Re: Hysterical first technical alert from US-CERT
I'm a little surprised by some of the critical reactions to the
US-Cert's issuance of the MyDoom alerts.
Being in the federal sector, I can tell you that the predecessor to
US-CERT (FedCIRC) received ongoing criticism from the government
computer security circles for untimely advisories. FedCIRC was overly
cautious about validating information before disseminating it. The
result was that advisories were released so long after the event that
they proved to be of little benefit to those of us on the front lines
trying to mitigate problems. The joke used to be that we'd read about a
problem on Bugtraq or NANOG, then a week later see the same information
from FedCIRC.
When DHS formed US-CERT, they held meetings around the country with a
variety of groups, not just federal security types, and the most
resounding request they got was to release alerts and advisories as soon
as possible. Many suggested that late breaking advisories be labeled as
preliminary, but released just the same. To US-CERT's credit, they
listened to those requests and what we saw with MyDoom was advisories
being released within hours of the onset of an incident.
Behind the scenes, US-CERT has established a number of secure channels
to facilitate information sharing among federal agencies. They've
established working groups which include private sector membership.
They're ramping up some new initiatives that will bring much needed
resources to the government such as labs to analyze malware. In my
mind, this group is trying to focus on cybersecurity needs with the same
intensity that NASA did to get to the moon.
I'm not trying to make any sales pitch here, and want to state that I do
not work for DHS or US-CERT (which is part of DHS).
Andrew Fried
Senior Special Agent
Treasury Inspector General for Tax Administration