Thanks to all the readers responding to last week’s column who submitted recommendations as to where I could send an early warning threat notification. Unfortunately, none of them would really reach more than 1 percent of the audience I was hoping to warn.
We can quarrel about whether the WMF exploit needed an immediate worldwide warning, but the whole process reminded me that we have no mechanism in place for when such a warning is needed. Why not put in place the processes to handle rapid confirmation and warning when a real critical threat does make its presence known in the future?
I have written many letters to government officials throughout the years but have never received a real response; as far as I know, I have never affected a piece of legislation, but that doesn't mean that my letters can't one day make a difference.
For that reason, I decided to write the letter below to various members of Congress. I sent this to President Bush, Vice President Cheney, Senator John McCain, Congressman Tom Davis, the U.S. Department of Homeland Security, US-CERT, and multiple members of the House Subcommittee on Economic Security, Infrastructure Protection, and Cyber Security.
As Margaret Mead said, "Never doubt that a small group of thoughtful, committed people can change the world; indeed, it is the only thing that ever has."
Request: Creation of an official, centralized body to coordinate a rapid response to critical Internet infrastructure threats.
My background: I’m a 20-year computer security professional, author of over 150 national magazine articles and five books on computer security, and an InfoWorld magazine columnist.
On December 27, 2005, I became one of the first people to recognize a significant new threat to the Microsoft Windows operating system (now known as the WMF flaw). After validating the threat and its potential consequences to our nation’s Internet infrastructure, I set about notifying as many organizations and people as I could.
In days when a single Internet worm can infect millions of computers and networks in 8 minutes (such as the SQL Slammer worm), I was hoping to accomplish three things within minutes:
-- notification to the directly impacted vendor so they could address the threat,
-- fast notification (i.e., early warning) to other legitimate and popular computer security organizations and vendors who are in a position to best protect consumers,
-- early warning notification to as many Internet users as I could.
Currently, there is no way to accomplish what should be a routine response to critical Internet infrastructure threats. Most, if not all, official bodies took over 24 hours to respond to the threat and notify consumers.