http://www.infoworld.com/articles/hn/xml/01/04/25/010425hnsipc.xml?p=br&s=6 By Sam Costello Apr. 25, 2001 TWO YEARS AGO, Wes Marsh was working on an IA (information assurance) plan for the state of Arizona. Marsh was dismayed to find his state lacked a solid IA or information security plan. Luckily, as a state representative, he was in a position to do something about it. What Marsh did was introduce a bill into the Arizona state legislature that would create the nation's first Statewide Infrastructure Protection Center (SIPC), a move that he hopes will set an example for other states to follow. Marsh, a Republican from central Arizona, is also a member of the state National Guard, where he has served as a communications officer. With a panoply of other organizations already devoted to computer infrastructure security activities, including the Department of Defense, the Federal Bureau of Investigation (FBI), and the National Infrastructure Protection Center (NIPC), a state-level organization devoted to the same task might not seem necessary. But an SIPC is needed, Marsh said, because information takes too long to filter down from national organizations to the state level. Computer infrastructure threats are monitored by, among others, InfraGuard, a partnership between the FBI, NIPC, and more than 500 private sector companies. Security threat information, however, can take up to two weeks to make its way from InfraGuard to the states, as the body does not want to jeopardize possible criminal investigations, Marsh said. When it comes to critical systems, "you can't wait two weeks," he said, highlighting the point by noting that the Arizona state legislature lost its e-mail system for a full day in early February due to the Anna Kournikova virus. The Department of Defense had information about the virus two days before the legislature's e-mail system crashed and if the state had warning, the outage could have been avoided, Marsh said. If passed into law, Marsh's bill will do two things: It will create a computer emergency response team composed of National Guard members to protect National Guard networks and coordinate with the Department of Defense; and it will set up an SIPC, which will serve as the principal point of contact and coordination for public sector bodies, and distribute computer security information and alerts to the private sector, as well as creating rules for implementing security measures. The SIPC would also work with the National Guard team on security issues. Both InfraGuard and the NIPC support the bill (the NIPC declined to comment for this story), and the National Security Agency, the Department of Commerce, the Department of Defense, and the FBI have all been briefed on the bill, Marsh said Another supporter of the initiative is the SANS Institute, an organization of systems administrators and security professionals that researches and provides security alerts. SIPCs are "the right thing to do," according to Allan Paller, director of research at SANS. SIPCs will allow for greater tracking of Internet security issues because they will monitor the Internet using both geography and areas of common interest as determining factors, which will in turn result in more of the Internet being watched and threats discovered earlier, Paller said. SIPCs can be thought of as the weather forecast system, Paller said, with many groups in many places all observing the weather so as to arrive at the best picture of the overall situation. In this case, Arizona's SIPC will find things that one in New York wouldn't, and a financial SIPC would find things that a university SIPC would miss, he said. "The reason it's a good idea is the earlier the security community finds things, the better chance we have to minimize damage," Paller said. Despite this support, the bill is currently mired in state politics and may not be passed this year, despite being passed by a 54-2 vote (out of 60 members) in the state House of Representatives. Marsh expects the bill will be vetoed by the governor even if it does pass in the few weeks remaining in this Arizona legislative session. Even if the bill is vetoed in Arizona, other states may soon see similar plans put forward, Marsh said. Texas, Virginia, Florida, and Washington D.C. are all evaluating plans for SIPCs, Marsh said. Texas, rather than Arizona, could become the first state to have an SIPC, but "we will have an SIPC here," he said. "Eventually every state is going to have an SIPC in it," he said. They're likely to need it, Marsh said, referring to the shortcomings in Arizona's infrastructure planning, adding, "Arizona cannot be unique" in this regard. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 00:54:17 PDT