CERT: The Next Generation - The Demise of the Internet's Last Objective and "Trusted" Organization

CERT: The Next Generation

The Demise of the Internet's Last Objective and "Trusted" Organization

Richard Forno <rforno@infowarrior.org>

21 April 2001

The Morris Worm incident of 1988 paralyzed the Internet during its days as a purely academic and research system of systems uncluttered by banner ads, instant messaging, Flash animations, and e-commerce. As a result of this first major security issue on the fledgling global network, the Department of Defense looked to establish a security capability to research and advise the network community on emerging security threats, trends, and vulnerabilities.

In 1988, the task was assigned to the Carnegie-Mellon University's Software Engineering Institute, one of the Pentagon's Federally-Funded Research and Development Centers (FFRDC). From this task CERT/CC was born. (FFRDCs are government research centers that receive federal money (taxpayer money) to support its research activities.) Once the CERT/CC was established, it became the self-declared central authority on all Internet security issues. As a result, government, the media, and IT community thus accepted the CERT/CC as the Vatican of Vulnerabilities whose imprimatur (approval) of a vulnerability by generating an advisory confirmed the issue's legitimacy in the eyes of the IT community. For small businesses without dedicated security staffs, CERT advisories are often the only security information they had access to.

However, recent announcements by the CERT/CC regarding its venture into the commercial services market raise some questions that this article will address, including how effective this new organization will be, and evaluating the legitimacy, allegiance, and effectiveness of the CERT/CC now that it is in the commercial arena instead of an academic mode supported by federal funds from the American taxpayers.

Fiddling While Our Systems Burn

According to its website, the CERT/CC "is chartered to work with the Internet community in detecting and resolving computer security incidents, as well as taking steps to prevent future incidents. In particular, our [CERT/CC] mission is to:

Provide a reliable, trusted, 24-hour, single point of contact for emergencies.

Facilitate communication among experts working to solve security problems.

Serve as a central point for identifying and correcting vulnerabilities in computer systems.

Maintain close ties with research activities and conduct research to improve the security of existing systems.

Initiate proactive measures to increase awareness and understanding of information security and computer security issues throughout the community of network users and service providers.

Reading this charter statement, CERT/CC exists to work with (and serve as the central resource for security information for) the entire Internet community, from small Mom-and-Pop ISPs (who rely on CERT notices as their major source of security information) to the largest corporations and government departments and agencies with dedicated highly-paid security staffs. When it was established in 1988, this made good sense. However, analysis of the CERT/CC's past actions lead one to question just how CERT/CC actively supports the Community on a proactive basis.

Much to the chagrin of systems administrators, the CERT/CC would traditionally alert the vendor and give them time to address a reported vulnerability before releasing any advisory to the public...a period of anywhere from 24 hours to two months. (Of course, this assumes that vendors took the impending release of a CERT advisory as motivation to quickly address a specific technical vulnerability with their products. Many did. Some didn't.) Thus, until the public advisory was released, supposedly only the CERT/CC and the affected vendor(s) would know of this issue. Then, a few days before the public advisory was released, the CERT/CC would release a draft advisory to a select group of organizations as a "heads up" advance of the official public advisory release. During this time, any number of systems were at risk of (or actually being exploited) yet their caretakers may have been unaware it was happening. Meanwhile, news and analysis of such vulnerabilities and exploits were quietly circulating around any number of e-mail and web-based forums open to the public that only those "in the know" in the security profession would regularly participate in.

How many organizations - large and small - fell victim to such vulnerabilities during CERT's self-imposed period of silence?

In its chartered role as the "central resource" for Internet security information, the CERT/CC would accept reports and information from sources around the world to grow its database of vulnerabilities and security trends. Those reports would start the vulnerability assessment process that could result in a CERT advisory. However, the CERT/CC is a Pentagon-funded program; and it's generally known that the Department of Defense (among other organizations involved with computer security) does not openly share information. When a vendor is contacted by the CERT/CC about a new vulnerability, it is nearly impossible to obtain information on the source of that information, or even who reported it to ask follow-up questions without going through the CERT/CC as middleman!

Further - and some would say more frustrating - is that given its fantastic amount of incident data and reports over the past twelve years, the CERT/CC does not publish a vulnerability database that the Internet community can use to conduct their own queries into and research on security vulnerabilities and trends. However, organizations like SecurityFocus' ARIS (Attack Registry and Intelligence Service) and SANS.ORG's GIAC (Global Incident Analysis Center) provide free incident reporting and analysis capabilities to the public, and there are any number of robust, public-access vulnerability databases, such as the SecurityFocus VDB, and the MITRE CVE.

A recent article by Brian Martin (of ATTRITION.ORG fame) discusses this issue in some detail. Martin questions the benefits of keeping the public and competent IT staffs in the dark, fiddling while their systems stand a good chance of being compromised by a known vulnerability. By withholding information reagrding a vulnerability until the vendor had a chance to work on a solution, the CERT/CC mistakenly believed it was doing the internet community a service by controlling the release of that information. An information service, frankly, that benefited no one if the disclosure of such critical vulnerabilities was delayed for a prolonged period of time.

ISA - The High-Rollers' Backroom of Security

Remember that CERT is part of the Software Engineering Institute (SEI). The SEI is a Federally-Funded Research and Development Center (FFRDC). As such, according to the General Accounting Office Report on Federally Funded R&D Centers: Information on the Size and Scope of DOD-Sponsored Centers (Letter Report, 04/24/96, GAO/NSIAD-96-54),

Unlike commercial contractors, an FFRDC accepts restrictions on its ability to manufacture products and compete for other government or commercial business. These restrictions are intended to (1) limit the potential for conflicts of interest when FFRDC staff have access to sensitive government or contractor data and (2) allow the center to form a special or strategic relationship with its DOD sponsor....the size, scope, and oversight of FFRDCs have been recurring areas of concern to Congress, federal officials, and the private sector throughout the past three decades. Since 1991, Congress reduced the funding and approved personnel ceilings for the FFRDCs, capped executives' salaries, and prohibited the creation of new FFRDCs.

In early 2001, the CERT/CC announced its partnership with the Electronics Industry Association to create the fee-based Internet Security Alliance. According to the ISA website, its mission is to serve as the "single portal for up-to-the-minute threat reports, best security practices, risk management strategies, and more, which will give them the edge in the competitive and volatile environment of the Internet." The ISA will conduct briefings, training conferences, and use "the enormous store of data made available by the CERT/CC and the analytical expertise of its CERT Analysis Center to harness this data for the benefit of ISA members....these centers have un-matched access to comprehensive data from their partners in both the public and private sectors."

Does this mean that ISA members will be able to see the "real dirt" on recent security trends and events when the CERT/CC opens up its archive of incident data to the ISA? Does it plan to sanitize such information? Shockingly, the ISA website has several forms for members to complete, yet there is no sign of a non-disclosure agreement anywhere. Given the subject matter and sensitvity of such information, a signed non-disclosure agreement should be on-file with ISA before any member is granted access to ISA meetings, communications, or archives. Further, what if any due diligence is conducted on potential members? Can anyone with some extra cash and a verifyable company name become a member? (We've already seen how easy it is for imposters to obtain digital certificates in someone else's name.) Stranger yet, what experience and interest does the EIA have in internet security matters? The alliance between the CERT/CC and EIA doesn't seem to be one of two organizations with similar goals and expertise. Through this alliance with the CERT/CC - coupled with membership by the major internet companies - does the EIA hope to start enacting security standards for the Internet? What is really going on here?

The GAO report mentioned above also states that the SEI work must be free from "real or perceived biases or conflicts of interest." (See Note 1) By participating in the commercial for-profit ISA, the CERT/CC is shedding its community objectivity regarding security matters and should now be viewed on the same level as security software vendors and the multitude of security consultancies that provide the same products, services, and capabilities that the ISA (or "CERT: The Next Generation") plans to. Will a future CERT advisory be skewed, delayed, or pander to the vendor paying the most money to get a vulnerability reported to help increase its product sales? The anti-virus vendor community is notorious for this practice! One also has to wonder if this organization - funded in a large part by the American taxpayers - is trying to have its cake and eat it too. Can the CERT/CC - as part of the SEI, a federally-funded organization - legally convert itself into a commercial, for-profit entity without being forced to relinquish its annual federal funding?

Having been around the internet security community for a while, I can confirm that what the ISA is purporting to do is exactly what the CERT/CC has done for the past twelve years. CERT/CC did research. CERT/CC issued advisories. CERT/CC held regional training conferences. CERT/CC provided advice to beleagured system administrators. However, the CERT-EIA venture will cost organizations upwards of $2500 per year for these operations-oriented services that are available for free or little cost elsewhere. For small companies without dedicated security staffs - who don't know where to look for security vulnerability information elsewhere on the Internet and thus rely on CERT advisories as their sole security information - not being able to participate in the ISA means that they are at a comparative disadvantage to larger companies that can afford such luxuries.

In an age where security is important to a company but often is forced to "do more with less" it is more likely that company security officers will spend their meager security resources not for a frivilous ISA membership but for necessary security items - new virus control software, licenses for firewall products, and other more tangible "here and now" security solutions.

Reinventing The Wheel That Spins But Goes Nowhere

The CERT-EIA Internet Security Alliance will fail to be effective for several reasons, not the least of is that this new organization is charging for services found for free (or cheaper) elsewhere. The CERT/CC is an organization focused on incident response and should be recognized for bringing a level of professionalism and analysis to the process. It should not be involved in privacy or national policy matters (leave that to the EFF, CPSR, ITAA, and other organizations), developing additional security certification programs (leave that to ISC2 and SANS), security program development outside of incident response (leave that to SANS, CSI, and MISTI) nor should it be continuing the government-induced myth of "educating senior executives" on various technology threats through any commercial, for-profit ventures. If you recall, the White House invited senior executives (CEOs and such) for a "summit" to discuss internet security following the February 2000 denial of service attacks. What was the tangible outcome of this knee-jerk photo opportunity? Free marketing for the various companies, a photo with the President, and a whispered promise of campaign contributions to the Democratic party to support the November elections. Nothing about security, however.

Few if any of the participants came away from the February "summit" any more enlightened than when they arrived at the White House, and that highlights another misconception. When will CERT, EIA, ITAA, ISA, and the government realize that the goal of security is to deal with security issues as an operational concern before it becomes a business concern requiring the attention of a CEO or Board of Directors? Senior executives and directors of all but a few companies give security a passing glance - their jobs are to run the company and set visions for increased revenue and profits, not lose sleep about what type of firewall the company needs, the alleged benefits of PKI (See Note 2), or how frequently one should scan for stacheldracht attacks. Industry efforts to deal with security matters must happen in the network control centers and CIO/CTO organizations - where the folks that are really "in the know" on what can and cannot be done with regards to security work - not the marble executive suites and panelled boardrooms of senior company leadership focussed on running a profitable enterprise.

If CERT or the ISA is going to be truly effective, and demonstrate that it is not simply toeing the "party line" by ignoring the real vulnerabilities on the Internet, it should start off and acknowledge the inherent vulnerabilities - security, operational, and otherwise - with the greatest vulnerability to our netwoked systems - namely, the standardizing of critical IT infrastructures on any closed, notoriously-insecure and unstable operating system. Until this (or any) self-proclaimed centralized security authority demonstrates its willingness to "rock the boat" and actually take a contrary position to the government and industry claims (or marketing position) on the factual (as opposed to sensationalized) matters of security, such organizations can never be taken seriously by the technical security community and will be only marginally effective to their clients.

The CERT/CC is trying to change with the times, and that is certainly understandable. All things change in time. However, if this change is predicated by the threat of losing their federal funding, it should acknowledge that fact without smoke and mirrors. Instead, by creating the ISA as a Members-Only "Backroom of Security" the CERT/CC (as ISA co-founder) becomes no different from the dozens of commercial security vendors seeking to capitalize on the hype, panic, and sensationalism surrounding information security matters. Thus, it does not serve the "Internet community" at large but rather a select group willing to ante up to its table.

Of course, there are legitimate security concerns and vulnerabilities associated with the Internet, and they must be addressed objectively, publicly, and in a timely fashion. Forums for this exist...conferences, symposia, and electronic discussion lists are some of the successful methods still in active and effective use today. CERT/CC was the last objective organizational focus point of security information - timely or not - you could count on the objectivity and trustworthiness of the Vatican of Vulnerability. By going commercial - in part or in whole - whatever trust readers and organizations place in future information published by the CERT/CC should be taken for what it really is - issued not by an objective and "trusted" third party rooted in academia but an entity now competing alongside the established commercial security vendors for your attention, loyalty, and above all, your dollars.