gov't to "anonymously" sharing cyberthreat data?

Bradley Malin malin at
Fri Aug 26 07:30:29 PDT 2005

Prof Dave - looks like UPenn is the facilitator.


New Cybersecurity Center To Warn Law Enforcement Of Critical
Infrastructure Attacks   Aug. 24, 2005

Several businesses and organizations are testing a new process for
anonymously sharing cyberthreat and attack data with their peers and
government agencies without being subject to law-enforcement audits.
By Larry Greenemeier

With about 85% of the nation's critical infrastructure--energy
utilities, manufacturing and transportation facilities,
telecommunication and data networks, and financial services--in the
private sector, it's no wonder there have been so many attempts to
create services that keep these companies apprised of threats to
their IT networks. But there's a problem: Most companies aren't eager
to share their adventures in cybersecurity with each other or the

Keeping this in mind, several Philadelphia-area businesses and
organizations are testing out a new model called the Cyber Incident
Detection & Data Analysis Center, or CIDDAC, which lets private-
sector entities anonymously share cyberthreat and attack data with
their peers and government agencies such as the Homeland Security
Department and the FBI without that data being subject to law-
enforcement audits.

CIDDAC arose out of the deficiencies in the different organizations
already working on cybersecurity, says Brad Rawling, a CIDDAC board
member. A major sticking point that has hindered other attempts to
create cyberattack-reporting infrastructures is the concern by
businesses and other organizations that their proprietary information
will be made public. Once information about a company's inner
workings and security issues is documented by the government, that
proprietary information may become fair game for Freedom Of
Information Act requests by the press and public. CIDDAC circumvents
this sticky situation because it's not a government entity and it
doesn't provide specific information to members or law enforcement
about the identity of the organization reporting a cyberattack.

Participation in CIDDAC is voluntary. Since its April debut, the
effort has been funded with about $100,000 in contributions from
members, as well as $200,000 from the Homeland Security Department's
Science and Technology Directorate. CIDDAC is searching for an
additional $400,000 in funding to move it from the pilot stage to a
point where data can be collected and shared and the program can
sustain itself. Membership will cost $10,000 per year and will
include one sensor, a year of monitoring service, and access to
CIDDAC reports.

CIDDAC's services are expected to be fully functional by the end of
the year. The organization is piloting its sensor technology and
reporting system at test locations in Philadelphia, southern New
Jersey, and North Carolina. The next phase of testing, as CIDDAC
receives production models of its network sensors over the next month
and a half, will include as many as 10 large companies and
institutions that have volunteered to participate and to whom CIDDAC
has promised anonymity.

The University of Pennsylvania has donated lab space, E-mail listserv
services, and Internet access via its Institute of Strategy Threat
Analysis and Response for the CIDDAC's pilot phase, although the
initiative may have to look elsewhere for a permanent home.

A company called AdminForce Remote LLC has developed the underlying
real-time cyberattack-detection sensor technology that CIDDAC uses to
gather information from its members' networks, and AdminForce
chairman and CEO Charles Fleming serves as CIDDAC's executive
director. Board members include Liberty Bell Bank chief technology
officer Brian Schaeffer, Federal Reserve Bank of Philadelphia
directory of information security Keith Morales, Air Products and
Chemicals Inc. computer crime investigator Lance Hawk, and Kema Inc.
senior principal consultant Scott Mix. FBI special agent John Chesson
and Homeland Security Department director of privacy technology Peter
Sand have served as advisers to the CIDDAC effort.

As envisioned, a CIDDAC member connects AdminForce's sensors within
their corporate network. If an intruder attempts to hack or penetrate
the system, this intrusion-monitoring device sends a message to law
enforcement and to other CIDDAC participants but protects the
identity of the reporting entity. CIDDAC's plan is to provide members
with trend-analysis information about specific intrusion activity
that they can use to assess risks to their own networks.

CIDDAC's arrival is timely. This year's FBI Computer Security
Institute computer crime and security survey results, based on the
responses of 700 computer security practitioners in U.S. companies,
government agencies, financial institutions, medical institutions,
and universities, indicates that the percentage of organizations
reporting computer intrusions to law enforcement continues to
decline. Only 20% of organizations reported cyberattacks to law
enforcement, while only 12% reported such attacks to legal counsel.
The key reason cited for not reporting intrusions to law enforcement
is the concern for negative publicity.

FBI Director Robert Mueller has acknowledged this reluctance that
organizations have to air their dirty cyber laundry in public, thus
hurting their image and giving rivals an edge. Mueller made these
comments earlier this month at a conference hosted by InfraGard, an
FBI program begun in 1996 in Cleveland as a local effort to gain
support from the IT industry and academia for the FBI's cybersecurity
investigative efforts. The program expanded nationally through the
late 1990s.

At the conference, Mueller likened a malicious command sent over a
network to harm a power station's control computer to being as deadly
as a backpack full of explosives.

The FBI is expected to receive CIDDAC-generated law-enforcement
incident reports when different criminal thresholds are exceeded.
Homeland Security is likewise expected to be a consumer of CIDDAC
reports. The FBI will use CIDDAC incident reports to initiate
preliminary investigations to determine the magnitude of the
cyberthreat, Rawling says. Such reports could be used as a basis to
justify opening a criminal or intelligence case, for example, but are
not expected to be used as evidence to be presented in a court of
law. "The FBI must use the tools they have to build a case without
revealing the identity of the source," Rawling adds.

CIDDAC is by no means the only organization established to provide
business-technology managers with information about cyberthreats. The
new effort most closely resembles the SANS Institute's Internet Storm
Center, although that service has no direct link with federal law
enforcement. CIDDAC also is targeting large companies with similar IT
security needs. Internet Storm Center uses the DShield distributed
intrusion-detection system technology to collect data from users'
intrusion-detection logs and disseminate this information to other
users. DShield is a piece of freeware maintained by the SANS
Institute. The Internet Storm Center, a free service, lets users
submit firewall logs anonymously, but they must register with the
SANS Institute to view an archive of firewall logs they submitted to
the DShield database in the past 30 days and get confirmation of log

You are subscribed as eugen at
To manage your subscription, go to

Archives at:

----- End forwarded message -----
Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820  
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

More information about the cypherpunks-legacy mailing list