Subject: IP: A report on the White House meeting by Gene Spafford
>Date: Sat, 19 Feb 2000 12:59:48 -0500
>To: Dave Farber <farber@cis.upenn.edu>
>From: Gene Spafford <spaf@cerias.purdue.edu>
>
>Infosecurity at the White House
>Gene Spafford
>
>Prolog
>
>Last week (ca. 2/8/00), a massive distributed denial of service attack was committed against a number of Internet businesses, including e-Bay, Yahoo, Amazon.com, and others. This was accomplished by breaking into hundreds (thousands?) of poorly-secured machines around the net and installing packet generation "slave" programs. These programs respond by remote control to send packets of various types to target hosts on the network. The resulting flood effectively shut those target systems out of normal operation for periods ranging up to several hours.
>
>The press jumped all over this as if it was something terribly new (it isn't -- experienced security researchers have known about this kind of problem for many years) and awful (it can be, but wasn't as bad as they make it out to be). One estimate in one news source speculated that over a billion dollars had been lost in lost revenue, downtime, and preventative measures. I'm skeptical of that, but it certainly is the case that a significant loss occurred.
>
>Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science and Technology Policy) inquiring if I would be available to meet with the President as part of a special meeting on Internet security. I said "yes." I was not provided with a list of attendees or an agenda. Initially, I was told it would be a meeting of security experts, major company CEOs, and some members of the Security Council, but that was subject to change.
>
>The Meeting
>
>I arrived at the Old Executive Office Building prior to the meeting to talk with some staff from OSTP. These are the people who have been working on the Critical Infrastructure issues for some time, along with some in the National Security Council. They really "get it" about the complexity of the problem, and about academia's role and needs, and this may be one reason why this was the first Presidential-level meeting on information security that included academic faculty.
>
>After a few minutes, I was ushered into Dr. Neal Lane's office where we spent about 15 minutes talking. (As a scientist and polymath, I think Lane has one of the more fascinating jobs in the Executive Branch: that of Assistant to the President for Science and Technology and Director of OSTP. For instance, on his table he had some great photos of the Eros asteroid that had been taken the day before.) We then decided to walk over to the White House (next door) where we joined the other attendees who were waiting in a lobby area.
>
>Eventually, we were all escorted upstairs to the Cabinet Room. It was a tight fit, as there were over 30 of us, staff and guests (invitee list at the end). We then spent a half hour mingling and chatting. There were a lot of people I didn't know, but that's because normally I don't get to talk to CEOs. Most notably, there were people present from several CERIAS sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, Cisco). I also (finally!) got to meet Prof. David Farber in person. We've "known" each other electronically for a long time, but this was our first in-person meeting.
>
>After a while, some more of the government folk joined the group: Attorney General Reno; Commerce Secretary Daley; Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counter-terrorism; and others. After some more mingling, I deduced the President was about to arrive -- several Secret Service agents walked through the room giving everyone a once-over. Then, without any announcement or fanfare, the President came into the room along with John Podesta, his chief of staff.
>
>President Clinton worked his way around the room, shaking everyone's hand and saying "hello." He has a firm handshake. In person, he looks thinner than I expected, and is not quite as tall as I expected, either.
>
>We all then sat down at assigned places. I had the chair directly opposite the President. Normally, it is the chair of the Secretary of State. To my left was Whit Diffie of Sun, and to my right was John Podesta. I was actually surprised that I had a seat at the table instead of in the "overflow" seats around the room.
>
>The press was then let into the room. It was quite a mass. The President made a statement, as did Peter Solvik of Cisco. The press then asked several questions (including one about oil prices that had nothing to do with the meeting). Then, they were ushered out and the meeting began.
>
>The President asked a few individuals (Podesta, Daley, Reno, Pethia, Noonan) to make statements on behalf of a particular segment of industry or government, and then opened it up for discussion. The next hour went by pretty quickly. Throughout, the President listened carefully, and seemed really involved in the discussion. He asked several follow-up questions to things, and steered the discussion back on course a few times. He followed the issues quite well, and asked some good follow-up questions.
>
>During the discussion, I made two short comments. The first was about how it was important that business and government get past using cost as the primary deciding factor in acquiring computer systems, because quality and safety were important. I went on to say that it was important to start holding managers and owners accountable when their systems failed because of well-known problems. I observed that if the government could set a good example in these regards, others might well follow.
>
>My second comment was on the fact that everyone was talking about "business and government" at the meeting but that there were other players, and that academia in particular could play an important part in this whole situation in cooperation with everyone else. After all, academia is where much of the research gets done, and where the next generation of leaders, researchers, and businesspeople are coming from!
>
>Overall, the bulk of the comments and interchange were reasoned and polite. I only remember two people making extreme comments (to which the rest of us gave polite silence or objections); I won't identify the people here, but neither were CERIAS sponsors :-). One person claimed that we were in a crisis and more restrictions should be placed on publishing vulnerability information, and the other was about how the government should fund "hackers" to do more offensive experimentation to help protect systems. My summary of the major comments and conclusions is included below.
>
>After considerable discussion, the meeting concluded with Dick Clarke reminding everyone that the President had submitted a budget to Congress with a number of new and continuing initiatives in information security and cybercrime investigation, and it would be up to Congress to provide the follow-through on these items.
>
>We then broke up the meeting, and the President spent a little more time shaking hands and talking with people present. Buddy (his dog) somehow got into the room and "met" several of us, too -- I got head-butted in the side of my leg as he went by. :-) The official photographer got a picture of the President shaking my hand again.
>
>The President commented to Vint Cerf how amazed he was that the group had been so well-behaved -- we listened to each other, no one made long rambling speeches, and there was very little posturing going on. Apparently, similar groups from other areas are quite noisy and contentious.
>
>We (the invitees) then went outside where there was a large crowd of the press. Several of us made short statements, and then broke up into groups for separate interviews. After that was done, I left and returned home to teach class on Wednesday.
>
>My interview with the local news station didn't make it on the 6pm news, and all the print accounts seemed to make a big deal of the fact that "Mudge" was at the meeting. Oh well, I thought "Spaf" was a way-cool "handle", better than "Mudge" but it doesn't go over as well with the press for some reason. I'll have to find some other way to develop a following of groupies. :-)
>
>On Friday, I was back in DC at the White House conference center to participate in a working session with the PCAST (President's Committee of Advisors on Science & Technology) to discuss the structure and organization of the President's proposed Institute for Information Infrastructure Protection. This will have a projected budget of $50 million per year. CERIAS is already doing a significant part of what the IIIP is supposed to address (but at a smaller scale). Thus, we may have a role to play in that organization, as will (I hope) many of the other established infosec centers. The outcome of that meeting was that the participants are going to draft some "strawman" documents on the proposed IIIP organization for consideration. I am unsure whether this is significant progress or not.
>
>Outcomes
>
>I didn't enter the meeting with any particular expectations. However, I was pleasantly surprised at the sense of cooperation that permeated the meeting. I don't think we solved any problems, or even set an agenda of exactly what to do. There was a clear sense of resistance from the industry participants to any major changes in regulations or Internet structure. In fact, most of the companies represented did not send CEOs so that (allegedly) there would be no one there who could make a solid commitment for their firms should the President press for some action.
>
>Nonetheless, there were issues discussed, some subsets of those present did agree to meet and pursue particular courses of action, and we were reminded about the President's info protection plan. To be fair, this is an area that has been getting attention from the Executive Branch for several years, so this whole event shouldn't be seen as a sudden reaction to specific events. Rather, from the PCCIP on, there has been concern and awareness of the importance of these issues. This was simply good timing for the President to again demonstrate his concern, and remind people of the national plan that was recently released.
>
>I came away from the meeting with the feeling that a small, positive step had been made. Most importantly, the President had made it clear that information security is an area of national importance and that it is taken seriously by him and his administration. By having Dave Farber and myself there, he had also made a statement to the industry people present that his administration takes the academic community seriously in this area. (Whether many of the industry people got that message -- or care -- remains to be seen.)
>
>I recall that there were about 7 major points made that no one disputed:
> 1) The Internet is international in scope, and most of the companies present have international operations. Thus, we must continue to think globally. US laws and policies won't be enough to address all our problems.
> 2) Privacy is a big concern for individuals and companies alike. Security concerns should not result in new rules or mechanisms that result in significant losses of privacy.
> 3) Good administration and security hygiene are critical. The problems of the previous week were caused by many sites (including, allegedly, some government sites) being compromised because they were not maintained and monitored. This, more than any perceived weakness in the Internet, led to the denial of service.
> 4) There is a great deal of research that yet needs to be done.
> 5) There are not enough trained personnel to deal with all our security needs.
> 6) Government needs to set a good example for everyone else, by using good security, employing standard security tools, installing patches, and otherwise practicing good infosec.
> 7) Rather than new structure or regulation, broadly-based cooperation and information sharing is the near-term approach best suited to solving these kinds of problems.
>
>Let's see what happens next. I hope there is good follow-through by some of the parties in attendance, both within and outside government.
>
>Miscellany
>
>Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list of near-term actions that sites can implement to help prevent a recurrence of the DDOS problems. Alan is going to coordinate input from a number of industry people, and then we will publicize this widely. It isn't an agenda for research or long-term change, but we believe it can provide a concrete set of initial steps. This may serve as a good model for future such collaborative activities.
>
>I was asked by several people if I was nervous. Actually, no. I've been on national television many times, and I've spoken before crowds of nearly a thousand people. Actually, *he* should have been nervous -- I have tenure, and he clearly does not. :-)
>
>The model we have at CERIAS with the partnership of industry and academia is exactly what is needed right now. Our challenge is to find some ways to solve our faculty needs and space shortage. In every other way, we're ideally positioned to continue to make a big difference in the coming years.
>
>Of the 29 invited guests, there was only one woman and one member of a traditional minority. I wonder how many of the people in the room didn't even notice?
>
>Attendees
>
>Douglas F. Busch
>Vice President of Information Technology, Intel
>
>Clarence Chandran
>President, Service Provider & Carrier Group, Nortel Networks
>
>Vinton Cerf
>Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom
>
>Christos Cotsakos
>Chief Executive Officer, E-Trade Group, Inc.
>
>Jim Dempsey
>Senior Staff Counsel, Center for Democracy and Technology
>
>Whitfield Diffie
>Corporate Information Officer, Sun Microsystems
>
>Nick Donofrio
>Senior Vice President and Group Executive, Technology & Manufacturing, IBM
>
>Dave Farber
>University of Pennsylvania
>
>Elliot Gerson
>Chief Executive Officer, Lifescape.com
>
>Adam Grosser
>President, Subscriber Networks, Excite@home
>
>Stephen Kent
>BBN Technologies (GTE)
>
>David Langstaff
>Chairman and Chief Executive Officer, Veridian
>
>Michael McConnell
>Booz-Allen
>
>Mary Jane McKeever
>Senior Vice President, World Markets, AT&T
>
>Roberto Medrano
>Senior Vice President, Hewlett Packard
>
>Harris N. Miller
>President, Information Technology Association of America (ITAA)
>
>Terry Milholland
>Chief Information Officer, EDS
>
>Tom Noonan
>Internet Security Systems (ISS)
>
>Ray Oglethorpe
>President, AOL Technologies, America Online
>
>Alan Paller
>Chairman, SANS Institute
>
>Rich Pethia
>CERT/CC, SEI at Carnegie-Mellon University
>
>Geoff Ralston
>Vice President for Engineering, Yahoo!
>
>Howard Schmidt
>Chief Information Security Officer, Microsoft
>
>Peter Solvik
>Chief Information Officer, Cisco Systems
>
>Gene Spafford
>CERIAS at Purdue University
>
>David Starr
>Chief Information Officer, 3Com
>
>Charles Wang
>Chief Executive Officer, Computer Associates International
>
>Maynard Webb
>President, Ebay
>
>Peiter Zatko a.k.a. "Mudge"
>@stake