[ISN] Feds urge secrecy over network outages

From: InfoSec News (isn@private)
Date: Thu Jun 24 2004 - 04:35:02 PDT

  • Next message: InfoSec News: "[ISN] Security qualification makes the grade"

    By Kevin Poulsen
    June 23 2004
    Giving the public too many details about significant network service
    outages could present cyberterrorists with a "virtual road map" to
    targeting critical infrastructures, according to the U.S. Department
    of Homeland Security, which this month urged regulators to keep such
    information secret.
    At issue is an FCC proposal that would require telecom companies to
    report significant outages of high-speed data lines or wireless
    networks to the commission. The plan would rewrite regulations that
    currently require phone companies to file a publicly-accessible
    service disruption report whenever they experience an outage that
    effects at least 30,000 telephone customers for 30 minutes or more.  
    Enacted in the wake of the June 1991 AT&T long-distance crash, the FCC
    credits the rule with having reversed a trend of increased outages on
    the phone network, as telecom companies used the disclosures to
    develop best practices and learn from each others' mistakes.
    The commission is hoping for similar results on the wireless and data
    networks that have become integral to the U.S. economy and emergency
    response capability. The proposal would expand the landline reporting
    requirement to wireless services, and generally measure the impact of
    a telecom outage by the number of "user minutes" lost, instead of the
    number of customers affected.
    It would also require telecom and satellite companies to start issuing
    reports when high-speed data lines suffer significant outages:  
    specifically, whenever an outage of at least 30 minutes duration
    affects at least 1,350 "DS3 minutes." A DS3 line carries 45 megabits
    per second, the equivalent of 28 DS1 or T1 lines.
    The reports would include details like the geographic area of the
    outage, the direct causes of the incident, the root cause, whether not
    there was malicious activity involved, the name and type of equipment
    that failed, and the steps taken to prevent a reoccurrence, among
    other things.
    To the Department of Homeland Security, that's a recipe for disaster.  
    "While this information is critical to identify and mitigate
    vulnerabilities in the system, it can equally be employed by hostile
    actors to identify vulnerabilities for the purpose of exploiting
    them," the DHS argued in an FCC filing this month. "Depending on the
    disruption in question, the errant disclosure to an adversary of this
    information concerning even a single event may present a grave risk to
    the infrastructure."
    If the FCC is going to mandate reporting, the DHS argued, it should
    channel the data to a more circumspect group: the Telecom ISAC
    (Information Sharing and Analysis Center), an existing voluntary
    clearinghouse for communications-related vulnerability information,
    whose members include several government agencies and all the major
    communications carriers. Data exchanged within the Telecom-ISAC is
    protected from public disclosure.
    "[T]he ultimate success of our critical infrastructure protection
    effort depends, in large part, not merely on having the necessary
    information, but on having it available when and where it is most
    needed," the DHS argues.
    The FCC hasn't ruled on the matter. Telecom companies are generally
    against the proposed new reporting requirements, arguing that the
    industry's voluntary efforts are sufficient.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Thu Jun 24 2004 - 05:53:23 PDT