BusinessWeek has obtained a copy of a report submitted by the Office of Management and Budget to the key Congressional Committee responsible for cyber security. The report criticizes the US Computer Emergency Readiness Team for not being able to effectively predict attacks or communicate them to the proper agencies. In addition US-CERT cannot hire and retain adequate staff to fulfill their mission.
The problem is that US-CERT's mission is rather fuzzy to begin with. The "Team" was formed in 2003 as a partnership between the Department of Homeland Security (DHS) and public and private entities to track and report on such things as vulnerabilities and new malware and exploits. US-CERT has actually been delivering on that original mandate. If you care to peruse their page on current activity, you can see that US-CERT is continuing the original Carnegie Mellon CERT's function of reporting such data.
A typical month, March 2006, produced the following:
Public Exploit Code for a Vulnerability in Apple Safari Browser
Public Exploit Code for Buffer Overflow Vulnerability in Microsoft Windows Media Player Plug-in for Non-IE Browsers
Public Exploit Code for Buffer Overflow Vulnerability in Microsoft Windows Media Player
Exploit for QueryInterface Vulnerability in Mozilla
XML Injection and Code Execution Vulnerabilities in Mozilla Suite
Active Exploit for Buffer Overflow Vulnerability in Winamp
Nyxem Mass-mailing Worm
Exploit for Vulnerability in VERITAS NetBackup Volume Manager Daemon
Malicious Website Exploiting Sun Java Plug-in Vulnerability
Exploit for Vulnerability in Microsoft Windows Metafile Handling
But search for terms such as "Titan Rain", Sandia, Pentagon, Custom Trojan, Whitehall, or Russian mafia, and you will see that US-CERT does not actually monitor the rapidly escalating state of cyber threats. Evidently the OMB now believes that US-CERT should be more knowledgeable about the real threats to US government agencies.
Take custom Trojans, for instance. A search of US-CERT returns a link to only one document that mentions them. Yet custom Trojans are the primary weapon in China's vast arsenal of cyber attack methodologies. The one reference, by the way, only contains a slide I created in 2006 that refers to custom Trojans.
You will note that US-CERT bulletins state:
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis.
US-CERT is primarily a clearing house for vulnerability, exploit, and malware alerts. It is the institutionalization of alert networks created by the security research teams at the major vendors.
Another mandate of US-CERT is to create an uber-IDS system for monitoring and reporting on network activity at US government agencies, dubbed Einstein. According to Wikipedia, only 15 of 600 agencies have deployed Einstein sensors. Given that the sensors only gather and report on packet header information, they are not going to be very effective at identifying targeted attacks without some very intelligent analysis capability.
So, once again, OMB raises the red flag. I believe OMB's expectations far exceed US-CERT's original mandate, which was to be a clearing house for "cyber threat" information and alerts. The reason is that OMB can interpret "cyber threat" to mean industrio-military espionage, cyber warfare, infrastructure attacks, and cyber terrorism, whereas the folks at US-CERT are busy tending to yesterday's threats: vulnerabilities and malware.
US-CERT may be the core of a future cyber defense capability. But as an operational cyber defense unit of the National Cyber Security Division of DHS it does not add much value.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
You Nailed It, Stiennon.
As a former US-CERT member who helped conceive Einstein, I can say I quit the program out of frustration over Carnegie Mellon lawyers who insisted that IP address information and payloads be stripped from the packet captures.
You simply can't perform analysis on packets with no actionable information.
Lawyers are killing US-CERT's effectiveness. Or rather, legacy relationships with CMU, which refuses to adapt to new and effective ways of doing things.
Lawyers = ##$@#@
When the lawyers get involved nobody wins....except them
Cite better sources
"According to Wikipedia..." Yeah, that makes the analysis more credible...