CERT: The Next Generation
The Demise of the Internet's Last Objective and "Trusted" Organization
Richard Forno <firstname.lastname@example.org>
Article 2001-03 (c) 2001. All rights reserved. (article courtesy
of Richard Forno)
21 April 2001
The Morris Worm incident of 1988 paralyzed the Internet during
its days as a purely academic and research system of systems uncluttered
by banner ads, instant messaging, Flash animations, and e-commerce.
As a result of this first major security issue on the fledgling
global network, the Department of Defense looked to establish a
security capability to research and advise the network community
on emerging security threats, trends, and vulnerabilities.
In 1988, the task was assigned to the Carnegie-Mellon University's
Software Engineering Institute, one of the Pentagon's Federally-Funded
Research and Development Centers (FFRDC). From this task CERT/CC
was born. (FFRDCs are government research centers that receive federal
money (taxpayer money) to support their research activities.) Once
the CERT/CC was established, it became the self-declared central
authority on all Internet security issues. Government, the media,
and the IT community thus accepted the CERT/CC as the Vatican of
Vulnerabilities, whose imprimatur (approval) of a vulnerability,
given by issuing an advisory, confirmed the issue's legitimacy in the
eyes of the IT community. For small businesses without dedicated
security staffs, CERT advisories are often the only security information
they have access to.
However, recent announcements by the CERT/CC regarding its venture
into the commercial services market raise some questions that this
article will address, including how effective this new organization
will be, and evaluating the legitimacy, allegiance, and effectiveness
of the CERT/CC now that it is in the commercial arena instead of
an academic mode supported by federal funds from the American taxpayers.
Fiddling While Our Systems Burn
According to its website, the CERT/CC "is chartered to work with
the Internet community in detecting and resolving computer security
incidents, as well as taking steps to prevent future incidents.
In particular, our [CERT/CC] mission is to:
- Provide a reliable, trusted, 24-hour, single point of contact
- Facilitate communication among experts working to solve security
- Serve as a central point for identifying and correcting vulnerabilities
in computer systems.
- Maintain close ties with research activities and conduct
research to improve the security of existing systems.
- Initiate proactive measures to increase awareness and understanding
of information security and computer security issues throughout
the community of network users and service providers.
Reading this charter statement, CERT/CC exists to work with (and serve
as the central resource for security information for) the entire Internet
community, from small Mom-and-Pop ISPs (who rely on CERT notices as
their major source of security information) to the largest corporations
and government departments and agencies with dedicated, highly-paid
security staffs. When it was established in 1988, this made good sense.
However, analysis of the CERT/CC's past actions leads one to question
just how actively CERT/CC supports the community on a proactive basis.
Much to the chagrin of systems administrators, the CERT/CC would
traditionally alert the vendor and give them time to address a reported
vulnerability before releasing any advisory to the public...a period
of anywhere from 24 hours to two months. (Of course, this assumes
that vendors took the impending release of a CERT advisory as motivation
to quickly address a specific technical vulnerability with their
products. Many did. Some didn't.) Thus, until the public advisory
was released, supposedly only the CERT/CC and the affected vendor(s)
would know of this issue. Then, a few days before the public advisory
was released, the CERT/CC would release a draft advisory to a select
group of organizations as a "heads up" advance of the official public
advisory release. During this time, any number of systems were at
risk of being exploited (or were actually being exploited), yet their
caretakers may have been unaware it was happening. Meanwhile, news
and analysis of such vulnerabilities and exploits were quietly circulating
around any number of e-mail and web-based forums open to the public
in which only those "in the know" in the security profession would
regularly participate. How many organizations - large and small - fell
victim to such vulnerabilities during CERT's self-imposed period of silence?
In its chartered role as the "central resource" for Internet security
information, the CERT/CC would accept reports and information from
sources around the world to grow its database of vulnerabilities
and security trends. Those reports would start the vulnerability
assessment process that could result in a CERT advisory. However,
the CERT/CC is a Pentagon-funded program; and it's generally known
that the Department of Defense (among other organizations involved
with computer security) does not openly share information. When
a vendor is contacted by the CERT/CC about a new vulnerability,
it is nearly impossible to obtain information on the source of that
information, or even who reported it to ask follow-up questions
without going through the CERT/CC as middleman!
Further - and some would say more frustrating - is that given its
fantastic amount of incident data and reports over the past twelve
years, the CERT/CC does not publish a vulnerability database
that the Internet community can use to conduct their own queries
into and research on security vulnerabilities and trends.
By contrast, organizations like SecurityFocus' ARIS
(Attack Registry and Intelligence Service) and SANS.ORG's GIAC
(Global Incident Analysis Center) provide free incident reporting
and analysis capabilities to the public, and there are any number
of robust, public-access vulnerability databases, such as the SecurityFocus
vulnerability database and MITRE's CVE.
A recent article
by Brian Martin (of ATTRITION.ORG fame) discusses this issue in
some detail. Martin questions the benefits of keeping the public
and competent IT staffs in the dark, fiddling while their systems
stand a good chance of being compromised by a known vulnerability.
By withholding information regarding a vulnerability until the vendor
had a chance to work on a solution, the CERT/CC mistakenly believed
it was doing the internet community a service by controlling the
release of that information. An information service, frankly, that
benefited no one if the disclosure of such critical vulnerabilities
was delayed for a prolonged period of time.
ISA - The High-Rollers' Backroom of Security
Remember that CERT is part of the Software Engineering Institute
(SEI). The SEI is a Federally-Funded Research and Development Center
(FFRDC). As such, according to the General Accounting Office Report
on Federally Funded R&D Centers: Information on the Size and
Scope of DOD-Sponsored Centers (Letter Report, 04/24/96, GAO/NSIAD-96-54),
Unlike commercial contractors, an FFRDC accepts restrictions
on its ability to manufacture products and compete for other government
or commercial business. These restrictions are intended to (1) limit
the potential for conflicts of interest when FFRDC staff have access
to sensitive government or contractor data and (2) allow the
center to form a special or strategic relationship with its DOD
sponsor....the size, scope, and oversight of FFRDCs have been recurring
areas of concern to Congress, federal officials, and the private
sector throughout the past three decades. Since 1991, Congress
reduced the funding and approved personnel ceilings for the
FFRDCs, capped executives' salaries, and prohibited the creation
of new FFRDCs.
In early 2001, the CERT/CC announced its partnership with the Electronics
Industry Association to create the fee-based Internet Security Alliance.
According to the ISA website, its mission is to serve as the "single
portal for up-to-the-minute threat reports, best security practices,
risk management strategies, and more, which will give them the edge
in the competitive and volatile environment of the Internet." The
ISA will conduct briefings, training conferences, and use "the enormous
store of data made available by the CERT/CC and the analytical expertise
of its CERT Analysis Center to harness this data for the benefit of
ISA members....these centers have un-matched access to comprehensive
data from their partners in both the public and private sectors."
Does this mean that ISA members will be able to see the "real dirt"
on recent security trends and events when the CERT/CC opens up its
archive of incident data to the ISA? Does it plan to sanitize such
information? Shockingly, the ISA website has several forms for members
to complete, yet there is no sign of a non-disclosure agreement
anywhere. Given the subject matter and sensitivity of such information,
a signed non-disclosure agreement should be on-file with ISA before
any member is granted access to ISA meetings, communications, or
archives. Further, what if any due diligence is conducted on potential
members? Can anyone with some extra cash and a verifiable company
name become a member? (We've already seen how easy it is for imposters
to obtain digital certificates in someone else's name.) Stranger
yet, what experience and interest does the EIA have in internet
security matters? The alliance between the CERT/CC and EIA doesn't
seem to be one of two organizations with similar goals and expertise.
Through this alliance with the CERT/CC - coupled with membership
by the major internet companies - does the EIA hope to start enacting
security standards for the Internet? What is really going on here?
The GAO report mentioned above also states that the SEI work must
be free from "real or perceived biases or conflicts of interest."
(See Note 1) By participating in the commercial for-profit ISA,
the CERT/CC is shedding its community objectivity regarding security
matters and should now be viewed on the same level as security software
vendors and the multitude of security consultancies that provide
the same products, services, and capabilities that the ISA (or "CERT:
The Next Generation") plans to. Will a future CERT advisory be skewed,
delayed, or pander to the vendor paying the most money to get a
vulnerability reported to help increase its product sales? The anti-virus
vendor community is notorious for this practice! One also has to
wonder if this organization - funded in a large part by the American
taxpayers - is trying to have its cake and eat it too. Can the
CERT/CC - as part of the SEI, a federally-funded organization -
legally convert itself into a commercial, for-profit entity without
being forced to relinquish its annual federal funding?
Having been around the internet security community for a while,
I can confirm that what the ISA is purporting to do is exactly what
the CERT/CC has done for the past twelve years. CERT/CC did research.
CERT/CC issued advisories. CERT/CC held regional training conferences.
CERT/CC provided advice to beleaguered system administrators. However,
the CERT-EIA venture will cost organizations upwards of $2500 per
year for these operations-oriented services that are available for
free or little cost elsewhere. For small companies without dedicated
security staffs - who don't know where to look for security vulnerability
information elsewhere on the Internet and thus rely on CERT advisories
as their sole security information - not being able to participate
in the ISA means that they are at a comparative disadvantage to
larger companies that can afford such luxuries.
In an age where security is important to a company but the security
function is often forced to "do more with less", it is more likely
that company security officers will spend their meager security
resources not on a frivolous ISA membership but on necessary security
items - new virus control software, licenses for firewall products,
and other more tangible "here and now" security solutions.
Reinventing The Wheel That Spins But Goes Nowhere
The CERT-EIA Internet Security Alliance will fail to be effective
for several reasons, not the least of which is that this new organization
is charging for services found for free (or cheaper) elsewhere.
The CERT/CC is an organization focused on incident response and
should be recognized for bringing a level of professionalism and
analysis to the process. It should not be involved in privacy or
national policy matters (leave that to the EFF, CPSR, ITAA, and
other organizations), developing additional security certification
programs (leave that to ISC2 and SANS), security program development
outside of incident response (leave that to SANS, CSI, and MISTI)
nor should it be continuing the government-induced myth of "educating
senior executives" on various technology threats through any commercial,
for-profit ventures. If you recall, the White House invited senior
executives (CEOs and such) for a "summit" to discuss internet security
following the February 2000 denial of service attacks. What was
the tangible outcome of this knee-jerk photo opportunity? Free marketing
for the various companies, a photo with the President, and a whispered
promise of campaign contributions to the Democratic party to support
the November elections. Nothing about security, however.
Few if any of the participants came away from the February "summit"
any more enlightened than when they arrived at the White House,
and that highlights another misconception. When will CERT, EIA,
ITAA, ISA, and the government realize that the goal of security
is to deal with security issues as an operational concern before
it becomes a business concern requiring the attention of a CEO
or Board of Directors? Senior executives and directors of all but
a few companies give security a passing glance - their jobs are
to run the company and set visions for increased revenue and profits,
not lose sleep about what type of firewall the company needs, the
alleged benefits of PKI (See Note 2), or how frequently one should
scan for Stacheldraht attacks. Industry efforts to deal with security
matters must happen in the network control centers and CIO/CTO organizations
- where the folks that are really "in the know" on what can and
cannot be done with regards to security work - not the marble executive
suites and panelled boardrooms of senior company leadership focussed
on running a profitable enterprise.
If CERT or the ISA is going to be truly effective, and demonstrate
that it is not simply toeing the "party line" by ignoring the real
vulnerabilities on the Internet, it should start by acknowledging
the inherent vulnerabilities - security, operational, and otherwise
- beginning with the greatest vulnerability to our networked systems
- namely, the standardizing of critical IT infrastructures on any closed,
notoriously-insecure and unstable operating system. Until this (or
any) self-proclaimed centralized security authority demonstrates
its willingness to "rock the boat" and actually take a contrary
position to the government and industry claims (or marketing
position) on the factual (as opposed to sensationalized) matters
of security, such organizations can never be taken seriously by
the technical security community and will be only marginally effective
to their clients.
The CERT/CC is trying to change with the times, and that is certainly
understandable. All things change in time. However, if this change
is predicated on the threat of losing their federal funding, it
should acknowledge that fact without smoke and mirrors. Instead,
by creating the ISA as a Members-Only "Backroom of Security" the
CERT/CC (as ISA co-founder) becomes no different from the dozens
of commercial security vendors seeking to capitalize on the hype,
panic, and sensationalism surrounding information security matters.
Thus, it does not serve the "Internet community" at large but rather
a select group willing to ante up to its table.
Of course, there are legitimate security concerns and vulnerabilities
associated with the Internet, and they must be addressed objectively,
publicly, and in a timely fashion. Forums for this exist...conferences,
symposia, and electronic discussion lists are some of the successful
methods still in active and effective use today. CERT/CC was the
last objective organizational focus point of security information;
timely or not, you could count on the objectivity and trustworthiness
of the Vatican of Vulnerability. By going commercial - in part or
in whole - whatever trust readers and organizations place in future
information published by the CERT/CC should be taken for what it
really is - issued not by an objective and "trusted" third party
rooted in academia but an entity now competing alongside the established
commercial security vendors for your attention, loyalty, and above
all, your dollars.
Note 1: The Department of Defense oversees
the Federally Funded R&D Centers like the CMU Software Engineering
Institute. The 1995 Report of the DOD Internal Advisory Group on Federally
Funded Research and Development Centers defines the characteristics
of the special or strategic relationships of FFRDCs as "unique competence
and quality, close integration, objectivity and independence, and
Note 2: Check out the article "PKI:
A Matter of Trusting Trust" at infowarrior.org. This article
describes in simple detail why PKI as currently marketed and implemented