On Tuesday morning, the Web site of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh was flooded with traffic, the beginning of a distributed denial-of-service (DDoS) attack. The flood began at about 11:30 EDT and lasted well into Thursday, although CERT was able to restore the majority of its service by Wednesday afternoon.
Also on Tuesday, the General Accounting Office issued a scathing report on the state of the FBI's National Infrastructure Protection Center. The NIPC, which is tasked with disseminating early-warning reports on virus and computer attacks and providing detailed analyses of such incidents, is failing on both counts, the report said, due mainly to a lack of trained staff.
The NIPC's shortage of personnel--and the poorly defined roles of the staff it does have--are preventing it from fulfilling its main objective, which is to protect the nation's information systems from attacks by issuing early warnings of threats. Instead, NIPC has become largely reactive in nature.
"The analytical and information-sharing techniques that are needed to protect the nation's critical infrastructures have not yet been achieved," the report says. "The NIPC has developed only limited capabilities for strategic analysis of threat and vulnerability data. Accordingly, the NIPC is not able to provide timely information on changes in threat conditions or warnings of imminent attacks."
The NIPC earlier this spring drew criticism in some security circles for issuing a warning about a string of attacks against e-commerce sites by a group of eastern European crackers. The attacks were well known and had been ongoing for several months, leading some in the security industry to criticize NIPC for its slow reaction.
As for CERT, the irony of a federally funded security research facility falling victim to a DDoS attack was not lost on many security professionals.
"It's not surprising, but the frequency with which these things still occur is amazing," said Ted Julian, co-founder of Arbor Networks Inc., of Waltham, Mass., which makes an anti-DDoS product. "[CERT] obviously has no lack of security or expertise, so why were they down for so long? There's obviously something very wrong."
Aside from the public-relations consequences of the attack on CERT, the fact that a quasi-government agency staffed with dedicated security professionals could be brought to its knees for such a long period of time shows that no matter how many precautions you take, there is no such thing as an absolutely secure network.
"This scenario is what keeps smart network engineers up at night," said Julian. "If they can be hit, what chance do the rest of us mortals have?"