To Congress: Better Internet threat response needed now

The WMF bugs prove that early-warning security systems are sorely lacking

Thanks to all the readers responding to last week’s column who submitted recommendations as to where I could send an early warning threat notification. Unfortunately, none of them would really meet more than 1 percent of the audience I was hoping to warn.

We can quarrel about whether the WMF exploit needed an immediate worldwide warning, but the whole process reminded me that we have no mechanism in place for when such a warning is needed. Why not put in place the processes to handle rapid confirmation and warning when a real critical threat does make its presence known in the future?

I have written many letters to government officials throughout the years but have never received a real response; as far as I know, I have never affected a piece of legislation, but that doesn't mean that my letters can't one day make a difference.

For that reason, I decided to write the letter below to various members of Congress. I sent this to President Bush, Vice President Cheney, Senator John McCain, Congressman Tom Davis, the U.S. Department of Homeland Security, US-CERT, and multiple members of the House Subcommittee on Economic Security, Infrastructure Protection, and Cyber Security.

As Margaret Mead said, "Never doubt that a small group of thoughtful, committed people can change the world; indeed, it is the only thing that ever has."


Request: Creation of an official, centralized body to coordinate a rapid response to critical Internet infrastructure threats.

My background: I’m a 20-year computer security professional, author of over 150 national magazine articles and five books on computer security, and an InfoWorld magazine columnist.

On December 27, 2005, I became one of the first people to recognize a significant new threat to the Microsoft Windows operating system (now known as the WMF flaw). After validating the threat and its potential consequences to our nation’s Internet infrastructure, I set about notifying as many organizations and people as I could.

In days when a single Internet worm can infect millions of computers and networks in 8 minutes (such as the SQL Slammer worm), I was hoping to accomplish three things within minutes:

-- notification to the directly impacted vendor so they could address the threat,

-- fast notification (i.e., early warning) to other legitimate and popular computer security organizations and vendors who are in a position to best protect consumers,

-- early warning notification to as many Internet users as I could.

Currently, there is no way to accomplish what should be a routine response to critical Internet infrastructure threats. Most, if not all, official bodies took over 24 hours to respond to the threat and notify consumers.

The DHS’s official recommendation is to report Internet threats to CERT. However, decades of experience have shown me that although CERT is an incredible organization, it does not excel at the points listed above. In the case of WMF, my gut feeling was validated when CERT’s first warning came out over 24 hours later.

Today, an illegal spammer’s e-mail can circle the globe in under an hour, but in our current state of unpreparedness we cannot utilize the same speed to do good with our official Internet coordinating bodies. Sadly, most consumers think such an entity already exists; they are unfortunately mistaken.

I sincerely and respectfully ask for the following:

-- Create a new subcommittee or use an existing subcommittee to address the current state of early warning of threats on the Internet, focusing on the three issues stated above;

-- Obligate the subcommittee to make recommendations for further consideration by Congress;

-- If so called for, establish a new mechanism that allows for the central reporting, confirmation, and rapid warning of critical legitimate threats to our Internet infrastructure;

-- Communicate, and regularly re-communicate, the new reporting structure to the appropriate groups and consumers on the Internet;

-- Conduct periodic tests (perhaps once per year) to gauge the effectiveness of the program.

Early warning can be accomplished: Several pseudo-professional bodies, like DShield, responded to the WMF threat within hours and sent frequent public updates as new information came in. I personally notified several national mailing lists and official reporting entities. You can read more about my experience in my InfoWorld column.

It is my belief that a new organization may not be needed; CERT or other official bodies can handle these issues effectively if their priorities and processes are re-engineered.

Many entities, like CERT, may respond that their current processes already provide adequate early warning and threat mitigation, but the facts do not bear out those conclusions. CERT and its processes were designed in the days when a 24-hour response was good enough. Since it was created, several Internet worms (Nimda, Blaster, Code Red, Sobig, etc.) have occurred with continuing regularity. The only thing that has changed is that threats are now more criminal in nature, and foreign governments are becoming involved at an ever-increasing rate.

In my mind, I see our current official Internet preparedness much like FEMA’s preparedness for Hurricane Katrina: Everyone has the best of intentions, but the actual readiness is not there.

Luckily, the WMF exploit did not spread as widely or quickly as feared (although it did infect millions of computers in under 24 hours). My greater fear is the near-certainty that a faster-spreading, more damaging threat will be released upon the Internet in the next few months or years, and we will be no better able to respond to it than we were in 1988, the year of the first Internet worm and the creation of our current official bodies.

I would be glad to participate in any way that I can.


Roger A. Grimes