Marcus Sachs has always been in the business of protecting internet users.
As both a former White House IT security expert and now a deputy director in the Computer Science Laboratory at SRI International, where he supports the Washington, D.C. operations of the U.S. Department of Homeland Security’s Cyber Security Research and Development Center, Sachs is more than familiar with cyberspace’s many vulnerabilities, the types of attacks that can cripple it, and the need to make it more resilient.
“He’s an amplifier. Back when Code Red and Nimda hit, there was only one technical coordination point in the country that rose to the top – that was some guy at the Department of Defense taskforce on computer network operations,” says Alan Paller, director of research at the SANS Institute.
“Marcus became the coordination point. He was the only guy people called where they got more information back than they gave. He would get all this data and say: ‘That’s almost the same as what we’re finding here, but these guys have another variant of it. Let me connect you with them.’ It was amplification value…”
Now at SRI, an independent non-profit research and development outfit, Sachs is assisting Doug Maughan, program manager for DHS’ Homeland Security Advanced Research Projects Agency (HSARPA) within the Science and Technology Directorate.
In supporting Cyber Security Research and Development activities at HSARPA, which falls under Maughan’s control, Sachs is working with a number of organizations to figure out ways to protect the nation’s infrastructure and, by default, its physical assets, while helping the private and public sectors leverage the internet for secure business endeavors.
Among the projects enlisting the help of various private players, one involves CipherTrust’s Phyllis Schneck, who says that Sachs is a strategic thinker who brings a lot of knowledge and experience to the table. “I’ve always seen security as an enabler and I believe that a lot of the strategic thinking from SRI, and which I’ve seen in conversations with Marc, is to really make security an enabler for government and the private sector,” says Schneck, vice-president of strategic development for CipherTrust, which is working with SRI on a BlackBerry trial to secure communications among emergency responders (see panel, p28).
The main goal of SRI’s work with DHS and other groups is to enable citizens, businesses and government agencies to work online with less fear of financially and politically motivated crime.
Making the internet safer
Recently, we spoke with Marcus Sachs to find out exactly what SRI’s priorities are and how his work today with DHS will support future online business activity.
SC: How did you get involved with SRI and its Cyber Security R&D Center, and what are its primary goals?
Sachs: When I was working at DHS in 2003, a colleague and I strategized what would be the right role for homeland security in regard to cyber research and he developed some plans. The concept was to create a center not in Washington, but somewhere like California. It would be a place where academics would come together, people from government and industry… There would be workshops and seminars, and these would all be done in the name of homeland security, with a focus on taking what we put together in The National Strategy to Secure Cyberspace, and actually doing the research that would support all that.
That was the original concept. But by the end of 2003, it had transformed into being a person at DHS who was going to have a portfolio of cybersecurity projects and a budget. He would go along with SRI as a support contractor and set up this thing called the Cyber Security Research and Development Center.
SRI has now been supporting the Science and Technology Directorate since February 2004 and the Cyber Security R&D Center, which belongs to DHS. SRI is the main contractor providing full-time people to support the one person at DHS who has the portfolio and controls the funding [Maughan]. Of the budget they have at DHS, only a small piece goes to SRI to assist in support. The bulk goes to the organizations doing the research – universities and individuals.
SRI is just providing the leadership, the agenda. We’re working on a lot of stuff. There are half a dozen areas that we’re focused on.
One thing we’re working on is domain name system security extensions. The idea of mapping names to IP addresses dates back to a time when the internet was a lot more trusting of its users. Today, the internet is a vastly different place, but the DNS is still the same. This is an area where DHS recognized that someone needed to take leadership. It’s a fairly significant project: anything with .gov written into it will have these security extensions built-in – probably in the next year or so. We’re hoping we can get the military on board.
SC: How do the extensions work?
Sachs: When your computer does a DNS query, you open up a browser and, say, search for a bank. I’m going to trust my browser to send me to the Citibank browser, which has to trust the naming service. It implicitly trusts the local name server, but I don’t know if the local name server is returning correct data; there is no certificate attached to it. If the name server has to ask for an answer, it has no way to validate that it’s truthful. Criminals have figured this out. They can set up a fake Citibank website. They can poison your name servers and when you’re trying to go to Citibank, you will be redirected to their fake site.
We’re trying to get that little piece of the internet mechanism secured. It doesn’t happen overnight, but we’ve made a lot of progress.
For government, this is a pretty big deal – after all, .gov is where the Federal Emergency Management Agency (FEMA) and the IRS sit. The last thing we need is some stupid buffoon setting up a fake government website.
SC: So are you likely to expand this security mechanism beyond federal government sites?
Sachs: Yes. The reason we’re doing the government first is because it’s a smaller zone and it shows good leadership. We are going to lead by example rather than by legislating.
SC: Are ISPs involved?
Sachs: Yes, but not as intensely. It’s more the name server community than the ISPs. When you register a name, the people you register with are the ones that need to be playing the game.
SC: What else are you working on?
Sachs: We’re working on routing infrastructures. The entire internet depends on routers, like Cisco, Juniper and others. It’s the same problem. When the routers update each other, they all trust each other. Those protocols were built in a time when everyone trusted each other. It turns out that the routing issue is a lot harder to fix than the DNS problem. It’s not unsolvable, but it’s going to take a lot more work to get it done.
Another area we’re working on is a virtual network, so researchers who are developing, say, a firewall, new IDS or anti-virus software, can put their devices into a test network that’s coast to coast. It consists of several research sites around the nation. It’s a large enough network that it sort of appears to be the internet, but it isn’t. Before, the only way to do that was to build a test network in your lab and do the best you can. With this test bed, you can replicate the internet itself.
We’re also building a database of large data sets collected from the internet. The intent is to help researchers who might be working on a new security device.
Rather than trying to connect to their own networks and pull live data in from their university network, or wherever they are doing the research, we want to provide them with real data sets that have been collected from the internet, but properly sanitized and anonymized.
Imagine your home computer, when you plug into DSL. Immediately, a flood of stuff comes at you – some is what you asked for, like email, but there’s a lot of other garbage coming at you, from scans and viruses and worms. We want to be able to download information as though it’s a computer connected to the internet, and save several days’ worth of that trash, clean it up and make it available to a researcher.
In a technical sense, this is easy. All you have to do is hook a computer up and start recording. But you end up picking up a lot of private information. We have been working on this with lawyers, the Electronic Privacy Information Center (EPIC) and the Electronic Freedom Foundation, among others.
This is going to be remarkable because we’ll be able to create anonymous data sets that actually reflect what the hostile internet looks like, but that the privacy people are OK with. Both the public and the private sector will have access to this database, but they will have to be vetted if they want to use it. If Al Qaeda wants access, we won’t grant it, but if the Atlanta Police Department wants to train some cybercops, then that’s cool.
SC: When will this be done?
Sachs: We’re getting close. We could see this come online later this year or early next year. We’re just working out the last details with the lawyers.
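As an added example that is not part of the interview or of SRI's project: one way to do the sanitizing and anonymizing Sachs describes for the captured data sets. It uses a keyed HMAC so the same real address always maps to the same pseudonym (a researcher can still see one scanner hitting many hosts) while the payload, where private information lives, is dropped. The capture-line layout, the constructed records and the key name are assumptions.

```python
import hmac
import hashlib
import ipaddress
import re

# Constructed sample capture lines, not real traffic; the field layout is an assumption.
RAW_RECORDS = [
    "2005-04-01T10:00:01 src=203.0.113.7:4412 dst=198.51.100.5:445 proto=tcp flags=S payload=48656c6c6f",
    "2005-04-01T10:00:02 src=203.0.113.7:4413 dst=198.51.100.5:139 proto=tcp flags=S payload=",
    "2005-04-01T10:00:05 src=192.0.2.44:53 dst=198.51.100.5:1025 proto=udp flags=- payload=deadbeef",
]

# Placeholder secret: generate a long random key per data set, keep it offline, never publish it.
ANON_KEY = b"replace-with-a-random-secret"

_ADDR = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_PAYLOAD = re.compile(r"\s*payload=\S*")


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC of the address, truncated to 24 bits and placed in 10.0.0.0/8.

    Consistent: the same real address yields the same pseudonym across records.
    One-way: without the key nobody can reverse it or confirm a guess by re-hashing.
    """
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    host_bits = int.from_bytes(digest[:3], "big")  # 16M possible pseudonyms
    return str(ipaddress.IPv4Address((10 << 24) | host_bits))


def sanitize_record(line: str, key: bytes) -> str:
    """Replace both endpoint addresses, keep ports/protocol/flags, drop the payload."""
    line = _PAYLOAD.sub("", line)  # payloads carry names, credentials, e-mail text
    return _ADDR.sub(
        lambda m: f"{m.group(1)}={pseudonymize_ip(m.group(2), key)}:{m.group(3)}", line
    )


def sanitize_all(records, key=ANON_KEY):
    """Sanitize a whole capture; timing, ports and scan pattern survive, identities do not."""
    return [sanitize_record(r, key) for r in records]


if __name__ == "__main__":
    for r in sanitize_all(RAW_RECORDS):
        print(r)
```

Prefix-preserving schemes exist for research that needs subnet structure; this block trades that away for a simpler, stronger mapping.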