CYBER PREPAREDNESS

THROUGH INFORMATION
SHARING

William F. Pelgrin
Krista Montie

“Without disclosure, there is no truth. Without truth,

there is no accountability.”
- Richard Thieme

The information revolution, as many have coined it, has significantly

changed our lives forever. However, the word “revolution” is badly
chosen: there wasn’t a rebellion, a revolt or an uprising. It wasn’t a
hostile takeover – well at least not for most of us. It was more of a
transformation. If we think back just a decade ago, very few of us
even knew anything about this thing called “the Internet.” The “World
Wide Web” was nothing more than a sci-fi concept to most of us. But
here we are none the less, totally connected to each other through this
technology. This “revolution” occurred over a surprisingly short span
of time and has reached astounding proportions, whose limits are not
yet realized. Who among us could have comprehended the role the
Internet would play in our lives?

This information technology transformation has had a tremendous

impact (both positive and negative) on our culture. Some of the pos-
itive impacts include faster and more efficient ways to communicate,
conduct business and provide services. The negative impacts occur
when information technology is misused and mismanaged. The
impact is not only economic, which is staggering, but also societal.
The free flow of information available via the Internet, coupled with
the perceived anonymity of Internet use, contributes to a loss of a true
sense of what is right and wrong in the digital age. At one end of the
spectrum, we live in a time when some children believe it is not only
fair, but in fact their right, to download copyrighted music and a time
1
when some teenagers believe it is a rite of passage to be a scriptkiddie. ed used slow, dial-up connections. In today’s environment the home
user can and does have the computing power, and high speed connec-
At the other end of the spectrum, we also live in a time when we must tions, that were once only affordable to the largest of corporations and
recognize that there may be some individuals who wish to use cyber- universities. The home user is now becoming a target for a hacker.
space for malicious purposes. Cyber terror is no longer a hypothetical Compounding this vulnerability of the home user is the fact that,
premise. We must treat the threats as real. unfortunately, a high percentage of home users are unprotected by
antivirus software or basic firewalls. Given the broadband connection
analogy, it is as if the lights are on in your home, the door is open, and
IF YOU THINK YOU ARE SECURE, THEN YOU ARE NOT SAFE no one is there to protect your privacy or valuable possessions.

However, there are those who claim that cyber security advocates are In addition to the vulnerability of the home user, we also need to focus
doomsayers who delight in trying to convince us that “the sky is attention on the private sector, including those small businesses that
falling.” Or they claim that cyber threats are nothing more than fic- may not have the resources or expertise for enhanced cyber security
tion dreamed up by security vendors trying to instill fear in consumers programs. Because we are all connected through cyberspace, we are
in order to sell more products. The nay-sayers point to the fact that only as strong as our weakest link. We must ensure that the links are
there hasn’t been a “Digital Pearl Harbor” and therefore cyber solid in both the public and private sectors.
terror/threats must be all hype. But remember, pre-September 11th,
most Americans would have thought the same thing about the possi- While we haven’t yet seen the Digital Pearl Harbor, the opening
bility of false IDs, box cutters, and airplanes being used as a weapons salvos have been fired. The recent and constant rash of worms and
of mass destruction. viruses, as well as breaches into cyber systems throughout the world,
is sobering evidence that the damage is real, and that the time for talk
For most adult Americans, we did not grow up as part of the comput- is over. It is time to act. Only through true collaboration and coordi-
er generation; therefore, it is hard to argue with the apparent logic of nation can we be successful in our efforts to achieve readiness and
the statement that cyber warfare is not real. Especially since for most resilience. Sharing is the key.
of us, it is difficult to understand this new world called “cyber.” Part
of the reason is because a cyber attack is so amorphous that it is dif- Cyber attacks can have the same devastating impact as a more tradi-
ficult to put our arms—let alone our minds—around the concept. Just tional physical attack and are occurring at an increasing frequency.
think about it: we don’t know where the cyber attack will come from Whether cyber incidents are man-made—intentional or inadvertent—
– cyber knows no geographic boundary; we don’t know who will or a result of a natural disaster, a cyber impact to our critical infra-
launch the attack – it could come from a twelve year old scriptkiddie structure can be devastating.
or a terrorist; and we don’t know who or what the target will be—
home users, businesses, or governments. In 2003 alone, there were 137,529 cyber security incidents reported to
Carnegie Mellon CERT Coordination Center. The costs associated
The frightening thing is that in some cases we can be a victim of an with cyber incidents vary and are often difficult to measure. In the
attack and never know. It used to be that hacker targets were aimed 2003 CSI/FBI Computer Crime and Security Survey, 75 percent of
primarily at big entities, such as large corporations and universities— survey respondents acknowledged financial losses, but only 47per-
those with the large computing power. Breaking into a home user’s cent could quantify the losses. The Computer Economics Institute
PC didn’t make much sense a decade ago, since the home user’s com- estimates that the worldwide financial impact of major virus attacks
puter did not have much power, and the few users who were connect- alone is $13.5 billion for 2003. Others put that figure even higher.

2 3
While the number and financial impact of cyber incidents seem high, not do this alone. However, the interdependencies that draw us togeth-
it is really just the tip of the iceberg, as only an estimated 20percent er are also the things that push us apart, thereby potentially impeding
of all incidents get reported. What about the other 80percent? Why our ability to share. Fear of competitive edge, loss of confidence, loss
weren’t they reported? of market share, and concerns regarding liability are just a few artic-
ulated reasons for not sharing.
For the most part it is because we don’t share information. The culture
of cyberspace is such that if you are breached, you don’t tell. There There are also legal hurdles to true information sharing. Anti-trust,
are fiscal, political, social, and selfish reasons not to tell. indemnification, and freedom of information laws can be problemat-
Additionally, for those who have been the victim of a breach, myriad ic even where you have willing partners who want to share.
emotions set in — a sense of being violated, feeling embarrassed, or
feeling guilty that it was somehow “my fault.” There are no clear and easy answers, but we must work collectively
to find the solutions. The worst action we could take is no action at
The atmosphere of shameful secrecy that “I’ve been breached, but I all. Together we can overcome the barriers. We must act now and
can’t tell anyone” has to give way to an atmosphere of sharing. This begin meaningful sharing. We don’t have a nanosecond to waste; we
will take a major shift in our culture. But we can’t be thwarted by the must quickly seek out best practices and solutions and develop a
size of our ultimate goal to be better prepared. We must build our viable agenda to address the issues.
resilience as we go—one step at a time.
Cyber security awareness must become ingrained in each of us, and it
IT’S THE STARTS THAT STOP MOST PEOPLE must become as second nature as buckling a seatbelt.

In order to modify this culture and effectuate true, long-reaching

change, we must build an environment of trust, collaboration and coop- WHAT’S THE RUSH? WHY MUST WE BE SO
eration. It is critical that if we are going to be successful in our fight CONCERNED?
against cyber warfare, the “white hats” have to coalesce to stay one step
ahead of the “black hats.”
There are five reasons why we should be concerned about the risk
The main reasons to share information are to reduce the risk of an inci- posed by cyber attacks:
dent to others and to respond to an incident that is occurring by mitigat-
ing its potential impact. One of the challenges in sharing information is •Cyber attacks can originate from anywhere;
the need to balance the distribution of information to appropriate trust-
ed parties while at the same time keeping it out of the wrong hands. •There is a perceived sense of anonymity;
Another key challenge is developing a trusted environment where •The technology to launch such cyber attacks is relatively
information flow can occur in a timely and effective manner. But even inexpensive and widely available;
if this conducive reporting structure is created, what do you share, to
whom, and when? There is so much information available that if •Sophisticated computer expertise is no longer necessary;
everything were shared, it would result in extreme overload.
•The rate of infection is increasing exponentially; and
None of us can approach cyber security in a vacuum: we simply can-

4 5
 •The mean time to exploit is decreasing rapidly. Regardless of where the attacks originate, or the motivation of the
originator, we must be on guard for vulnerability and risk both inter-
CYBER ATTACKS CAN ORIGINATE FROM ANYWHERE nally and externally. Internal security requirements must be estab-
lished and enforced, and our interdependencies and connections with
We don’t need to look to other parts of the world to find cyber crimi- external environments must be protected.
nals. Some studies indicate that much of the cyber attack activity orig-
inates from the United States (see figure below for one example). THERE IS A PERCEIVED SENSE OF ANONYMITY
However, the statistics may not be telling the complete story, as it is
often difficult to determine the true source of origin. Cyber incidents know no geographic boundaries. Every second,
someone is probing your network or your computer. The din is so loud
and has been so constant that cyber security experts now filter out this
noise as “expected” and concentrate on more anomalous activity. Will
Figure 1 the bar continually be raised as to what is anomalous or of concern?
Top Ten Attack Sources
Six Months Ending June 2003 While I am not aware of any supporting empirical data, I strongly
believe that because of the perceived anonymity of cyberspace, some
Rank Country Percent of Total individuals involve themselves in malicious cyber activity who would
not otherwise do so.
1 United States 51%

2 China 5% THE TECHNOLOGY REQUIRED TO LAUNCH ATTACKS IS RELATIVELY

INEXPENSIVE AND WIDELY AVAILABLE
3 Germany 5%
The tools required by hackers are readily available. A quick tour
4 South Korea 4% through the Internet reveals a plethora of hacker “starter kits” which
provide the resources needed to do damage.
5 Canada 4%

6 France 3% SOPHISTICATED COMPUTER EXPERTISE IS NO LONGER NECESSARY

7 Great Britain 2% Not only can hackers readily find the tools they need, as noted above,
but those tools are becoming increasingly easy to use. Thus, the level
8 Netherlands 2%
of sophistication of an attack that a hacker can achieve is increasing
9 Japan 2% greatly, while the knowledge required to launch these attacks is
decreasing. It’s so easy that even I could do it.
10 Italy 2%

In addition to the recognition that cyber events can originate from

anywhere, including inside our borders, one must also be as con-
cerned about the fact that malicious cyber attacks can occur from
inside an organization.

6 7
 •Klez (April 2002): Surfaced and was still a major threat
a year later, representing 34.3percent of all attacks world-
wide.5

•Slammer (January 2003): Affected servers running

Microsoft software that had not been updated with a patch
- issued months prior - to fix the vulnerability. Slammer
took down ATM machines for a major bank, disrupted 911
emergency services in Seattle, shut down certain systems
within Houston International Airport, hindered the opera-
tions of hundreds of thousands of computers and slowed
Internet traffic. Slammer peaked in just three minutes, at
which point it was scanning 55 million targets per second.6

•SoBig.F (August 2003): Accounted for one out of every

17 e-mail messages,7 and infected 200 million email mes-
sages across the Internet during its first week of activity.8

• MyDoom (January 2004): Accounted for approximately

one in every 12 messages.9 Approximately 20 to 30per-
THE RATE OF INFECTION IS INCREASING EXPONENTIALLY cent of all worldwide emails were infected with
MyDoom10, and estimates indicate it is the most expensive
We have seen a rapid progression in the rate of worm and virus infec- computer virus ever.11
tions. In 2001, Code Red infected more than 350,000 devices in less
than fourteen hours, spanning the globe. Two years later, in January At this rate of propagation, it becomes an ever-increasing challenge to
2003, Slammer dwarfed Code Red’s rate exponentially by infecting take evasive actions before you get hit with an infection. This situation
90percent of all vulnerable servers worldwide within ten minutes.1 In cries out for all of us to deploy intrusion prevention in addition to
August 2003, SoBIG.F became the fastest spreading worm, and held intrusion detection.
this title until January 2004, when MyDoom claimed the title.
THE MEAN TIME TO EXPLOIT IS DECREASING RAPIDLY
The threats—and the resulting damage—are real:
Not only are worms and viruses spreading at an alarming rate, the
•Code Red (July 2001): Infected 359,000 devices in less mean time to exploit is decreasing. By the time the software patch is
than 14 hours. It spread at a rate of 2,000 devices a minute released, some hacker has developed a program to take advantage of
at its peak.2 It is estimated the worldwide cost of Code the vulnerability. Again, as with the increased rate of propagation, the
Red was $2.62 billion.3 decrease in mean time exacerbates our ability to take defensive maneu-
vers to patch or block the attack.
•NIMDA (September 2001): Infected more than 2.2 mil-
lion servers and PCs in a 24 hour period.4 Mean Time to Exploit is Decreasing

8 9
 public and private sectors to facilitate true information
sharing;

•Expanding security awareness to wider audiences

including home users;

•Employing more preventative methodologies and auto-

mated technologies such as patch management tools;

•Building language into vendor contracts to enforce good

security practices;

•Expanding the use of intrusion detection and intrusion

prevention technologies;

•Employing stronger, enforceable security policies and

procedures;

Chart courtesy of P. Elias •Fostering stronger relationships with software vendors to

facilitate timely notification; and
We cannot rely on the fact that these exploits will never occur concur-
rently. Don’t forget about that one tough week in August 2003. In that •Requiring greater responsibility of vendors to fix vulner-
week we were hit with Lovsan,W32/MSBlaster, SoBig.F and abilities before they can be exploited.
Welchia/ Nachi. No matter how bad that week was, we were all for-
tunate that these worms did not carry a malicious payload.
The remainder of this paper will address the first bullet which, in my
How long before we see multiple malicious attacks? Will they coin- opinion, is one of the most essential if we are going to be as prepared
cide with physical attacks? Will they attempt to thwart our response and resilient as we collectively can be.
to a physical attack?
STRONG COLLABORATION WITH THE PRIVATE SECTOR
WHAT CAN WE DO TO CONTINUE TO IMPROVE
Because an overwhelming majority—more than 80percent—of criti-
OUR PREPAREDNESS? cal infrastructure is owned or controlled by the private sector, trying
to address cyber security and critical infrastructure readiness without
We are still, for the most part, in a responsive, fire-fighting mode, including the private sector would leave us vulnerable to potential
reacting to problems as they occur. Clearly, the time to react is disastrous consequences.
decreasing. We need to focus resources on becoming more proactive.
This can be accomplished by the following: In New York State, our Public/Private Sector Cyber Security
Workgroup includes representatives from critical State agencies and
•Creating stronger relationships between and among the
10 11
private sector companies. We have identified high-level executives and are now on the monthly sector conference calls. In addition,
and commissioners to represent critical industry sectors, including these entities receive all of the cyber advisories that are distributed.
chemical, education/awareness, financial/economic, food, health,
public safety, telecommunications, and utilities. Additional critical These entities will work closely with the established sector chairs
industry sectors will be included in the Workgroup as it moves for- and my Office to more fully engage those critical entities to share
ward. The Workgroup is examining the current state of cyber readi- information and build important communication relationships. This
ness throughout the entities within each sector, working to identify mutual information sharing arrangement will prove to be an invalu-
and assess vulnerabilities and identify mitigation strategies. The able factor in helping to ensure the readiness and resilience of New
Workgroup meets in person quarterly and monthly via conference York State’s critical infrastructure assets—both public and private.
call with each sector.
The participation in this Workgroup has been tremendous, and the
The Workgroup has published two reports: Cyber Security: information sharing relationship with the private sector serves to
Protecting New York State’s Critical Infrastructure, which details better prepare and protect New York State.
the on-going efforts in New York State to address cyber security
readiness and response, in both the public and the private sectors; An excellent example of information sharing between the public and
and the Best Practice Guidelines for Cyber Security Awareness private sectors can be seen in the Telecommunications and Utilities
which includes a number of useful tips and practical advice, along Sector. When a cyber advisory gets distributed to the NYS
with links to additional information for all New Yorkers on how to Public/Private Sector Workgroup from the my Office, that informa-
become more “cyber security aware.” tion gets distributed to the Utility Sector through its Sector chairs,
representing the NYS Public Service Commission (PSC), the New
One of the next phases of the Workgroup is expanding participation York Power Authority, the New York Independent System Operator,
within each of the sectors to include more entities within the sector. and Consolidated Edison. The PSC also forwards the cyber advi-
I invited the major stakeholders within the industry sectors to meet sories out to sixteen major electric, gas and electric generation enti-
with me, along with the Director of our State’s Office of Public ties. Some of the utilities are now asking to be placed directly on the
Security and the Workgroup Sector chairs. The goal was to discuss Public/Private Sector Advisory Distribution list because of the
the efforts of the Workgroup, identify areas for collaboration, and tremendous value-add of getting the advisories in a timely manner.
engage these major stakeholders as we collectively move forward in The information gets distributed to the major telecommunications
securing our cyber assets. entities, including Verizon, AT&T, Frontier and MCI.

During 2003, this next level of outreach was conducted with the Let’s take a closer look at how this public/private relationship with-
Education, Financial and Telecommunications Sectors. Each of in New York’s Telecommunications and Utilities Sectors is working
these meetings was extremely successful. Initially, and not surpris- toward the goals of enhanced cyber security preparedness.
ingly, some of the entities expressed concern as to how the informa-
tion they shared with the Workgroup would be handled. We engaged In August 2002, the New York State Public Service Commission
in honest and straightforward dialogue with the entities, and allayed (PSC) ordered major telecommunications providers and utilities that
their fears. All of the entities with whom we met expressed support PSC regulates to conduct third party vulnerability and risk assess-
for the work we are doing in New York State through the ments. Each provider retained a consultant to assess the state of its
Workgroup, and were eager to participate in our efforts. All of the physical and cyber security, and the ability to prevent or respond to
entities we met with agreed to become involved in the Workgroup acts of terrorism. Subsequently, the PSC retained a security consult-

12 13
ing firm to review each assessment and to ascertain whether or not the August. On August 20, 2003, the PSC initiated a formal inquiry into
reports were thorough and covered the scope of work determined in the circumstances surrounding the electrical blackout of August 14.
the Order. In August 2003, a final overall report was issued to reca- In the course of this inquiry the Office of Utility Security has been
pitulate the state of cyber readiness of the regulated telecommunica- reviewing actions and policies at the utilities to determine the extent
tions and utility providers. Later in August 2003, the PSC directed the to which information systems failures may have played a role in exac-
same major telecommunications and utility companies to prepare erbating the spread of the blackout in New York, or added delay to the
security management action plans detailing how the recommenda- recovery from it.
tions of the final report would be effectuated.
Out of this inquiry we will acquire a better understanding of the ade-
The Department of Public Service Office of Utility Security, estab- quacy of cyber security systems that could prove useful in preventing
lished in mid 2003 by the Public Service Commission, has been or thwarting an attempted malicious act against the power grid. The
tasked to review the security reports and following action plans, and realization of the need for the expanded focus on cyber security in the
to verify that each provider is following the recommendations made energy and telecommunications industries is evident. The northeast
for improvement in cyber aspects of readiness, as well as adhering to electric blackout served to underscore what we already understand –
industry best practices for security, or is formulating definitive plans that our energy generation and transmission grid is increasingly
to do so. dependent on reliable cyber systems, and that our telecom networks
are at the heart of the accelerating interdependency of all our critical
The Office of Utility Security will act as a liaison to the telecommu- infrastructures. In 2004, some telecommunications providers have
nications providers and utilities, maintaining continuous outreach to expressed interest in sharing best practices in cyber security with
assist in addressing the ever-increasing demands of security readi- providers across industry lines, specifically with the energy providers.
ness. Beyond its responsibility to enhance security through its regu-
latory oversight responsibility, the Office will undertake a broadly All companies are making stronger efforts in enhancing their security
proactive role in strengthening security. Through close coordination posture by including more vigorous employee awareness programs,
and partnership with federal and other state security and public safe- understanding that the first line of defense is circumspect and atten-
ty agencies, the Department of Public Service Office of Utility tive personnel.
Security is providing a uniquely focused perspective on the informa-
tion sharing needs required by the current threat situations. STRONG COLLABORATION WITH OTHER STATES
Interacting on a daily basis with security personnel at the State’s ener- Another key initiative underway in New York State is the coordina-
gy and communications utilities, the staff of the Office of Utility tion of a Multi-State Information Sharing and Analysis Center (MS-
Security is working toward implementation and maintenance of the ISAC). The MS-ISAC currently includes participation from forty-
highest practicable security standards and practices. nine states and the District of Columbia. Because cyber incidents
know no geographic boundaries, the MS-ISAC is critical to fostering
This task will be realized by providing a balance of education, threat communication and information sharing among all states regarding
awareness briefings, advocacy, technical guidance, as well as tradi- cyber and critical infrastructure readiness and response efforts. By
tional monitoring and inspection. being aware of what is occurring outside New York State which may
potentially impact the State, we will be better prepared.
2003 brought a major event that has further prompted the scrutiny of
cyber security in New York’s energy infrastructure – the blackout in The MS-ISAC members meet monthly via teleconference to discuss
security issues and share information from a cyber perspective. The
14 15
MS-ISAC is working toward the adoption of a common cyber alert the MS-ISAC joined the National ISAC Council as a non-voting
level protocol and incident reporting process. The Multi-State ISAC member (liaison). Additionally, we currently send communications,
has conducted five incident reporting exercises, two of which includ- alerts, advisories and informational bulletins to several of the largest
ed reporting the impact of the Blaster and MyDoom. national private ISACs, including: Telecom ISAC, Chemical ISAC,
Electric ISAC, Emergency Fire Services ISAC, IT ISAC, Surface and
New York State, in its coordination of the Multi-State ISAC, is work- Water Transportation ISAC, Water ISAC and Financial Services
ing to develop strong relationships with the private sector on a nation- ISAC.
al level. For example, we’ve developed a collaborative relationship
with Microsoft to facilitate better information sharing between New York State, through the Multi-State ISAC, is working collabora-
Microsoft and the State of New York. Microsoft readily agreed to our tively with the federal government in advancing the National Strategy
invitation to participate in the August 2003 Multi-State ISAC confer- to Secure Cyberspace. The Department of Homeland Security supports
ence call to discuss the recent Microsoft vulnerabilities occurring at the MS-ISAC and participates on the monthly conference calls as well.
the time and hear concerns from the States. The White House and The MS-ISAC was recently recognized by the Department of
Department of Homeland Security, along with approximately 40 Homeland Security for its proactive role in bringing the states together.
states, participated in this call.

Microsoft has invited the Multi-State ISAC to participate in its CONCLUSION

monthly teleconference calls. These calls are held after security bul-
letins are released and are designed to give experts access to
Microsoft developers who understand the vulnerability and the patch. It is clear that the Information Age is upon us and this new Age ush-
This represents a tremendous step forward in helping the States better ers in a new era of connectivity and interdependence. This connectiv-
prepare against future cyber attacks. ity allows us to communicate in many positive ways, but also creates
a new era of challenges. In order to protect ourselves and our critical
Through the MS-ISAC, we are also reaching out to build relationships assets, we must be aware of—and understand—the vulnerabilities and
with the private ISACs. In 2003, an introductory letter was forward- risks, and how to protect, detect, respond and recover.
ed to the chairs of the major national ISACs on behalf of the MS-
ISAC members, to inform them of the MS-ISAC’s existence and Each individual is responsible for taking security seriously. Each
objectives, and to request that the private ISACs consider developing individual must be totally committed and involved and set the exam-
a relationship with the MS-ISAC. ple in the fight against cyber threats.

As the majority of critical infrastructure assets are maintained in the Each vendor is responsible for providing more secure products, better
private sector, the benefit to each of the states in this information shar- methodology to upgrade, and more timely notification to consumers
ing arrangement is clear. The benefit to the private ISACs is that the of vulnerabilities.
Multi-State ISAC can serve as a coordinated point of contact with
them, and the entities within it, in dealing with the states. One of our All users are responsible for understanding and employing sound
goals is to share information — with the Multi-State ISAC providing security practices. Training for each of the above-mentioned groups is
information, as appropriate, to the private ISACs, and vice versa. critical in order to ensure success. These practices must become part
of our culture, and ingrained in each of us
The response from the ISACs has been tremendous. In January 2004,

16 17
Strong relationships between the public and private sectors must be ENDNOTES
fostered.

We live in a digital age where we all interconnected, all mutually 1 CAIDA-the Cooperative Association for Internet Data Analysis
dependent and thus suffer the consequences of the failures of our
2 CAIDA-the Cooperative Association for Internet Data Analysis
weakest link.
3 BitDefender.com
Two key principles that we must employ in our fight against cyber 4 Computer Economics
attacks are vigilance and resilience.
5 Central Command, Inc.
Vigilance – The need for security is constant—we can never be 100 6 CAIDA-the Cooperative Association for Internet Data Analysis
percent secure. Good security is never one layer deep, rather it is 7 CNET News
multiple layers. For example, a firewall is one layer; not just good,
but strong passwords is another layer. Cyber security is a journey, not 8 The Register
a destination and the job is never finished. 9 CNET News
10 Internet Week.com
Resilience – The point is not whether you’ll be the victim of a cyber
incident, but how well you respond if you are a victim. 11 TechWeb News

While change is difficult and changing a culture is daunting we must

take the first steps. And we must remember that security is everyone’s
responsibility. You are never done.

18 19