In Sendmail threat, beginnings of a cyber plan

Incident will be model for future occurrences

"In the past, the NIPC did alerts in response to our stuff. But this was the first time we coordinated on a day-to-day basis. We had CIOs from federal agencies. NIPC and DHS helped to get the right people together and put weight behind what we were saying. It was an issue of scale," Ingevaldson said.

When Sendmail patches were ready, the coordinating team managed their release to the DoD, providing early protection to military sites on February 25 and 26, four days before the general public was informed, SANS said.

Warnings were more widely issued to government groups in the U.S. and in other countries on February 27 and 28, including U.S. Cabinet level departments, national cyber security offices in other countries and Information Sharing and Analysis Centers (ISACs) for critical infrastructure, SANS said.

Federal agencies and critical infrastructure companies began receiving word of the vulnerability on Monday, hours before ISS released its advisory, Wray said.

Those involved in the investigation said that the DHS balanced the government's need to notify key government entities with ISS's desire to get its vulnerability information released before it was leaked to the Internet community.

"It was a great experience. It was interesting to find a balance between broadening prenotification and keeping people protected," said Ingevaldson. "We wanted to make sure that we coordinated with as many elements of the critical infrastructure as possible."

"We needed to recognize and honor (ISS's) need to honor their customers and provide security services. But we have a broader responsibility to ensure that the government's e-mail service and the broader Internet are secure. We worked to keep that process as closed as possible," Wray said.

For the security industry as a whole, the DHS's involvement on the Sendmail vulnerability should send the message that security vendors have another avenue through which to pursue product vulnerability issues when software vendors are unresponsive, according to one security expert.

"This is proof that those who find a vulnerability can maintain visibility and get the government to help them to get vendors to act," said Alan Paller director of research at the SANS Institute. "Guys that find vulnerabilities now have a partner rather than somebody they don't know or trust."

Still, more work is left to be done in refining DHS's role in the security community relative to industry groups like SANS and Carnegie Mellon's CERT Coordination Center.

Despite the broad mandate granted to the new department by Congress, it is likely that DHS will take a cue from its predecessor, the NIPC -- wading in only on the most critical vulnerabilities, according to Wray.