• United States

Slow Slammer response points to NIPC woes

Jan 28, 20034 mins

Slow response from the FBI to Saturday’s outbreak of a virulent new computer worm may have been the result of the recent government reorganization creating the Department of Homeland Security and increased concerns about threats of cyberterrorism.

The FBI came under scrutiny on Monday when it appeared the agency was asleep on its feet Saturday as the W32.Slammer worm rocketed around the world, infecting hundreds of thousands of systems within the first few hours of surfacing.

The FBI’s cyberthreat arm, the National Infrastructure Protection Center (NIPC), stayed silent for much of Saturday as prominent antivirus companies such as Internet Security Systems (ISS) and Network Associates’s McAfee AVERT (Anti-Virus Emergency Response Team) division issued alerts about the spread of the Slammer worm.

Reporters who called the agency asking for comment during that time were told only that the NIPC was “monitoring the situation,” but official statements were not forthcoming.

It was not until 1:41 p.m. EST (6:41 p.m. GMT) on Saturday, more than 13 hours after the initial appearance of Slammer, that the NIPC issued its first advisory on the worm, entitled “Worm Targets SQL Vulnerability,” on its Web page. By that time, many organizations had already identified the threat and taken steps to stop its spread.

In an Internet webcast hosted by the nonprofit SANS Institute that featured security experts and representatives from the federal government and Microsoft, Marcus Sachs, director for communication infrastructure protection at the White House Office of Cyberspace Security said that a combination of bad timing and the recent folding of the NIPC and other government cybersecurity departments into the new Department of Homeland Security may have played a role in the agency’s lackluster response to the Slammer outbreak.

“The worm couldn’t have come at a better time,” Sachs joked.

The inauguration of the new Department was celebrated on Friday. In addition, NIPC staff were coordinating with other federal computer security personnel on what was described as an issue stemming from tensions with Iraq.

As a result, most of the NIPC researchers were home when Slammer broke and the agency had trouble getting “the right personnel” to respond to the Slammer outbreak, Sachs said.

“They’re going through a transition now and I don’t know where its going to come out,” said Allan Paller, research director of the SANS Institute.

Indecision about the NIPC’s future over the past year and senior staff defections in recent months have taken their toll, according to Paller.

But an NIPC spokesman denied that there was any delay in responding to the Slammer threat.

“The NIPC puts out alerts and advisories when it’s sure that the information is correct and complete,” said Bill Murray, a public affairs officer at the NIPC.

Murray refused to characterize the NIPC’s response on Saturday as either fast or slow, and said that it does not intend to match antivirus and security companies when releasing information on emerging threats.

“We believe NIPC did what it was tasked and chartered to. We analyzed the threat and provided accurate warnings,” Murray said.

Murray denied any knowledge of problems stemming from the transition to the Department of Homeland Security or from work on issues related to Iraq.

The agency’s response to future outbreaks would be evaluated on a case by case basis, Murray said.

“We are a tool to be used just as (security companies) are a tool to be used,” Murray said.

But Paller sees the possibility for a wider role for the NIPC within the Department of Homeland Security and under strong new leadership.

Among the possible new roles for the NIPC would be creating a incentive based reporting system for new vulnerabilities, marshalling resources within the federal government to get vulnerabilities fixed and creating a centralized reporting and monitoring system to coordinate information on virus outbreaks reported by Internet backbone providers, Paller said.