A fledgling nonprofit group working to develop an automated cyber-attack early warning system, the Cyber Incident Detection Data Analysis Center (CIDDAC), is about to begin a pilot project to collect data on network intrusions from a group of companies in national-infrastructure industries.
Backed by a grant from the U.S. Department of Homeland Security, CIDDAC has set up an operations center at the University of Pennsylvania's Institute of Strategic Threat Analysis and Response laboratory. Around 30 organizations will eventually participate in the project, although some are still being selected, according to CIDDAC Executive Director Charles "Buck" Fleming. He expects to have useful data from the pilot test in about five months.
CIDDAC has been two years in the making. Fleming, the former president of Philadelphia-based Linux services company LinuxForce Inc., says that after the Sept. 11, 2001, terrorist attacks he began talking with others in the IT industry about the need for protections against a terrorist attack on the nation's electronic infrastructure. CIDDAC's focus is on linking together organizations in industries such as banking, electrical power, gas and oil, telecommunications and transportation.
CIDDAC doesn't disclose the names of its members, and none are yet willing to publicly identify themselves, according to CIDDAC representatives. However, the organization's board of directors includes executives from Liberty Bell Bank, the Federal Reserve Bank of Philadelphia, gas company Air Products and Chemicals Inc. and energy consultancy Kema Inc., according to CIDDAC's Web site.
The center will use a network of sensors, dubbed RCADSs (Real-Time Cyber Attack Detection Sensors), to gather information on intrusions and attempts. Because of concerns about corporate data privacy, the RCADSs will sit outside corporate production systems. When threats are detected, the identity of the reporting company will remain confidential. The goal is to issue real-time alerts to other member companies about attack attempts, in hopes that they will be able to head off further intrusions if a large-scale, coordinated attack is under way.
CIDDAC will also pass collected information on to law enforcement agencies, but Fleming emphasized that serving private-sector alert needs is the group's priority. "Our purpose is first to add a dimension of protection to the private sector that currently doesn't exist," he said. Eventually, CIDDAC plans to collect annual membership fees from its members; for now, pilot project participants have contributed to its funding.
Several other organizations already focus on real-time alert detection, such as the CERT (Computer Emergency Response Team) Coordination Center and the SANS (System Administration, Networking, and Security) Institute's Internet Storm Center, Fleming said. CIDDAC isn't yet working with others in the security community.
CIDDAC so far seems to be off the security industry radar: A CERT spokeswoman declined to comment on whether CERT has talked with CIDDAC, while independent, highly connected security consultant and writer Bruce Schneier said he had never heard of CIDDAC. Building a critical mass of companies participating in its detection network will be essential to CIDDAC's success. Fleming said recruitment will be easier after CIDDAC has data from its pilot project to work with.
For now, after two years of behind-the-scenes work, he's pleased to be taking the first step toward bringing the project online.