Appendix C Emergency Response Teams
In the aftermath of the Internet worm incident has come a flurry of attempts to anticipate the next occurrences of a virus, propagating Trojan horse, or other widespread attack. As a result, several emergency response teams offering 24-hour service have been established, including the following:
The Computer Emergency Response Team (CERT): Formed by the Defense Advanced Research Projects Agency and centered at the Software Engineering Institute at Carnegie Mellon University, CERT provides access to technical experts around the country. CERT is intended to provide both incident-prevention and incident-response services. It was an outgrowth of the November 1988 Internet worm incident, which was managed and resolved by an informal network of Internet users and administrators. CERT was established to provide the capability for a more systematic and structured response; in particular, it is intended to facilitate communication during system emergencies. Another role that has evolved is communication with vendors about software weaknesses or vulnerabilities that have emerged through practical experience with attacks on systems. CERT draws on the computer system user and development communities, and it also coordinates with the National Institute of Standards and Technology and the National Security Agency. It sponsors workshops to involve its constituents in defining its role and to share information about perceived problems and issues (Scherlis et al., 1990).
The Defense Data Network (DDN) Security Coordination Center (SSC): Created by the Defense Communications Agency at SRI International to serve the (unclassified) DDN community as a clearinghouse for host and user security problems and fixes, the SSC expands on the functions provided by SRI through the Network Information Center (NIC) that has served Milnet users but was not set up to address security problems. Interestingly, the SSC was launched after DARPA's CERT in recognition of the fact that there was no central clearinghouse to coordinate and disseminate security-related fixes to Milnet users (DCA, 1989).
The Computer Incident Advisory Capability (CIAC): This capability was established by Lawrence Livermore National Laboratory to provide CERT-type services for classified and unclassified computing within the Department of Energy (DOE). The scale of DOE computer operations and attendant risks provided a strong motivation for an agency-specific mechanism; the DOE community has over 100,000 computers located at over 70 classified and unclassified sites. Like the Defense Communications Agency, DOE saw that a "central capability for analyzing events, coordinating technical solutions, ensuring that necessary information is conveyed to those who need such information, and training others to deal with computer security incidents is essential." DOE was able to draw on an established research capability in the computer security arena, at Lawrence Livermore National Laboratory (Schultz, 1990).
Because of the rapidity with which computer pest programs can spread both within the United States and worldwide, it is vital that such efforts be well informed, coordinated with one another, and ready to mobilize rapidly in emergencies. Note that none of these systems has yet been tested with a full-scale emergency on the scale of the Internet worm.