Interview with Stanley “Stash” Jarocki

by rthieme on August 1, 2001

Interview with Stanley “Stash” Jarocki, Board Member of the Financial Services ISAC

Interviewed by Richard Thieme

This is the transcript of the original interview which was significantly edited and reduced by Information Security Magazine as a sidebar to the interview with Ron Dick. I think Jarocki’s insights are worth preserving so the entire transcript is presented here. Whatever was kept by Information Security Magazine is copyright Information Security Magazine 2001 and whatever was left over is copyright Richard Thieme 2003.

Stash: I am Treasurer of the FS-ISAC, a Board Member, and one of the founding members of the ISAC. I actually built it.

RT: How is NIPC doing in light of its charge? What’s your experience?

Stash: Can I take the fifth amendment? (laughs) Let me back up because it’s important to understand some things. Our relationship is developing. It’s been like a courtship. Both of us have been accused of the negatives because it sells in the press but back in 1999 the working committee got together and agreed to do something as a group of people and do it by ourselves, which is a key issue. If you do it that way you can clearly define your industry and the participants will trust each other. That model came from CDC, a very simple model. The key word is “trust.” We needed to create a mechanism whereby we would exchange information in a trusted format by ourselves with little or no nudging from anybody else. That way we could actually understand what we needed to share in a way that enabled us to come out with something useful but that also factored in that we were competitors who needed to cooperate. We did something very important: we said that all information would be voluntary and anonymous, so it could not be attributed to one particular bank or another.

That said, we asked, how can we operate with government agencies? During Y2K, everyone was allowed to cooperate with everyone else as well as the government because we “Y2K”ed everybody. There’s no anti-trust because we’re exchanging information, no FOIA because a lot of it is public anyway and we will not publish things that will make people unduly afraid, and lastly, we could cooperate with the government because there was no reciprocity and liability issues were handled.

Vatis said, why not join InfraGard, and I said, because I can’t. We can’t share all of our stuff with the government because we don’t know what laws are applicable. Now, the joke is that by the time it goes through government it’s two years later and who cares –

RT: Public companies can not risk even rumors of rumors because of potential exposure.

Stash: Correct. It’s a matter of perception. Back in 1983, there was an incident with a major bank due to a programmer’s mistake which doubled payouts. It started on Friday and by Monday people didn’t have any money. They didn’t lose money, the bank was able to correct the error and make things whole, but Citibank gained 100,000 new customers because the perception was, “you’re not handling my money correctly.”

NIPC at first was very aggressive, but our problem as an ISAC was that data was shared among the membership. We guaranteed that the information came from a member but no one would know who. The rule was, anything that depicts criminal acts, we found the appropriate SARs and everybody was happy, so there was no attempt to break any laws and we maintained the legal structure to which we were bound by regulations. We also had the capability of storing information and letting members know. The financial sector is a 24/7 operation, so we realized we had a flash message system so that what we had been doing informally and as friends we could now do formally and hit all of our members with a single message.

The next thing we said to NIPC (October 1, 1999) was that we would pursue what was possible in court. We needed laws. We talked with DOJ and tried to work out the details because there were a lot of legal issues we needed to cover and we needed to address congressional perception. So we said we would do it, but Y2K was around the corner. It was a very positive exchange but this was 1999 and Y2K took priority.

Our issue was, once we knew our legal position, we wanted to be able to share three forms of data, and we still haven’t resolved this. The first set of data is intelligence data that is meaningful to us but may require clearance to get it. We would want to get out the information that said technically what was going on, we don’t care about the source. Intelligence deals with sources but all I care about are techniques.

The second set of data says what we share together as banks. The third set of data is data that could potentially be judicial. If it looks like a case, and over time NIPC became the FBI for all intents and purposes, rather than being housed by the FBI, if they felt it was appropriate, they could put a judicial jacket around it, say it was a case file, and nobody could get at it. That was our main issue. We said we can’t share data that you may put a jacket around so we can’t get our own data. If I go to the FBI today and say I have a case and need information and they go by law and do it the right way and get a grand jury subpoena and grab everything and then I come down and say I want to see it, they can say, sorry, it has a grand jury subpoena around it and you’re not cleared. You can’t see your own data.

RT: Different MOs determine different behaviors.

Stash: And there’s something else. Their paychecks are geared to the number of cases they solve. One of their metrics is, look at how good I am. If the volume of cases and solutions are high, you look better at budget time. That’s a significant driving force. I worked in government and I understand that process.

We said we potentially have an impasse. Dick Clarke had said essentially for two years that the government would give us everything and never expected anything back. That was our working premise. NIPC was always saying what are you going to give us, and we would say, what are you going to give us? Nothing came our way.

RT: The computer security community often critiques them for working that way. It all flows downhill.

Stash: Yes, and I want to know what’s going to come back up. So we courted each other for about a year, and with Ron Dick, I think we have a different profile. The profile now is much more like the original conversation that we had, which is positive. I have been lobbying for an exchange of data in a positive sense. I suggested a simple solution: let’s pick, say, a dozen things we’re concerned about, like buffer overflows, viruses, IP addresses that attack me – basically IDS information – and let’s expand that list. We can also share the data schema of our databases, so effectively, the language we use across all of our databases is consistent. That way we mean the same thing by “incident” or “vulnerability.” We’ll have the same taxonomy. Then we’ll establish a protocol which is proper. If I refuse to allow you to look at my database, you won’t let me look at yours. So I have to do it first, because we need to build trust, just like at CDC. If I have information that fits our list, we can use these dozen items to get a success story going.

We agreed that all announcements would be simultaneous. Over the past months, NIPC has come to us with things like the Microsoft stuff that affects the financial community. How can we best publicize it in a way that makes sense? So we worked with them on announcements, and that’s positive case number one. We’ve had several others. We know we understand the judicial system but we have to learn to use and understand the same language.

So what we do needs to be legal – it needs to be appropriate, so our members are in agreement with it – and it must maintain the privacy of my client base and the confidentiality of my client. So we are writing furiously between us to choose the items, we have a schema for the database which is positive, and we said, give us raw feeds of published data, which sounds small but really is a big deal because it lets me analyze the data differently than if I did not have the raw data. So that’s positive.

RT: So how far have we moved, on a scale of 1 to 100? I understand how much energy and work it takes to move ahead, but it does sound like baby steps.

BREAK DUE TO TELEPHONE CABLE BEING CUT

Interview resumed on June 19, 2001

Stash: We also defined an escalation process so that if they found something, they would feed it to the Board of the ISAC. We agreed to be on 24/7 call so we can do joint things. We were really trying to decide on the protocol we needed to make things happen.

We also had to make something else crystal clear. When it came to computer crime or fraud, the financial sector said up front, we are still going to do everything we are legally bound to do. We are not hiding any cases. They said they were willing to give us information, but also said they would like to announce they were doing certain things at certain times. So we established a protocol so that if they wanted to make an announcement about the financial service sector, several of us would be sounding boards so they would not publish something that did not make sense in terms of our vocabulary. We don’t expect them to be financial services experts. So that’s a done deal. And it’s working. It also stops yellow journalism which does not gain anybody anything.

The second part was, what information can we catalog or share? We looked at the big schema and said, we’ll definitely share virus information. Let’s share data about hardware issues like buffer overflows. And let’s share IP addresses of attackers and put them into your database. What we need are the algorithms, and since I came from government, I know the government has good fast algorithms. We have in effect shaken hands on that and we’re also asking, how do we connect the wire form here to there? Maybe it’ll be virtual, but we’re working out the logistics of exchanging information. We are not going to give them access to the database. It’s not legal and not appropriate. This same condition has been worked out with the Joint Technical Task Force for Computer Network Ops and the U. S. Secret Service. Some, of course, are more enthusiastic than others, but I am emphatically happy with what’s happening. Treasury has always been a strong supporter but now they’re even stronger. Secret Service is absolutely wonderful. So potentially we have a positive story to tell but it’s taken a while.

RT: A letter from the NSC, signed by Andricos but strongly influenced, we think, by Dick Clarke, says, “… some CIP functions might be better accomplished by distributing the tasks across several existing agencies…. Other functions could be shifted to federal agencies that do not have the policy and legal impediments that are inherent in the NIPC.”

Stash: I agree. Here’s the problem: I think we need Swiss oriented agencies, they have to be neutral. When NIPC started out, they were neutral. But I asked, how do I differentiate between InfraGard and the FBI? I wanted neutral territory. I have to give Dick a lot of credit because he’s trying to create that, but it’s going to be a hard row to hoe.

RT: How do you see this evolving? Where will responsibilities shift or boundaries change in order for the work of the NIPC to align better with what really needs to be done?

Stash: How do we balance all of this? I think there’s a way to balance it. We need to get all of us responsible for data in the room, throw out all politicians and ruling bodies, come up with our schemas and tack them on the wall, then ask, what can we really share? For some information, we’ll have to say, this is judicial, this is commercial and sensitive, this is intelligence, this is public domain, and map it all. I am trying to describe a real way to share information, but first you have to do data definitions. Until we accept that, we ain’t going anywhere. More importantly, I need to know where all of our databases are. Given XML and a bunch of wires, we could stick them all together and have some fun. On a technical basis, I don’t think there’s a problem. If we share quality technical information from databases, then what happens? Look at it this way. Me and the cracker out there are in a horse race. The cracker is ahead of me by five furlongs. I want to wind up with a photo finish. Maybe he or she wins some of the time. The issue becomes, what happens? They tell me I have not really solved the problem, but yes I did. I took a five furlong lead and shortened it down to a photo finish. I significantly reduced my risk and expenditures and now we have a fighting chance and I am not spending hundreds of thousands if not millions of dollars on virus control.

RT: Risk management is defined in nanoseconds. To the degree that you can shorten the time between an attack or intrusion and your response, you reduce your risk. Those are the numbers that matter.

Stash: Correct. Plus my feeling is that the bad guys at large are testing this stuff. So I want NIPC and the Secret Service and others to look for anomalies. Crackers are out there testing and if I can find out what they’re testing ahead of time, I can figure out something that makes sense.

RT: You’re plugged into the gray and black worlds –

Stash: Sure, most of us have aliases, because we played too. So we’re getting there. I want to share data with the analysts so we can – say, something simple, just share IP addresses. My server at home was getting whacked through a university known as a haven for kiddies to play. They found who was doing it and took care of it. We can do that.

RT: Again and again, you and others raise the issue of definitions and vocabulary. You distinguish technical issues from legal inhibitions. I think the technology is driving boundaries and therefore organizational identities in new directions. The distinctions or definitions people are trying to use are grounded in the organizational structures of the past. That’s one reason public and private entities are feeling so much stress trying to communicate and cooperate. Looking out ahead, do you see realistic change in that direction, to take this dynamic into account?

Stash: In light of that, I don’t think we can sit around waiting. Dick Clarke said at our last meeting, there are all these databases, so why don’t we share? I said, you tell me. You’re leading it and in two years you couldn’t make the sharing happen. We don’t know where the thing sits and we’re at a loss because we’re not using the same terminology. We really need to sit down all of the owners of the databases and do it, but there’s another key issue: once we have a new set of definitions, we need to go to the legal profession and come up with a taxonomy that makes sense.

RT: Which is not going to be easy. I spoke recently to senior lawyers at Treasury about that, and one said I was telling lawyers to be pulled forward into the future when their points of reference are precedents in the past.

Stash: Correct. And once you define it, there’s another issue: we need to go to law makers and say, pass some laws aligned with our definitions.

RT: So people who think at light speed and work on the front lines are going to get Congress to realign legal structures so they fit the real world? That’s the huge gap where security breaks down.

Stash: Right. And there’s one more past that which we can’t get them to do. If we’re going to share as ISACs at the lowest level, they need to Y2K us in a couple of ways. FOIA is kind of a joke but I’d like to have it because it makes a lot of managers happy.

I’d also like to have the ability to go there and say, we’re going to work together as an organization and we need some way to connect on an extranet so the classic hacker cannot get in and see my cookbook. I am determined not to write the cookbook for the hacker and the cybergalaxy. Third, we need to make everyone free from liability as we did during Y2K. We know we’re doing things wrong. We’re not doing it maliciously or negligently, we simply built a system that has flaws in it, like Y2K. So get rid of the frivolous lawsuits while we’re fixing it.

Look at the security problem from a larger perspective. If we got together and said let’s create new access controls and build secure pipelines using crypto, you think we couldn’t solve this? But instead, all of us are doing the same problems over and over again and it’s a waste. At FS-ISAC we went over a list of four hundred research projects and the duplication and millions of dollars being wasted was a scandal. We tell Congress to stop it but they say, well, we get different advice.

RT: A congressional staffer told me of a committee chair who oversaw some of these issues but had never used a laptop. They set up a network using powerbooks and invited him to begin, and he stood there looking down at the laptop and finally said, “Hello? Hello?”

Stash: Yes. And emails are wonderful but they give secretaries the passwords and they print everything out.

I think we’re almost at the altar but we haven’t consummated the first night. We’re so close – I’ve got a drop dead date in August by which I will have all of this stuff up and running. And I will. Trust me.

RT: What has driven your passion for security all these years?

Stash: I had four years at Seton Hall, a minor seminary, and I am really afraid that people who are not classically trained in theology as well as in the information age are controlling mechanisms that govern society. When a real crisis happens, they will not be prepared. I talk to the Secret Service about identity theft. People are getting the idea that identity is transferable – well, it’s not. It’s mine. Leave it alone.

Human beings are capable of destroying this society overnight. That scares me.

I was a hacker when being a “hacker” was a good thing. I tore apart computer systems and everything else. I enjoyed it because it became – really – a kind of religious experience. I lived by machines. But I think of Forbidden Planet too, where they pursued all knowledge to their ultimate detriment.

RT: Forbidden Planet was based on Shakespeare’s Tempest. That tells me we’ve been here before. Shakespeare lived on the cusp of an age defined in part by the print revolution, and when he looked ahead to the kind of humanity created by technology – humanity with individual rights, new kinds of identities – he created tragedies based on that new view of human nature. With every revolutionary change in the technology of the word, people have raised the same objections and voiced the same fears.

Stash: So we’ve been here before. But the transition is going to kill a lot of innocent people.

RT: Others like Dan Geer say you can’t do this work unless you know what’s at stake.

Stash: At NSA, we were aware of what’s at stake all the time. More recently, I was the technologist/auditor who went after the Russians during the Citicorp attack. When you spend months and months 24/7 trying to solve that kind of problem, you do go through that. You know what’s at stake. I don’t want my colleagues to go through the same thing I did. There is absolutely no reason for us to be foolish again.
