http://www.infoworld.com/articles/hn/xml/01/04/25/010425hnsipc.xml?p=br&s=6
By Sam Costello
Apr. 25, 2001
TWO YEARS AGO, Wes Marsh was working on an IA (information assurance)
plan for the state of Arizona. Marsh was dismayed to find his state
lacked a solid IA or information security plan. Luckily, as a state
representative, he was in a position to do something about it.
What Marsh did was introduce a bill into the Arizona state legislature
that would create the nation's first Statewide Infrastructure
Protection Center (SIPC), a move that he hopes will set an example for
other states to follow. Marsh, a Republican from central Arizona, is
also a member of the state National Guard, where he has served as a
communications officer.
With a panoply of other organizations already devoted to computer
infrastructure security activities, including the Department of
Defense, the Federal Bureau of Investigation (FBI), and the National
Infrastructure Protection Center (NIPC), a state-level organization
devoted to the same task might not seem necessary. But an SIPC is
needed, Marsh said, because information takes too long to filter down
from national organizations to the state level.
Computer infrastructure threats are monitored by, among others,
InfraGuard, a partnership between the FBI, NIPC, and more than 500
private sector companies. Security threat information, however, can
take up to two weeks to make its way from InfraGuard to the states, as
the body does not want to jeopardize possible criminal investigations,
Marsh said.
When it comes to critical systems, "you can't wait two weeks," he
said, highlighting the point by noting that the Arizona state
legislature lost its e-mail system for a full day in early February
due to the Anna Kournikova virus. The Department of Defense had
information about the virus two days before the legislature's e-mail
system crashed and if the state had warning, the outage could have
been avoided, Marsh said.
If passed into law, Marsh's bill will do two things: It will create a
computer emergency response team composed of National Guard members to
protect National Guard networks and coordinate with the Department of
Defense; and it will set up an SIPC, which will serve as the principal
point of contact and coordination for public sector bodies, and
distribute computer security information and alerts to the private
sector, as well as creating rules for implementing security measures.
The SIPC would also work with the National Guard team on security
issues.
Both InfraGuard and the NIPC support the bill (the NIPC declined to
comment for this story), and the National Security Agency, the
Department of Commerce, the Department of Defense, and the FBI have
all been briefed on the bill, Marsh said
Another supporter of the initiative is the SANS Institute, an
organization of systems administrators and security professionals that
researches and provides security alerts. SIPCs are "the right thing to
do," according to Allan Paller, director of research at SANS. SIPCs
will allow for greater tracking of Internet security issues because
they will monitor the Internet using both geography and areas of
common interest as determining factors, which will in turn result in
more of the Internet being watched and threats discovered earlier,
Paller said.
SIPCs can be thought of as the weather forecast system, Paller said,
with many groups in many places all observing the weather so as to
arrive at the best picture of the overall situation. In this case,
Arizona's SIPC will find things that one in New York wouldn't, and a
financial SIPC would find things that a university SIPC would miss, he
said.
"The reason it's a good idea is the earlier the security community
finds things, the better chance we have to minimize damage," Paller
said.
Despite this support, the bill is currently mired in state politics
and may not be passed this year, despite being passed by a 54-2 vote
(out of 60 members) in the state House of Representatives. Marsh
expects the bill will be vetoed by the governor even if it does pass
in the few weeks remaining in this Arizona legislative session.
Even if the bill is vetoed in Arizona, other states may soon see
similar plans put forward, Marsh said. Texas, Virginia, Florida, and
Washington D.C. are all evaluating plans for SIPCs, Marsh said. Texas,
rather than Arizona, could become the first state to have an SIPC, but
"we will have an SIPC here," he said.
"Eventually every state is going to have an SIPC in it," he said.
They're likely to need it, Marsh said, referring to the shortcomings
in Arizona's infrastructure planning, adding, "Arizona cannot be
unique" in this regard.
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Thu Apr 26 02:56 CDT 2001