The Recent Plane Bombing Attempt: Lack of Event Correlation Combined with Failure to Share Information
The U.S. Department of Justice recently charged a 23-year-old Nigerian with trying to blow up a Northwest Airlines airplane as the plane was close to landing on Christmas Day. The suspect, Umar Farouk Abdulmutallab, reportedly claims to be an al-Qaida agent. The suspect allegedly went to a bathroom in the plane because he claimed he was sick. When he came back to his seat, he allegedly pulled a blanket over himself and then pulled out a syringe and used it to ignite explosives that he had in his underwear. According to accounts of the incident, the man’s pants and the side of the plane’s wall next to him caught on fire, but passengers and flight crew held him, took away the syringe and extinguished the fire.
The story of the attempt to blow up an airplane really has nothing to do with information security per se. Still, I chose to write about this event because it could and should have been prevented in the first place, and the lessons learned are very relevant to information security. What is incredible to me is that a little over four months ago the U.S. Central Intelligence Agency (CIA) had become aware that a Nigerian was possibly involved with terrorist circles in Yemen, although the man’s name was unknown at the time. Then three months ago Abdulmutallab’s father went to the U.S. Embassy in Nigeria to report that his son was missing and to request help in finding him. The father also said that he believed that his son had ties to al-Qaida in Yemen. The CIA never put two and two together, so to speak—it was unable to correlate pieces of information that proved to be critical. President Obama reacted by saying:
“There were bits of information available within the intelligence community that could have and should have been pieced together.”
The fact that the CIA was unable to correlate the information it had received is not unique to the government arena. Organizations constantly receive fragments of information—that reconnaissance scans and probes from certain IP addresses occur, followed by attempts to exploit vulnerabilities, followed by unusual patterns of connections and/or anomalous system behavior. These organizations too often rely on point solutions such as individual firewalls, intrusion detection systems, and intrusion prevention systems to monitor network activity. In so doing they are unable to determine the context of events that occur. Dave Shackleford sums up this problem nicely in a SANS white paper available at http://www.sans.org/reading_room/analysts_program/adaptiveSec_Dec08.pdf:
“In today’s dynamic threat and network environments, standalone Intrusion Detection/Prevention Systems (IDS/IPS) cannot protect against the ever-changing attacks and vulnerabilities. The reason: Standing alone, IDS/IPS lacks the context it needs to reliably distinguish an event from a non-event and prioritize protection based on business-critical rules. Context can be helpful in determining when an event indicates a security incident, such as a deliberate remote buffer overflow exploit attempt, as well as when events are nothing more than false positives, such as poorly configured applications sending out broadcast packets.”
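As an added illustration (not part of the original post or of the SANS paper), the kind of cross-source correlation the preceding paragraph calls for: events from a firewall, an IDS and a flow monitor are joined on source IP and only reported as an incident when recon, exploit and anomalous-connection stages appear in order within a time window. The source names, stage labels, timestamps and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three point solutions. Each tuple is
# (timestamp, reporting source, stage the source can see, source IP).
EVENTS = [
    ("2009-12-25T09:00:05", "firewall", "recon",   "198.51.100.7"),
    ("2009-12-25T09:00:09", "firewall", "recon",   "198.51.100.7"),
    ("2009-12-25T09:14:30", "ids",      "exploit", "198.51.100.7"),
    ("2009-12-25T09:20:02", "netflow",  "anomaly", "198.51.100.7"),
    ("2009-12-25T09:05:00", "firewall", "recon",   "203.0.113.9"),  # scan only
    ("2009-12-25T11:45:00", "ids",      "exploit", "192.0.2.44"),   # lone IDS alert
]

# Expected progression; an incident requires all stages in this order.
STAGES = ("recon", "exploit", "anomaly")


def per_source_view(events):
    """What each point solution sees on its own: a count of distinct IPs it
    flagged, with no way to tell a real intrusion from background noise."""
    seen = defaultdict(set)
    for _, source, _, ip in events:
        seen[source].add(ip)
    return {source: len(ips) for source, ips in seen.items()}


def correlate(events, window=timedelta(hours=1)):
    """Group events by source IP and report an incident only when the stages
    are reached in kill-chain order, all within `window` of the first hit."""
    by_ip = defaultdict(list)
    for ts, source, stage, ip in events:
        by_ip[ip].append((datetime.fromisoformat(ts), source, stage))
    incidents = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort()                      # chronological order per IP
        matched = []                    # (time, source) for each stage reached
        for when, source, stage in evs:
            if len(matched) < len(STAGES) and stage == STAGES[len(matched)]:
                matched.append((when, source))
        if len(matched) == len(STAGES):
            span = matched[-1][0] - matched[0][0]
            if span <= window:
                incidents.append({"ip": ip,
                                  "sources": [s for _, s in matched],
                                  "span_minutes": int(span.total_seconds()) // 60})
    return incidents


if __name__ == "__main__":
    print("point-solution view:", per_source_view(EVENTS))
    print("correlated incidents:", correlate(EVENTS))
```

Run alone, each source reports two or one suspicious IPs with equal weight; only the correlated view singles out the one address that progressed through all three stages.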
Perhaps even worse is the fact that the CIA kept the information about the suspect that it obtained completely to itself. Had the CIA shared this information with the Department of Homeland Security (DHS), the State Department, and other U.S. government entities, the fact that the suspect had an active U.S. visa and that he was on the passenger list for an upcoming flight to the U.S. almost certainly would have been discovered, in all likelihood leading to a precautionary cancellation of his visa and/or including him on a no-fly list. Additionally, the probability that somebody in other agencies or departments would have correlated the various bits of information obtained about the suspect would almost certainly have increased substantially.
The problem of lack of information sharing within government circles is anything but a new problem. But lack of information sharing is by no means limited to within the government. Commercial and other entities also fail to share critical information about cyberattacks that they have experienced, thereby depriving other organizations of the ability to recognize and defend against new as well as persistent types of attacks and hampering law enforcement efforts. The creation of numerous Information Sharing and Analysis Centers (ISACs) within various verticals has helped some, but has by no means solved the lack of information sharing problem.
Stating problems without solutions is a poor practice, so I’ll propose a solution to one major problem that I have discussed in this posting. How about a Presidential edict that mandates firing any government employee who is the head of any government agency or department that fails to share critical information affecting U.S. interests (such as countering terrorism) with other agencies and departments that need this information? If such an edict were put in place, I’d bet that heads of agencies and departments would do everything they could to ensure that critical information was shared. President Obama, are you listening?