Information Security News mailing list archives

Slow Slammer response points to NIPC woes


From: InfoSec News <isn () c4i org>
Date: Wed, 29 Jan 2003 02:23:14 -0600 (CST)

http://www.nwfusion.com/news/2003/0128slowslamm.html

By Paul Roberts
IDG News Service
01/28/03

Slow response from the FBI to Saturday's outbreak of a virulent new
computer worm may have been the result of the recent government
reorganization creating the Department of Homeland Security and
increased concerns about threats of cyberterrorism.

The FBI came under scrutiny on Monday when it appeared the agency was
asleep on its feet Saturday as the W32.Slammer worm rocketed around
the world, infecting hundreds of thousands of systems within the first
few hours of surfacing.

The FBI's cyberthreat arm, the National Infrastructure Protection
Center (NIPC), stayed silent for much of Saturday as prominent
antivirus companies such as Internet Security Systems (ISS) and
Network Associates's McAfee AVERT (Anti-Virus Emergency Response Team)  
division issued alerts about the spread of the Slammer worm.

Reporters who called the agency asking for comment during that time
were told only that the NIPC was "monitoring the situation," but
official statements were not forthcoming.

It was not until 1:41 p.m. EST (6:41 p.m. GMT) on Saturday, more than
13 hours after the initial appearance of Slammer, that the NIPC issued
its first advisory on the worm, entitled "Worm Targets SQL
Vulnerability," on its Web page. By that time, many organizations had
already identified the threat and taken steps to stop its spread.

In an Internet webcast hosted by the nonprofit SANS Institute that
featured security experts and representatives from the federal
government and Microsoft, Marcus Sachs, director for communication
infrastructure protection at the White House Office of Cyberspace
Security, said that a combination of bad timing and the recent folding
of the NIPC and other government cybersecurity departments into the
new Department of Homeland Security may have played a role in the
agency's lackluster response to the Slammer outbreak.

"The worm couldn't have come at a better time," Sachs joked.

The inauguration of the new Department was celebrated on Friday. In
addition, NIPC staff were coordinating with other federal computer
security personnel on what was described as an issue stemming from
tensions with Iraq.

As a result, most of the NIPC researchers were home when Slammer broke
and the agency had trouble getting "the right personnel" to respond to
the Slammer outbreak, Sachs said.

"They're going through a transition now and I don't know where it's
going to come out," said Allan Paller, research director of the SANS
Institute.

Indecision about the NIPC's future over the past year and senior staff
defections in recent months have taken their toll, according to
Paller.

But an NIPC spokesman denied that there was any delay in responding to
the Slammer threat.

"The NIPC puts out alerts and advisories when it's sure that the
information is correct and complete," said Bill Murray, a public
affairs officer at the NIPC.

Murray refused to characterize the NIPC's response on Saturday as
either fast or slow, and said that it does not intend to match
antivirus and security companies when releasing information on
emerging threats.

"We believe NIPC did what it was tasked and chartered to. We analyzed
the threat and provided accurate warnings," Murray said.

Murray denied any knowledge of problems stemming from the transition
to the Department of Homeland Security or from work on issues related
to Iraq.

The agency's response to future outbreaks would be evaluated on a
case-by-case basis, Murray said.

"We are a tool to be used just as (security companies) are a tool to
be used," Murray said.

But Paller sees the possibility for a wider role for the NIPC within
the Department of Homeland Security and under strong new leadership.

Among the possible new roles for the NIPC would be creating an
incentive-based reporting system for new vulnerabilities, marshalling
resources within the federal government to get vulnerabilities fixed
and creating a centralized reporting and monitoring system to
coordinate information on virus outbreaks reported by Internet
backbone providers, Paller said.


