[ISN] Arizona may create state Internet security group

From: InfoSec News (isnat_private)
Date: Wed Apr 25 2001 - 13:38:51 PDT

  • Next message: InfoSec News: "[ISN] Security UPDATE, April 25, 2001"

    By Sam Costello
    Apr. 25, 2001
    TWO YEARS AGO, Wes Marsh was working on an IA (information assurance)
    plan for the state of Arizona. Marsh was dismayed to find his state
    lacked a solid IA or information security plan. Luckily, as a state
    representative, he was in a position to do something about it.
    What Marsh did was introduce a bill into the Arizona state legislature
    that would create the nation's first Statewide Infrastructure
    Protection Center (SIPC), a move that he hopes will set an example for
    other states to follow. Marsh, a Republican from central Arizona, is
    also a member of the state National Guard, where he has served as a
    communications officer.
    With a panoply of other organizations already devoted to computer
    infrastructure security activities, including the Department of
    Defense, the Federal Bureau of Investigation (FBI), and the National
    Infrastructure Protection Center (NIPC), a state-level organization
    devoted to the same task might not seem necessary. But an SIPC is
    needed, Marsh said, because information takes too long to filter down
    from national organizations to the state level.
    Computer infrastructure threats are monitored by, among others,
    InfraGuard, a partnership between the FBI, NIPC, and more than 500
    private sector companies. Security threat information, however, can
    take up to two weeks to make its way from InfraGuard to the states, as
    the body does not want to jeopardize possible criminal investigations,
    Marsh said.
    When it comes to critical systems, "you can't wait two weeks," he
    said, highlighting the point by noting that the Arizona state
    legislature lost its e-mail system for a full day in early February
    due to the Anna Kournikova virus. The Department of Defense had
    information about the virus two days before the legislature's e-mail
    system crashed and if the state had warning, the outage could have
    been avoided, Marsh said.
    If passed into law, Marsh's bill will do two things: It will create a
    computer emergency response team composed of National Guard members to
    protect National Guard networks and coordinate with the Department of
    Defense; and it will set up an SIPC, which will serve as the principal
    point of contact and coordination for public sector bodies, and
    distribute computer security information and alerts to the private
    sector, as well as creating rules for implementing security measures.
    The SIPC would also work with the National Guard team on security
    Both InfraGuard and the NIPC support the bill (the NIPC declined to
    comment for this story), and the National Security Agency, the
    Department of Commerce, the Department of Defense, and the FBI have
    all been briefed on the bill, Marsh said
    Another supporter of the initiative is the SANS Institute, an
    organization of systems administrators and security professionals that
    researches and provides security alerts. SIPCs are "the right thing to
    do," according to Allan Paller, director of research at SANS. SIPCs
    will allow for greater tracking of Internet security issues because
    they will monitor the Internet using both geography and areas of
    common interest as determining factors, which will in turn result in
    more of the Internet being watched and threats discovered earlier,
    Paller said.
    SIPCs can be thought of as the weather forecast system, Paller said,
    with many groups in many places all observing the weather so as to
    arrive at the best picture of the overall situation. In this case,
    Arizona's SIPC will find things that one in New York wouldn't, and a
    financial SIPC would find things that a university SIPC would miss, he
    "The reason it's a good idea is the earlier the security community
    finds things, the better chance we have to minimize damage," Paller
    Despite this support, the bill is currently mired in state politics
    and may not be passed this year, despite being passed by a 54-2 vote
    (out of 60 members) in the state House of Representatives. Marsh
    expects the bill will be vetoed by the governor even if it does pass
    in the few weeks remaining in this Arizona legislative session.
    Even if the bill is vetoed in Arizona, other states may soon see
    similar plans put forward, Marsh said. Texas, Virginia, Florida, and
    Washington D.C. are all evaluating plans for SIPCs, Marsh said. Texas,
    rather than Arizona, could become the first state to have an SIPC, but
    "we will have an SIPC here," he said.
    "Eventually every state is going to have an SIPC in it," he said.
    They're likely to need it, Marsh said, referring to the shortcomings
    in Arizona's infrastructure planning, adding, "Arizona cannot be
    unique" in this regard.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email LISTSERVat_private with a message body of

    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 00:54:17 PDT