Early last week Hannaford Bros. Corp., which operates close to 300 supermarkets in New England and Florida, announced that cyber-thieves had compromised more than four million of its customers’ credit and debit card numbers over a four-month period beginning last December.
If you paid close attention, you learned that Hannaford believed the data was stolen during the card-verification process. And you may have heard experts in information security — “infosec,” as they call it — speculate that someone may have violated company policy, or that the supermarket chain failed to comply with data-security standards developed by the credit-card industry.
If you wanted a more technical understanding, you probably looked on the Internet, where the talk was of sniffers and firewall configurations and access-control measures.
If even that failed to satisfy your curiosity, you might consider joining the Vermont chapter of InfraGard, a nonprofit organization with an unusual charter: to help the Federal Bureau of Investigation keep an eye on the infrastructure systems that are most vital to American life and the economy.
FBI Director Robert Mueller, in a November 2007 speech on cyber-security at Penn State University, described InfraGard as a “more localized example” of the federal government’s many partnerships with private industry. “From computer security to the chemical sector,” InfraGard members, representing Fortune 500 companies down to small businesses, are collecting and sharing information about threats to the nation’s critical infrastructure. Mueller, who two years earlier had given the keynote address at InfraGard’s annual meeting, estimated that about 21,000 people belonged to the organization. “That amounts to 21,000 partners in our mission to protect America,” he said.
There are more than 80 InfraGard chapters, each aligned with an FBI field office. Somewhere between 80 and 200 people comprise Vermont InfraGard, and almost all of them are in the “infosec” business. That means they tend to compartmentalize their lives, and share information, on a need-to-know basis.
InfraGard isn’t a secret organization; it clearly exists where you’re most likely to find it — on the Internet. But, because it operates between the criminal and the crime fighter, discretion is a necessary qualification for full-fledged membership, which requires an FBI background check. Chapter by-laws bind InfraGard members to honor each other’s confidentiality and refrain from discussing the organization’s business outside official forums, such as meetings and pre-arranged presentations.
The preferred means of communication among members is a secure computer network monitored by the FBI. According to Gary Kessler, a founder of Vermont InfraGard, that doesn’t mean those communications would be of interest, or use, to most people.
“Quite frankly, we do most of the sharing amongst ourselves,” says Kessler, who teaches information assurance at Champlain College in Burlington. “Our FBI folks are seeing our emails, and they may or may not respond to it. More commonly, we’ll get something from another InfraGard chapter, something on the national level, with maybe some details, where vetted InfraGard members can see it.”
In these times of heightened government surveillance, it’s easy to be wary of an organization like InfraGard, which, according to the FBI, has been involved in about 95 criminal investigations nationwide. After all, skeptics point out, InfraGard is just one of the many ways in which government has enjoined private citizens and corporations in the global “war on terror.” And the fact that relatively few people beyond the immediate or intellectual confines of the organization have even heard of InfraGard is beside the point.
“I don’t know that much about this, and I’m not sure anybody really does, and I think that’s part of the problem,” says Allen Gilbert, executive director of the ACLU of Vermont. “We all sense the government is using various means to collect more and more information about people and about concrete things, like critical infrastructure.
“What we don’t know,” Gilbert adds, “is how much is going on and how it’s all connected.”
M.E. Kabay, director of the Master of Science in Information program at Norwich University’s School of Graduate Studies, “utterly repudiates” the implication that InfraGard is a threat to civil liberties. Kabay, who teaches a course on “computer security response-team management,” says InfraGard members are representatives of specific organizations who specialize in a field in which, often, the less said, the better.
“I don’t have to tell anyone who is responsible for a specific function in my organization,” says Kabay, who is also the graduate school’s chief technical officer. “It’s basically nobody else’s business. I teach management and security, and I argue very, very strongly against publishing the complete directory of employees, their titles and phone numbers. I don’t allow out-of-office messages, especially if you’re out of the office on vacation.”
That kind of information, Kabay argues, can be used to gain unauthorized access to a network, leading to sabotage, the theft of intellectual property or huge financial losses. Likewise, an open-source discussion about specific attacks and defenses can be helpful to cyber-intruders. “They have computers, too, and they’re smart,” Kabay says. “They can deduce weaknesses and, in fact, can invent ways of exploiting vulnerabilities.”
The current president of Vermont InfraGard is Rich Parker, the chief engineer at Vermont Public Radio in Colchester. Parker isn’t the group’s first member to compare the organization to a neighborhood watch, and he won’t be the last. “The local police might contact a neighborhood watch group,” Parker explains, “and let them know to be on the lookout for a middle-aged man, 5-foot-8-inches, slightly balding, driving around a certain neighborhood in a gray Pontiac, stopping and talking to unaccompanied children.
“Now, would it be appropriate to post that information at the corner café,” Parker continues, “where the suspicious person, or a person working with them, would see it and where it might warn them to change cars or appearance or neighborhoods?”
No, he says, it wouldn’t. The best scenario would be for police to approach a “known, trusted group of individuals” who would help spread word of a threat and be the eyes and ears of law enforcement.
Back in 1999, Gary Kessler, that said, Parker says, “If the police came to the group and said, ‘We’re asking you to let us know if you observe your neighbors involved in any political activities of the following kinds,’ of course, most of us would just tell them to go pound sand.”
A computer forensics expert and member of the state’s Internet Crimes Task Force, began urging his information-technology “buddies” to start thinking seriously about the threat of cyber-crime. The response was underwhelming. “Everybody said, ‘You’re crazy,’” Kessler recalls. “‘It’s 1999, we’re worried about Y2K.’”
The birth of the millennium came and went, but a few months in, after a series of network-security breaches — including well-publicized intrusions at AOL and Yahoo — Kessler’s idea gained traction. In September 2000, he invited information-technology people from private business, state government, academia, the military and the health-care industry to a meeting at a Burlington hotel. Kessler also invited a local FBI agent, Tom Leene, who called a couple of agents over from the regional office in Albany to give a presentation.
That’s when Kessler first heard about InfraGard, which began in 1996 in the Cleveland FBI field office as a way to gain support from business and academia in the war on cyber-crime. In May 1998, President Bill Clinton signed Presidential Decision Directive 63, officially inviting the private sector to help law enforcement protect eight specific infrastructure “sectors”: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services and government continuity.
M.E. Kabay, who testified before Congress in support of Clinton’s final directive, says coordinating private and governmental resources to secure the nation’s most vital operations was long overdue. For one thing, those operations were increasingly linked and controlled by computer networks that were astonishingly vulnerable.
“The Internet originated in the 1960s,” Kabay says. “It was never intended to be secure. We face vulnerabilities because of our dependency on relatively weakly protected networks.”
The FBI’s National Infrastructure Protection Center took responsibility for InfraGard in the wake of PDD-63. Each FBI field office was charged with designating a special agent to coordinate interest in the organization, and local chapters began to form across the country. Members, collectively called the Alliance, are represented by an elected board of directors, and each chapter chooses its own officers.
Kessler, who is secretary of Vermont InfraGard, says there are different ways of looking at the chapter’s membership. Fewer than 100 have signed a Secure Access Agreement, which precipitates an FBI records check for signs of involvement in terrorism or espionage, the criminal use of a telecommunications system or the mishandling of classified information. Vermont InfraGard’s mailing list includes about another 100 people who have opted not to sign the agreement, Kessler says, although they enjoy some rights of membership.
“The Vermont chapter, being the feisty group that we are, have always said we put this together for our own mutual benefit, for information sharing and protection,” Kessler says. “And if people want to belong and not be vetted by the FBI, we’re OK with that — unless it matters.”
One place where it matters is InfraGard’s secure website, a private portal to recent and ongoing cyber attacks and protective measures that have been employed against specific intrusions. Much of the time, the list’s members are watching their own networks, picking up cases of port-scanning, which hackers use to locate network vulnerabilities, or tracking large amounts of spam from an unusual source and, according to Kessler, “giving each other a heads-up.”
Since 2003, when the National Infrastructure Protection Center was moved to the U.S. Department of Homeland Security, InfraGard members have received daily, open-source reports from DHS about imminent threats. When a significant security breach occurs, Kabay says, it’s important that the communication about it be restricted to those who can prove “they are who they say they are and work for the people they claim they work for.” Defending against a cyber attack on an insecure network runs the risk of tipping off the attackers to potential lines of defense.
“The last thing you want to do is say, ‘Oh, look, I’m being attacked,’” Kabay says. “You want to keep a lid on it and let people you trust know you have a problem so you can get a wide range of technical information and recommendations.
“It could take hours or days to track the actual origins of an attack,” he continues, “and if someone else was victim to the same criminal organization, it’s possible we could save time by sharing information and going to law enforcement with the right information quickly.”
While it’s hard to argue with that logic, it’s clear that, since Sept. 11, 2001, the private sector has been encouraged to carry out more functions of law enforcement. Meanwhile, considering the federal government’s illegal wiretaps, fraudulent national security letters and corporate immunity for violations of customers’ privacy rights, its commitment to due process has been called into question by the guardians of civil liberty.
The ACLU and the Electronic Privacy Information Center (EPIC) have both criticized so-called Information Sharing and Analysis Centers, which have been springing up around the country since the late 1990s. There are currently 11 ISACs, whose purpose is to “collect, distribute, analyze and share sensitive information” about threats to specific U.S. industries.
Likewise, plans to create a nationwide network of “fusion centers” designed to “integrate public safety and private-sector entities” with law enforcement have raised suspicions among civil libertarians. According to EPIC, the information collected in fusion-center databases — Vermont’s is in Williston under the direction of the Vermont State Police — would come from an expanding array of sources: banking institutions, the criminal justice system, schools and universities, hospitals, public-health agencies and primary-care physicians, hotels and restaurants, postal and shipping services, private security firms and social services.
“After 9/11, law enforcement felt that there was lots of information out there, but it wasn’t collected in a place that could provide for effective retrieval and aggregation to get profiles and leads on people who might be trying to commit any of a number of crimes,” Gilbert explains. “I’d be curious to know if any of the data or information that InfraGard might be able to provide is ending up in these fusion centers. My guess is that it is.”
Meanwhile, beginning with the first Cyber Security Enhancement Act in 2002, private companies have been granted greater license to disclose customer records in life-threatening situations. The Act has also expanded law enforcement’s surveillance powers by authorizing the use of pen registers, which record all numbers dialed from a particular phone, and trap and trace devices that mine signals from a telecommunication system.
Gilbert says the ACLU is also worried about the government secrecy surrounding all the information sharing. The organization has been challenging proposed exemptions to the Freedom of Information Act for “critical infrastructure” and “cyber-security,” which would presumably prohibit from disclosure information that may have originated with InfraGard. And, the ACLU says, it’s unclear whether information gathered in “real time” by FBI monitoring of web traffic — a.k.a. surveillance — would be subject to privacy laws.
While Kessler says the FBI’s claim that InfraGard has contributed to some 95 criminal investigations is “wholly believable,” he argues that the organization is “not a corporate pipeline to the cops.”
“The FBI could no sooner get student information from Champlain College,” Kessler says, “than they could from a college where there was no individual with InfraGard membership.”
Although M.E. Kabay subscribes to The Progressive, he hasn’t yet seen the March issue’s cover story on InfraGard, entitled “The FBI Deputizes Business,” by Progressive Editor Matthew Rothschild.
Prompted by a reporter, Kabay dials up the magazine’s website to scan the article in his Norwich office. When he gets to the part where Rothschild suggests that InfraGard members have the authority to “shoot to kill” in the event of martial law, Kabay can’t contain his astonishment.
“What on Earth is he talking about?” Kabay wonders out loud. “They have permission to shoot to kill?!”
The FBI quickly published a response to Rothchild’s piece, saying the agency has not “deputized” InfraGard members. Moreover, InfraGard members possess “no extraordinary powers and have no greater right to ‘shoot to kill’ than other civilians.”
Kabay says InfraGard members are all “people of good will” who appreciate having an FBI agent who will take their calls when they suspect a serious breach of infrastructure security is about to occur.
“We’re a defensive organization,” Kabay says. “We don’t harm anybody else. We don’t attack anybody else. We are a threat to no one except criminals.”
Kabay is, in fact, a member of the ACLU who believes the Bush administration’s record on due process is abysmal. He has written about the danger of overzealously pursuing cyber-crime, most recently when a federal judge upheld the right of a Vermont man, who had been accused of possessing child pornography, to refuse to divulge the password to his encryption software. Kabay lauded the judge’s decision. “Oh, my,” he says as he skims Rothchild’s story. “I must write to The Progressive.”
It’s not clear how many Americans, beyond the established champions of civil liberties, actually care about government intrusion. According to a May 2006 poll by ABC News and the Washington Post, most Americans agree that surveillance of telephone records is an acceptable way for the federal government to investigate possible terrorist threats. Sixty-five percent of respondents said that terrorism investigations should not be hindered by government concerns over personal privacy intrusions.
Gilbert, of the Vermont ACLU, isn’t entirely surprised by this ambivalence. He said Vermonters, who “love to say they value privacy rights,” have shown a willingness to allow government to collect personal information. A case in point is the state’s database on prescription drug use. The goal, Gilbert explains, is to get help for people who appear to be abusing the drugs. However, prosecutors could also access the database, which is controlled by the state health department, to investigate crimes.
“In a lot of other states these things have become huge bones of contention,” Gilbert says. “Some legislatures have said, ‘Get out of here, we’re not going to do this.’ In Vermont, people thought it was an OK idea. It was astounding to me that people were so accepting of this.”
Gilbert believes it may be because Vermont is small and people are more trusting. When government officials say personal information will be kept secure and remain confidential, Vermonters tend to take them at their word.
When the FBI first proposed a Vermont InfraGard chapter, Gary Kessler recalls, potential members exhibited a “natural nervousness” over the idea. He describes the Vermont chapter as “ex-patriot hippies” who take their professional responsibilities, but not themselves, seriously. “We wanted to be sure that if we can get together and do stuff and help the FBI, then fine,” Kessler recalls, “as long as we could still maintain what we felt our charter was: that we are a Vermont group, concerned with helping Vermonters.”
Information security is a serious business that seems to grow more serious by the day. A 2005 computer-crime survey by the FBI found that 90 percent of American businesses and private-sector organizations have been victims of cyber-security breaches. One in five companies reported more than 20 incidents in 2005 alone, and two-thirds of all attacks led to some financial loss.
And the damage isn’t necessarily over when the breach is corrected. TJX, a Framingham, Mass.-based retailer, spent close to $250 million to settle several lawsuits following the theft of information from 45.7 million credit and debit cards. Not surprisingly, within days of Hannaford’s announcement, lawyers in Philadelphia and Maine filed class-action lawsuits on behalf of customers in states where the chain does business.
One potential victim of the Hannaford breach is Rich Parker. He may be president of Vermont InfraGard, but Parker had no advance warning that he might be the victim of cyber-crime. He found out his card had been “compromised” by calling his bank and asking.
“You’d probably be quite surprised,” Parker says, “at how little special access to information we [in InfraGard] really have.”