A long-simmering dispute flared into public view earlier this week
when UK company Next Generation Security Software announced it was
severing its relationship with the CERT Coordination Center.
The row began when vulnerability research companies claimed that
the US government-sponsored Internet security-reporting centre
passed vulnerability information to third parties.
The dispute between Next Generation and CERT arose over a batch of
six software vulnerabilities that the company shared with CERT at
the same time as it disclosed them to the software supplier
affected, according to Next Generation co-founder Mark
Litchfield.
Before a patch was issued or the public notified, the supplier was
approached by two US government agencies concerning the undisclosed
vulnerability. Litchfield claimed the agencies had said that CERT
had informed them about the flaw.
CERT's vulnerability disclosure policy, which is posted on its
website, clearly states that the organisation distributes
vulnerability information before public disclosure. Recipients of
that information include CERT sponsors, software suppliers
unaffected by the vulnerability, members of the Internet Security
Alliance and owners of critical infrastructure.
Litchfield acknowledged that he was not fully aware of the
disclosure policy and had not carefully read the information posted
on the CERT website.
Still, the CERT policy, especially the disclosure of information to
members of the Internet Security Alliance (ISAlliance), a
public-private trade group, rubbed Litchfield the wrong way.
"I saw it as a betrayal of trust. My expectation was that we'd let
CERT know about it so that they'd do their own internal research on
the issue, do further checks, then write their own advisory and
publish it."
An effort to have CERT sign a non-disclosure agreement with Next
Generation in exchange for continued vulnerability reports was
rebuffed, Litchfield said.
"As a policy, we've decided that it's not in the public interest to
hide vulnerability information from people who need that to defend
critical infrastructure," said Jeffrey Carpenter, manager of the
CERT Coordination Center, which is at the Software Engineering
Institute at Carnegie Mellon University in Pittsburgh.
While companies such as Next Generation profit from the
vulnerabilities they discover, Carpenter said CERT has a greater
mission to serve the Internet community by passing along
vulnerability information to affected companies.
But Litchfield insisted that by sharing information with the
fee-paying members of the ISAlliance, CERT was going beyond its duty
to notify affected organisations.
Instead, he argued, CERT is essentially selling an early look at
vulnerability information to third parties, some of which are
potential Next Generation competitors.
CERT denied any conflict of interest between its role as an
independent reporting organisation and its practice of disclosing
vulnerability information to ISAlliance members and the US
government.
Many ISAlliance members are critical infrastructure owners,
including financial institutions, telecommunications companies and
software vendors, though membership is not limited to such
organisations, Carpenter said.
In addition, a strict security screening process and non-disclosure
policy prevent ISAlliance members from circulating the
vulnerability information they receive from CERT outside of their
organisation, said Larry Clinton, deputy executive director and
operations officer of the ISAlliance.
In theory, that should keep information that was confidentially
disclosed to CERT from being spread by other companies. Most
security companies are not taking any chances, however.
"When the ISAlliance was formed, a big part of the value of that
was its relationship with CERT and that if you joined you got
detailed vulnerability information," said Chris Wysopal, director
of research and development at @stake.
"From that point on, most of the people I talk to - other security
researchers at other companies - decided not to give any
information to CERT unless they needed help [disseminating it],"
Wysopal said.
He added that the stance behind Next Generation's announcement, while
more public than most, is not uncommon in the security community.
"What we have done, because we are a small company with limited
resources, is to contact CERT only with widespread issues," Wysopal
said.
Litchfield said Next Generation has not decided whether it will use
CERT to disseminate information about widespread
vulnerabilities.
The rift between the security researchers and CERT threatens to make
the reporting organisation irrelevant.
Compared with the period before the announcement of the ISAlliance
relationship, recent CERT alerts are based more often on
information publicly available elsewhere than on information
disclosed exclusively to CERT, Wysopal said.
Clearly, the loss of information from Next Generation will be
sorely felt. The company's researchers found a number of
high-profile software vulnerabilities in recent years, including
the Microsoft SQL Server vulnerability exploited by the Slammer
worm that appeared last Saturday.
Next Generation shared a number of those vulnerabilities with CERT
at the same time they were disclosed to the affected software
supplier.
CERT offered little comment on the Next Generation decision to stop
reporting vulnerabilities. "That's their decision to make,"
Carpenter said.
CERT, which receives funding from the US Department of Defense, has
been under pressure from the federal government in recent years to
increase its interactions with the private sector and to get help
funding its operation.
CERT's response was to partner with the Electronic Industries
Alliance, a federation of trade associations, and form the
ISAlliance.
"The ISAlliance was formed to promote security improvement across
the Internet and to enable CERT to provide important information to
critical infrastructure operators within the private sector," CERT
said in a statement.
"The funds that CERT receives from the ISAlliance directly support
this interaction."
At the same time as it has had to look for private sector help,
however, the organisation has had to keep up with an ever-growing
number of software vulnerabilities and high-profile attacks
stemming from those vulnerabilities.
CERT recorded just over 9,800 incidents in 1999. By 2002, that
number had grown to more than 82,000 separate incidents.
"We do the best we can with the funding we have. We'd always like
to have more," said William Pollak, manager of communications at
CERT.
While not opposed to private funding of CERT per se, security
researchers would like to see CERT find a way to fund its
operations that does not conflict with its mission as an
independent reporting body.
One way might be for CERT to use its research talent and
established vulnerability rating and publishing system to analyse,
package and distribute vulnerability information after it has been
publicly released.
"They have a good methodology for creating a risk rating and doing
the formatting and analysis. They could be a third party between
the vendor and the researcher and could sell that extra
information," Wysopal said.
Litchfield gave CERT credit for the work that it has done
publicising vulnerability information, especially in cases where a
vulnerability affects a wide array of products.
However, security researchers need to be better informed about how
vulnerability information will be handled when they give it to
CERT, he said.
"My basic concern was to make sure other independent researchers are
aware that this is CERT's policy, because we weren't aware. If
someone had made us aware, we would have stopped informing CERT
ages ago."