Re: Hysterical first technical alert from US-CERT

[Andrew Fried <afried () cis fed gov>]

I'm a little surprised by some of the critical reactions to the 
US-Cert's issuance of the MyDoom alerts.

Being in the federal sector, I can tell you that the predecessor to 
US-CERT (FedCIRC) received ongoing criticism from the government 
computer security circles for untimely advisories.  FedCIRC was overly 
cautious about validating information before disseminating it.  The 
result was that advisories were released so long after the event that 
they proved to be of little benefit to those of us on the front lines 
trying to mitigate problems.  The joke used to be that we'd read about a 
problem on Bugtra or NANOG, then a week later see the same information 
from FedCIRC.

When DHS formed US-CERT, they held meetings around the country with a 
variety of groups, not just federal security types, and the most 
resounding request they got was to release alerts and advisories as soon 
as possible. Many suggested that late breaking advisories be labeled as 
preliminary, but released just the same.  To US-CERT's credit, they 
listened to those requests and what we saw with MyDoom was advisories 
being released within hours of the onset of an incident.

Behind the scenes, US-CERT has established a number of secure channels 
to facilitate information sharing among federal agencies.  They've 
established working groups which include private sector membership. 
They're ramping up some new initiatives that will bring much needed 
resources to the government such as labs to analyze malware.  In my 
mind, this group is trying to focus on cybersecurity needs with the same 
intensity that NASA did to get to the moon.

I'm not trying to make any sales pitch here, and want to state that I do 
not work with for DHS or US-CERT (which is part of DHS).

Andrew Fried
Senior Special Agent
Treasury Inspector General for Tax Administration