A Requiem for CIAC
Those of you who know me probably remember that my real start in the information security profession was my having founded and managed the Department of Energy’s Computer Incident Advisory Capability (CIAC)* while I worked at Lawrence Livermore National Laboratory (LLNL) back in the late 1980s. This was a real “trial by fire” job, with incredibly horrific politics both within the DOE and LLNL, new and increasingly complex incidents emerging all the time, and a shortage of resources. The team started with four full-time people, Dr. Tom Longstaff, Ana Marie de Alvare, David S. Brown, and myself (the program manager), and one part-timer, Russell Brand. We worked ourselves to the bone, trying as hard as we possibly could to be of service to the entire, often quirky DOE community (which at the time included 78 DOE sites and laboratories as well as DOE headquarters). One of the best outcomes of our efforts was that we provided timely security alerts about new, significant vulnerabilities as well as ongoing incidents that could potentially adversely affect the sites we served. We crafted the bulletins such that the first part provided a higher-level perspective and analysis, something that managers could understand, while the rest of the content described procedures that system administrators could follow to patch systems or to apply workarounds until a patch was available.
For various reasons, virtually all of the original team members left CIAC by 1992. A new generation of team members and new management came, and with these changes the original vision for the CIAC effort quickly began to erode. CIAC increasingly became a political entity, to the point that posturing in front of DOE managers and the DOE community itself, and obtaining more funding, became the main objectives of the effort instead of delivering useful services. Once, when an external attacker broke into one of the systems that CIAC operated, the program manager fired the system administrator who had advised others of the break-in instead of admitting what happened and apologizing to those who were affected by this incident. CIAC members were not as technically astute, either. For example, while investigating sniffer attacks at a DOE site, a member of the CIAC team initiated a cleartext remote login to one of CIAC’s servers without any realization whatsoever that a sniffer might be used to capture his password. More compromises of CIAC computers occurred shortly afterwards, again followed by a gigantic cover-up. CIAC then quit producing its own bulletins, and instead plastered the CIAC logo on top of CERT/CC bulletins. CIAC obtained more funding, but produced less and less.
I observed the negative trends in the CIAC effort with dismay. Once when I approached the then program manager concerning what I perceived was happening, I was sharply rebuffed. Slowly but surely I came to the painful realization that CIAC was little more than a cash cow to LLNL, and that most of the CIAC team members were both underqualified and undermotivated. Some of the team members spent a good deal of time talking to the press, claiming that they had singlehandedly caught hackers and had gotten them arrested, something that was completely fabricated. I cannot tell you how disturbing all of this was to me—to see something that I as well as the original team members had created fall to such depths.
Last week something very significant happened—the DOE announced that CIAC would be funded only for a few more months. When I heard the news, I felt great relief, because an organization is known by its products, and CIAC quit producing anything of value years ago. I also feel good that taxpayer dollars will no longer be wasted the way they were for so many years. I suspect that DOE will turn to US CERT for its incident response services, something that at least will ultimately result in some degree of cost savings.
But before I close, I would like to pay a tribute to the original CIAC effort. What a phenomenal job Tom, Ana Maria, Dave, and Russell (and also some of the second round of team members such as Jeanie Larson, Hal Brand and Marvin Christensen) did! And we were so fortunate to be managed by some of the DOE’s best managers, particularly Phil Sibert, Phil Prysucha and Ron Shores. It was also a privilege to work with top-notch security managers at DOE sites, such as the late Charlene Douglas of Los Alamos National Laboratory, Ron Marcum of Oak Ridge National Laboratory, Bettie Meadows of the Savannah River complex, and J.D. Fluckiger of Pacific Northwest National Laboratory. Hopefully, long after CIAC is gone, people will remember at least some of the accomplishments and contributions of this team and the people who worked in connection with it.
* – The CIAC acronym was later changed to stand for the Computer Incident Analysis Center