Cybersecurity Advisory Council

by Martin Purschke

Many in the RHIC/AGS community know me from my work in PHENIX. Since the beginning of 2007, I have been the chairman of BNL's Cyber Security Advisory Council (CSAC). The mission of the council, which consists of about 25 members from ITD, the departments, and larger groups, is to work with and advise ITD and ensure that new rules and other changes have no adverse impact on our scientific work. (You can read the formal mission statement in the SBMS). I wanted to fill you in on what has been going on in this arena lately.

Cyber Security Issues

There have been a number of cyber security evaluations by various groups over the past year, and BNL has not been doing so well on those. The teams that came in had relatively few problems penetrating our defenses. The biggest achievement since then has been the renewal of the Lab's "Authorization To Operate" from DOE, which was granted after the problems that were found had been addressed. It is in our interest to score much better the next time around. CSAC's job is to make sure that we go about this without disrupting our scientific mission.

"Technical Management Requirements" Drafts

Over the last few months, the big-ticket item has been a number of so-called "Technical Management Requirements" (TMRs) from DOE, which attempt to set some ground rules for a number of things concerning computing around the National Labs. You can immediately see the problem: one cannot easily find a "one size fits all" set of rules that addresses Labs like BNL, Fermilab, and Los Alamos at the same time. At this point in time, they are drafts, and the DOE has invited comments on them on a relatively tight schedule. ITD director Tom Schlagel has formed a "Cyber Security Policy Working Group" to evaluate their potential impact and provide those comments. The group was open to volunteers, and consists of several CSAC members and representatives from various groups in ITD. While a good number of the 25 or so TMRs are relatively benign, there are some with the potential to be extremely disruptive. Among those are TMRs with rules about remote access, foreign nationals' access, peer-to-peer networking, and some others. The individual comments from the various Labs get consolidated into one response. This process is still ongoing, but given the very strong reaction from us and the other Labs, we hope that the offending rules will just disappear.

A New Wireless Service

Around the Lab, ITD has started to upgrade the wireless service to accommodate some of the user communities' wishes. There are two main problems with the current setup, which gives you a private Internet address, much like your cable or DSL router at home does when you connect one or more PCs to it. One problem is that this setup prevents more than one person on that network from getting a "Virtual Private Network" (VPN) connection to his or her home institute: after the first person has done that, all others cannot use a VPN. The second problem is that the private address defeats the journal subscription service which the Lab has paid for, because that address is not recognized as belonging to BNL.

The new setup (which you can recognize by its network name "Corus") will give you more or less the same functionality as the current wireless networks, except that you get a "real" address in BNL's official 130.199.*.* address space. This will solve the VPN problem, as well as the problems accessing the subscription services. There are a few additions, such as the use of web proxies, and some additional firewall protections. Places where Corus has been deployed include the ITD building 515 so that ITD's staff can test it out, and the new Science Support Building 400. It will be deployed in other areas as well, with some priority in buildings that do not currently have wireless service.

Let me add here that the old VWZ networks have been set up with print servers as a test. This is not quite "plug and play" yet and is still under construction. It is currently more for the technically-minded user. (If you want to try it: find your IP address and substitute the last octet with "10", e.g. That's where you find a CUPS server for the network you are on.) A few of us are playing guinea pig for ITD in using and improving those services. Documentation will be coming. It is still unclear what the printing solution will be for the Corus network.

Desktop Video Conferencing Working Group

The above-mentioned TMR that deals with peer-to-peer networking could potentially impact the use of the Skype Voice-over-IP service, which has changed the way that some collaborations go about their day-to-day work. You can make free PC-to-PC phone and video calls, chat with other users, and transfer small files. That has eased the burden for many remote collaborators in other time zones, who can dial into meetings for free from their home institution and also from home.

Skype has gotten some bad press lately from cyber security folks (not just ours). Its ability to go through firewalls and routers, and some not-so-good PR events lately, have cast some doubts on Skype. Also, Skype has developed from an operating-system-neutral to a Windows-mostly application, which cuts out many of us who do not run a Windows operating system. Skype has already been outlawed at CERN (for other reasons), which diminishes its usefulness if not all users can participate.

Scott Bradley from ITD has formed a Desktop Video Conferencing working group, which has been looking at alternatives to Skype and also at other, more full-featured conference systems. At this point in time, the use of Skype remains allowed at BNL, but there are a surprising number of alternatives which have the potential to take over the role of Skype. Skype on a Windows system currently remains the application which is easiest to use and works best, but other applications using more traditional technologies and protocols (and running just as well on other operating systems) are catching up fast. The final report from the working group can come only after the TMR issues are decided and final, but an interim report will be available very soon.

A New User Agreement

The current User Agreement that virtually all of us signed at some point (and which you can re-read here) will see some changes in the near future. The current text is quite old and needs to be updated to reflect new developments in computing and the Internet. For example, the clause outlawing the use of eBay was inspired by the perception that eBay was, at the time when this was written, more of a gambling site than an online shop. In the meantime, eBay has become a legitimate place to shop.

There is a new draft which was put together by the above-mentioned policy working group and which will next be reviewed by BNL's legal counsel, then by CSAC, then by the UEC. There will be ample opportunity to comment.

Contact CSAC

The members of the Advisory Committee are your representatives to address the issues and problems that might come up. If you have a problem, feel free to contact your CSAC representative (for an up-to-date list, click here), or e-mail me directly.