Is government the odd man out in cyber defense?

Conficker group creates a 'new model,' but agencies contribute little

After years of lip service to public-private collaboration, the government apparently still has trouble working and playing well with others.

That is a conclusion drawn from a study, commissioned by the Homeland Security Department (DHS), of lessons learned from the Conficker Working Group (CWG). The working group is an ad hoc assemblage of more than two dozen companies, Internet registrars, universities and agencies including the FBI and DHS, that came together in 2008 to combat the Conficker worm.

“In coordinating to stop the botnet threat, the CWG became a model for cyber defense,” the report said. “Thanks to this effort, we can glean a number of valuable lessons to guide how future efforts may be initiated, organized and managed.”

According to the study, what worked was the collaboration between companies and Internet organizations. One of the things that didn’t work was the government’s collaboration.

“The group as a whole saw little participation from the government,” the report, released this month, said. “One person put it as ‘zero involvement, zero activity, zero knowledge.’ ”

Related coverage:

Group finds a way to thwart Conficker (no thanks to government)

Have agencies scrubbed the Conficker worm from their systems?

The study was conducted by the Rendon Group, and although members of the CWG were interviewed, the conclusions are not necessarily those of the working group, CWG chairman Rodney Joffe wrote on the group’s Web Site. “Nonetheless the Core Committee of the Conficker Working Group believes the report has substantial value,” he wrote.

An evaluation of the government’s performance was complicated by a lack of clear expectations, the report found. “Those interviewed did not necessarily express a clear consensus on what the government role should have been, with some expressing a desire for greater communication and collaboration while others indicated that they felt the private sector is more capable of managing the effort.”

The government did play an important role in funding research on the worm and it apparently took full advantage of the group’s work. Joffe, senior vice president at Neustar Inc., a directory services provider that administers the domain name registry for the .us country code top level domain for the Commerce Department, reported last year that agencies apparently had cleaned Conficker out of most of its infected systems. By tracking the scanning activity of the Conficker worm, Neustar found that the number of infected government systems dropped from a peak of tens of thousands to less than 40 systems in the entire federal network.

But there remains the clear perception, at least, that the government either is not able or not interested in cooperating with the private sector. This is a dangerous situation, given that every strategy, study and musing on national cybersecurity has emphasized the need for a public-private partnership in protecting our critical infrastructure.

The bulk of this infrastructure — commonly published guesstimates put it around 85 percent — is owned and controlled by private companies. The nation’s two predominant cybersecurity organizations, DHS and the National Security Agency, have acknowledged they have neither the resources to nor the responsibility for protecting privately owned networks and systems, although they are critical to national security. The solution, everyone agrees, is public-private cooperation.

There probably is blame on both sides for the lack of effective collaboration. Businesses have different goals, structures and obligations than does government. But if competing companies can come together effectively with each other, and with universities and Internet governance organizations, to combat a cyber threat, it appears that government is the odd man out. The results of the Conficker Working Group study should be carefully evaluated to determine where and how improvements can be made.


About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Tue, Feb 1, 2011 Former DHS Columbia, MD

There actually are some very capable technical people in the cyber security side of DHS, but far too few. The shortage is largely due to low wages and DHS's famously dysfunctional hiring process. However, the more serious problem is an organizational legacy of the last administration. Specifically, the political appointee who was supposed to lead government-wide efforts in "critical infrastructure protection" failed to exercise productive leadership. He actively evaded dealing with technical matters (e.g. cybersecurity), apparently because he personally lacked technical competence. Instead, his so-called "Office of Infrastructure Protection" blissfully expended its attention on physical barriers such as huge concrete flower pots. To present a facade of interacting with the private sector, he kludged together a jumble of unempowered committees which were never provided useful government information and, not surprisingly, have made zero contributions to public-private collaboration. With this failed legacy still in place, it's no wonder the private sector views DHS as a non-contributor.

Tue, Feb 1, 2011

There is more evidence in the report that the group didn't really want government involvement. While they say "Information Sharing. On government involvement and information sharing: "They have people [on the lists], it's a one way street that doesn't work." Government must share information, not just consume information. As one interviewee said, the US government "should not just leech off the process." Also of concern on this issue, one person noted, "DOD and NSA don't have taxonomy for sharing info outward.", then it goes on to say "A number of people recognized Conficker's threat in December and January. Members of USCERT were not added to the Conficker Working Group list until mid-March. A more formal early warning mechanism should be established between the informal networks of cybersecurity experts and the US government. The US government received information about Conficker through a number of informal channels, and as one interviewee stated, “informal communication worked.” However, relying on informal mechanisms to inform the government of threats may not be the best practice and may have led to different parts of the government inconsistencies." In appendix A, they list those interviewed, and the group members, and the government is not represented in either.

Tue, Feb 1, 2011

I'm not sure what to make of this -- for more information I downloaded and read the report. The Feds are mentioned very little. They were not members of the working group (pg. 19), which was pretty much a clique anyway (pg. 28), and probably didn't want them. Also it was noted in the very small section on gevernment involvement "With that said, one area the U.S. Government did participate indirectly was through malware reversal. SRI’s research is funded by the US government and played an important role in the process. Information sharing with the US Government. Most participants who commented on the issue felt information sharing between the Conficker Working Group and the government was one way, with information flowing from the group to the government, but without receiving information in return. A few said they had two-way information sharing with the government, but that was not done at the group level but through personal contacts." Earlier it says "With much of the Internet infrastructure controlled by the private sector, there is a common opinion that the market will work to take care of Internet security as a whole. This point of view suggests the government has a limited role to play in broader cybersecurity efforts such as the Conficker Working Group." and "The early members of the Conficker Working Group self-organized to deal with a specific situation they all independently recognized as a threat to the larger community. No particular institutional mechanism created or called for the group." so it is not surprising the Feds had little involvement. And I will ignore the unlearned comment about government dinosaurs, and pity the writer psychological state.

Tue, Feb 1, 2011

The government is filled with dinosaurs prepared for a future that no longer exists. They should all be extinct by now (if you believe in Darwinian theory). Government uses private industry to run its systems because those they have on hand are too old/inexperienced to do it themselves. Those native to the government are put in managerial positions to manage the private industry assets that they can't even begin to understand. Is it any wonder why there was no progress or collaboration??? You have to have something to offer when you collaborate with someone (or group of someones). If you don't have any inherent knowledge or skills to collaborate, naturally you're going to keep your mouth shut, so as not to look incompetent. (However, in this case, silence demonstrates ignorance.)

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group