programs.   These programs respond by remote 
> control to send packets of various types to target hosts on the 
> network.  The resulting flood effectively shut those target systems out of 
> normal operation for periods ranging up to several hours.
>
> The press jumped all over this as if it was something terribly new (it 
> isn't -- experienced security researchers have known about this kind of 
> problem for many years) and awful (it can be, but wasn't as bad as they 
> make it out to be).   One estimate in one news source speculated that over 
> a billion dollars had been lost in lost revenue, downtime, and 
> preventative measures.  I'm skeptical of that, but it certainly is the 
> case that a significant loss occurred.
>
> Friday, Feb 11, I got a call from someone I know at OSTP (Office of 
> Science and Technology Policy) inquiring if I would be available to meet 
> with the President as part of a special meeting on Internet security.  I 
> said "yes."   I was not provided with a list of attendees or an 
> agenda.    Initially, I was told it would be a meeting of security 
> experts, major company CEOs, and some members of the Security Council, but 
> that was subject to change.
>
> The Meeting
>
> I arrived at the Old Executive Office Building prior to the meeting to 
> talk with some staff from OSTP.   These are the people who have been 
> working on the Critical Infrastructure issues for some time, along with 
> some in the National Security Council.   They really "get it" about the 
> complexity of the problem, and about academia's role and needs, and this 
> may be one reason why this was the first Presidential-level meeting on 
> information security that included academic faculty.
>
> After a few minutes, I was ushered into Dr. Neal Lane's office where we 
> spent about 15 minutes talking.   (As a scientist and polymath, I think 
> Lane has one of the more fascinating jobs in the Executive Branch: that of 
> Assistant to the President for Science and Technology  and  Director of 
> OSTP .   For instance, on his table he had some great photos of the Eros 
> asteroid that had been taken the day before.)   We then decided to walk 
> over to the White House (next door) where we joined the other attendees 
> who were waiting in a lobby area.
>
> Eventually, we were all escorted upstairs to the Cabinet Room.  It was a 
> tight fit, as there were over 30 of us, staff and guests (invitee list at 
> the end).   We then spent a half hour mingling and chatting.  There were a 
> lot of people I didn't know, but that's because normally I don't get to 
> talk to CEOs.  Most notably, there were people present from several CERIAS 
> sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, 
> Cisco).  I also (finally!) got to meet Prof. David Farber in 
> person.  We've "known" each other electronically for a long time, but this 
> was our first in-person meeting.
>
> After a while, some more of the government folk joined the group: Attorney 
> General Reno; Commerce Secretary Daley; Richard Clarke, the National 
> Coordinator for Security, Infrastructure Protection and Counter-terrorism; 
> and others.   After some more mingling, I deduced the President was about 
> to arrive -- several Secret Service agents walked through the room giving 
> everyone a once-over.   Then, without any announcement or fanfare, the 
> President came into the room along with John Podesta, his chief of staff.
>
> President Clinton worked his way around the room, shaking everyone's hand 
> and saying "hello."  He has a firm handshake.  In person, he looks thinner 
> than I expected, and is not quite as tall as I expected, either.
>
> We all then sat down at assigned places.   I had the chair directly 
> opposite the President.  Normally, it is the chair of the Secretary of 
> State.   To my left was Whit Diffie of Sun, and to my right was John 
> Podesta.   I was actually surprised that I had a seat at the table instead 
> of in the "overflow" seats around the room.
>
> The press was then let into the room.  It was quite a mass.   The 
> President made a statement, as did Peter Solvik of Cisco.  The press then 
> asked several questions (including one about oil prices that had nothing 
> to do with the meeting).   Then, they were ushered out and the meeting began.
>
> The President asked a few individuals (Podesta, Daley, Reno, Pethia, 
> Noonan) to make statements on behalf of a particular segment of industry 
> of government, and then opened it up for discussion.   The next hour went 
> by pretty quickly.  Throughout, the President listened carefully, and 
> seemed really involved in the discussion.  He asked several follow-up 
> questions to things, and steered the discussion back on course a few 
> times.  He followed the issues quite well, and asked some good follow-up 
> questions.
>
> During the discussion, I made two short comments.  The first was about how 
> it was important that business and government get past using cost as the 
> primary deciding factor in acquiring computer systems, because quality and 
> safety were important.  I went on to say  that it was important to start 
> holding managers and owners accountable when their systems failed because 
> of well-known problems.   I observed that if the government could set a 
> good example in these regards, others might well follow.
>
> My second comment was on the fact that everyone was talking about 
> "business and government" at the meeting but that there were other 
> players, and that academia in particular could play an important part in 
> this whole situation in cooperation with everyone else.    After all, 
> academia is where much of the research gets done, and where the next 
> generation of leaders, researchers, and businesspeople are coming from!
>
> Overall, the bulk of the comments and interchange were reasoned and 
> polite.  I only remember two people making extreme comments (to which the 
> rest of us gave polite silence or objections); I won't identify the people 
> here, but neither were CERIAS sponsors :-).   One person claimed that we 
> were in a crisis and more restrictions should be placed on publishing 
> vulnerability information, and the other was about how the government 
> should fund "hackers" to do more offensive experimentation to help protect 
> systems.    My summary of the major comments and conclusions is included 
> below.
>
> After considerable discussion, the meeting concluded with Dick Clarke 
> reminding everyone that the President had submitted a budget to Congress 
> with a number of new and continuing initiatives in information security 
> and cybercrime investigation, and it would be up to Congress to provide 
> the follow-through on these items.
>
> We then broke up the meeting, and the President spent a little more time 
> shaking hands and talking with people present.   Buddy (his dog) somehow 
> got into the room and "met" several of us, too  -- I got head-butt in the 
> side of my leg as he went by. :-)  The official photographer got a picture 
> of the President shaking my hand again.
>
> The President commented to Vint Cerf how amazed he was that the group had 
> been so well-behaved --- we listened to each other, no one made long 
> rambling speeches, and there was very little posturing going 
> on.  Apparently, similar groups from other areas are quite noisy and 
> contentious.
>
> We (the invitees) then went outside where there was a large crowd of the 
> press.   Several of us made short statements, and then broke up into 
> groups for separate interviews.    After that was done, I left and 
> returned home to teach class on Wednesday.
>
> My interview with the local news station didn't make it on the 6pm news, 
> and all the print accounts seemed make a big deal of the fact that "Mudge" 
> was at the meeting.   Oh well, I thought "Spaf" was a way-cool "handle", 
> better than "Mudge" but it doesn't go over as well with the press for some 
> reason.  I'll have to find some other way to develop a following of 
> groupies. :-)
>
> On Friday, I was back in DC at the White House conference center to 
> participate in a working session with the PCAST (President's Committee of 
> Advisors on Science & Technology) to discuss the structure and 
> organization of the President's proposed Institute for Information 
> Infrastructure  Protection.   This will have a projected budget of $50 
> million per year.   CERIAS is already doing a significant part of what the 
> IIIP is supposed to address (but at a smaller scale).  Thus, we may have a 
> role to play in that organization, as will (I hope) many of the other 
> established infosec centers.  The outcome of that meeting was that the 
> participants are going to draft some "strawman" documents on the proposed 
> IIIP organization for consideration.   I am unsure whether this is 
> significant progress or not.
>
> Outcomes
>
> I didn't enter the meeting with any particular expectations. However, I 
> was pleasantly surprised at the sense of cooperation that permeated the 
> meeting.    I don't think we solved any problems, or even set an agenda of 
> exactly what to do.   There was a clear sense of resistance from the 
> industry participants to any major changes in regulations or Internet 
> structure.  In fact, most of the companies represented did not send CEOs 
> so that (allegedly) there would be no one there who could make a solid 
> commitment for their firms should the President press for some action.
>
> Nonetheless, there were issues discussed, some subsets of those present 
> did agree to meet and pursue particular courses of action, and we were 
> reminded about the President's info protection plan.  To be fair, this is 
> an area that has been getting attention from the Executive Branch for 
> several years, so this whole event shouldn't be seen as a sudden reaction 
> to specific events.   Rather, from the PCCIP on, there has been concern 
> and awareness of the importance of these issues.   This was simply good 
> timing for the President to again demonstrate his concern, and remind 
> people of the national plan that was recently released.
>
> I came away from the meeting with the feeling that a small, positive step 
> had been made.   Most importantly, the President had made it clear that 
> information security is an area of national importance and that it is 
> taken seriously by him and his administration.   By having Dave Farber and 
> myself there, he had also made a statement to the industry people present 
> that his administration takes the academic community seriously in this 
> area.  (Whether many of the industry people got that message -- or care -- 
> remains to be seen.)
>
> I recall that there were about 7 major points made that no one disputed:
>   1)  The Internet is international in scope, and most of the companies 
> present have international operations.   Thus, we must continue to think 
> globally.   US laws and policies won't be enough to address all our problems.
>   2) Privacy is a big concern for individuals and companies 
> alike.  Security concerns should not result in new rules or mechanisms 
> that result in significant losses of privacy.
>   3) Good administration and security hygiene are critical.   The 
> problems of the previous week were caused by many sites (including, 
> allegedly, some government sites) being compromised because they were not 
> maintained and monitored.    This, more than any perceived weakness in 
> the Internet, led to the denial of service.
>   4) There is a great deal of research that yet needs to be done.
>   5) There are not enough trained personnel to deal with all our security 
> needs.
>   6) Government needs to set a good example for everyone else, by using 
> good security, employing standard security tools, installing patches, and 
> otherwise practicing good infosec.
>   7) Rather than new structure or regulation, broadly-based cooperation 
> and information sharing is the near-term approach best suited to solving 
> these kinds of problems.
>
> Let's see what happens next.  I hope there is good follow-though by some 
> of the parties in attendance, both within and outside government.
>
> Miscellany
>
> Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list 
> of near-term actions that sites can implement to help prevent a recurrence 
> of the DDOS problems.  Alan is going to coordinate input from a number of 
> industry people, and then we will publicize this widely.   It isn't an 
> agenda for research or long-term change, but we believe it can provide a 
> concrete set of initial steps.   This may serve as a good model for future 
> such collaborative activities.
>
> I was asked by several people if I was nervous.   Actually, no.    I've 
> been on national television many times, and I've spoken before crowds of 
> nearly a thousand people.   Actually, *he* should have been nervous -- I 
> have tenure, and he clearly does not. :-)
>
> The model we have at CERIAS with the partnership of industry and academia 
> is exactly what is needed right now.  Our challenge is to find some ways 
> to solve our faculty needs and space shortage.  In every other way, we're 
> ideally positioned to continue to make a big difference in the coming years.
>
> Of the 29 invited guests, there was only one woman and one member of a 
> traditional minority.    I wonder how many of the people in the room 
> didn't even notice?
>
> Attendees
>
> Douglas F. Busch
> Vice President of Information Technology, Intel
>
> Clarence Chandran
> President, Service Provider & Carrier Group, Nortel Networks
>
> Vinton Cerf
> Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom
>
> Christos Costakos
> Chief Executive Officer, E-Trade Group, Inc.
>
> Jim Dempsey
> Senior Staff Counsel, Center for Democracy and Technology
>
> Whitfield Diffie
> Corporate Information Officer, Sun Microsystems
>
> Nick Donofrio
> Senior Vice President and Group Executive, Technology & Manufacturing, IBM
>
> Dave Farber
> University of  Pennsylvania
>
> Elliot Gerson
> Chief Executive Officer, Lifescape.com
>
> Adam Grosser
> President, Subscriber Networks, >President, Subscriber Networks, Excite@home
>
> Stephen Kent
> BBN Technologies (GTE)
>
> David Langstaff
> Chairman and Chief Executive Officer, Veridan
>
> Michael McConnell
> Booz-Allen
>
> Mary Jane McKeever
> Senior Vice President, World Markets, AT&T
>
> Roberto Medrano
> Senior Vice President, Hewlett Packard
>
> Harris N. Miller
> President, Information Technology Association of  America (ITAA)
>
> Terry Milholland
> Chief Information Officer, EDS
>
> Tom Noonan
> Internet Security Systems (ISS)
>
> Ray Oglethorpe
> President, AOL Technologies, America Online
>
> Allan Paller
> Chairman, SANS Institute
>
> Rich Pethia
> CERT/CC, SEI at Carnegie-Mellon University
>
> Geoff Ralston
> Vice President for Engineering, Yahoo!
>
> Howard Schmidt
> Chief Information Security Officer, Microsoft
>
> Peter Solvik
> Chief Information Officer, Cisco Systems
>
> Gene Spafford
> CERIAS at Purdue University
>
> David Starr
> Chief Information Officer, 3Com
>
> Charles Wang
> Chief Executive Officer, Computer Associates International
>
> Maynard Webb
> President, Ebay
>
> Peiter Zatko a.k.a. "Mudge"
> @stake
>
> </blockquote></x-html>