Slow response to Slammer worm points to NIPC woes

A slow response from the FBI to Saturday's outbreak of a virulent new computer worm may have been the result of the recent government reorganization creating the U.S. Department of Homeland Security and increased concerns about threats of cyberterrorism.

The FBI came under scrutiny after it appeared that the agency had moved slowly to respond on Saturday as the W32.Slammer worm rocketed around the world, infecting hundreds of thousands of systems within the first few hours of surfacing (see story).

The FBI's cyberthreat arm, the National Infrastructure Protection Center (NIPC), stayed silent for much of the day as prominent antivirus companies such as Internet Security Systems Inc. and Network Associates Inc.'s McAfee AVERT (Anti-Virus Emergency Response Team) division issued alerts about the spread of the Slammer worm.

Reporters who called the agency asking for comment during that time were told only that the NIPC was "monitoring the situation," but official statements weren’t forthcoming.

It wasn’t until 1:41 p.m. EST on Saturday, more than 13 hours after the initial appearance of Slammer, that the NIPC issued its first advisory on the worm on its Web page. By then, many organizations had already identified the threat and taken steps to stop it.

In a webcast yesterday hosted by the nonprofit SANS Institute that featured security experts and representatives from the federal government and Microsoft Corp., Marcus Sachs, director for communication infrastructure protection at the White House Office of Cyberspace Security, said a combination of bad timing and the recent folding of the NIPC and other government cyberagencies into the Department of Homeland Security may have played a role in the lackluster response to the outbreak.

"The worm couldn't have come at a better time," Sachs joked.

The inauguration of the new department was celebrated Friday. In addition, NIPC staffers were coordinating with other federal computer security personnel on what was described as an issue stemming from tensions with Iraq.

As a result, most NIPC researchers were home when Slammer broke, and the agency had trouble getting "the right personnel" to respond, Sachs said.

"They're going through a transition now, and I don't know where it's going to come out," said Allan Paller, research director of the Bethesda, Md.-based SANS Institute. He said indecision during the past year about the NIPC's future and senior staff defections in recent months have taken their toll.

But an NIPC spokesman denied there was any delay in responding to the Slammer threat. "The NIPC puts out alerts and advisories when it's sure that the information is correct and complete," said Bill Murray, a public affairs officer at the NIPC.

He refused to characterize the NIPC's response as either fast or slow and said it doesn’t intend to match antivirus and security companies when releasing information on emerging threats. "We believe NIPC did what it was tasked and chartered to," Murray said. “We analyzed the threat and provided accurate warnings.”

He denied any knowledge of problems stemming from the transition to the Department of Homeland Security or from work on issues related to Iraq.

The agency's response to future outbreaks would be evaluated on a case-by-case basis, he said. "We are a tool to be used, just as [security companies] are a tool to be used," Murray said.

But Paller said the NIPC could have a larger role within the Department of Homeland Security, a role that could include creating an incentive-based reporting system for new vulnerabilities, marshalling resources within the federal government to get vulnerabilities fixed and creating a centralized reporting and monitoring system to coordinate information on virus outbreaks reported by Internet backbone providers.

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon