- The new US Department of Homeland Security (DHS) received praise for the role it played in coordinating the response to the recent Sendmail vulnerability, but challenges remain as the agency defines its role in securing the nation's information technology infrastructure, according to those familiar with the Sendmail investigation.
While DHS is likely to hold off on becoming involved in all but the most serious computer security issues, its response after learning of the Sendmail vulnerability may serve as a model for future incidents and will help establish the agency's place at the vanguard of the government's response to computer threats, according to a number of security industry experts.
On Monday, Internet Security Systems (ISS) announced that a buffer overflow vulnerability was found in a number of versions of the open source Sendmail Mail Transfer Agent (MTA), ranging from the most recent release of that software to versions that first appeared in the late 1980s. The vulnerability could allow a remote attacker to gain "root" (superuser) access to a Sendmail server, according to ISS.
The Department of Homeland Security was informed of the problem by ISS on February 14, according to an email circulated by the Systems Administration, Networking and Security (SANS) Institute.
ISS first informed the National Infrastructure Protection Center (NIPC), which recently moved from the Federal Bureau of Investigation (FBI) to the DHS, according to Dan Ingevaldson, team leader of X-Force research and development at ISS.
DHS consolidates a number of different government groups responsible for tracking and preventing computer crime. In addition to the NIPC, those groups include the Federal Computer Incident Response Center, formerly part of the General Services Administration, and the US Department of Commerce's Critical Infrastructure Assurance Office.
After it was satisfied that the vulnerability reported by ISS did exist, the DHS shared information about it with other federal departments and government groups such as the Department of Defense (DoD) and the Federal CIO Council, according to Commander David Wray, spokesman for the NIPC and interim spokesman for the new Directorate for Information Analysis and Infrastructure Protection (IAIP) within the DHS.
DHS also played a key role, early on, in alerting software vendors affected by the vulnerability and encouraging those organisations to quickly develop patches, Wray says.
"It was a cooperative effort and DHS sort of led the coordination," says Wray.
The Sendmail vulnerability did not mark the first time ISS has worked with the NIPC, according to Ingevaldson.
In fact, the NIPC is a regular attendee at a daily conference call that ISS hosts to discuss emerging threat data supplied by its worldwide network of sensors.
However, the NIPC's recent inclusion in the DHS gave the organisation a larger platform from which to act.
"In the past, the NIPC did alerts in response to our stuff. But this was the first time we coordinated on a day-to-day basis. We had CIOs from federal agencies. NIPC and DHS helped to get the right people together and put weight behind what we were saying. It was an issue of scale," Ingevaldson says.
When Sendmail patches were ready, the coordinating team managed their release to the DoD, providing early protection to military sites on February 25 and 26, four days before the general public was informed, SANS says.
Warnings were more widely issued to government groups in the US and in other countries on February 27 and 28, including US Cabinet level departments, national cyber security offices in other countries and Information Sharing and Analysis Centers (ISACs) for critical infrastructure, SANS says.
Federal agencies and critical infrastructure companies began receiving word of the vulnerability on Monday, hours before ISS released its advisory, Wray says.
Those involved in the investigation says that the DHS balanced the government's need to notify key government entities with ISS's desire to get its vulnerability information released before it was leaked to the internet community.
"It was a great experience. It was interesting to find a balance between broadening prenotification and keeping people protected," says Ingevaldson. "We wanted to make sure that we coordinated with as many elements of the critical infrastructure as possible."
"We needed to recognise and honor [ISS's] need to honour their customers and provide security services. But we have a broader responsibility to ensure that the government's email service and the broader internet are secure. We worked to keep that process as closed as possible," Wray says.
For the security industry as a whole, the DHS' involvement on the Sendmail vulnerability should send the message that security vendors have another avenue through which to pursue product vulnerability issues when software vendors are unresponsive, according to one security expert.
"This is proof that those who find a vulnerability can maintain visibility and get the government to help them to get vendors to act," says Alan Paller director of research at the SANS Institute. "Guys that find vulnerabilities now have a partner rather than somebody they don't know or trust."
Still, more work is left to be done in refining DHS' role in the security community relative to industry groups like SANS and Carnegie Mellon's CERT Coordination Center.
Despite the broad mandate granted to the new department by Congress, it is likely that DHS will take a cue from its predecessor, the NIPC -- wading in only on the most critical vulnerabilities, according to Wray.
"There is going to be a threshold. The computer security industry is doing a great job taking care of most things. In the past it was when broader coordination is required that the NIPC could add value, and certainly DHS will follow that model," Wray said.
In addition, the DHS must work to establish its credibility as the government agency that will lead on cyber security issues.
"I think we'll have to develop our place. By legislation, we're tasked with a leading role. But, being ordered to fill that role doesn't make it happen overnight," Wray says.
Doing that will require a soft touch in building relationships and trust with major security industry players, he says.
"We've got to establish our bonafides and assume a leadership role. And we've got to do that in concert with industry. We can't just declare that we're it," Wray says.
To do that, the government should stay on the course that it charted on the Sendmail issue, according to Ingevaldson.
"Their role is going to be to maintain the positive movement that we've made on this project. They've got to push the process forward on issues that affect critical infrastructure and formalise what we’ve done in (the Sendmail) process. This will be used as a case study to formalize how to deal with these issues in the future," he says.