Errata: Richard D. Pethia of CERT Congressional Testimony

Richard D. Pethia, Directory of the CERT Coordination Center gave Congressional testimony on September 10, 2003 titled "Viruses and Worms: What Can We Do About Them?". Pethia's testimony left questions..

Blockquoted material is from the testimony.

We activated the center in just two weeks, and we have worked hard to maintain our ability to react quickly.

I think there is little room for debate when it comes to questioning CERT's response time for releasing advisories on vulnerabilities. There have been cases where CERT releases an advisory on a remote vulnerability *years* after it has been widely exploited. Even these days, they release shoddy advisories lacking technical details days/weeks after the issue is brought to light.

Today, with continued sponsorship from the Department of Defense and from the Department of Homeland Security, we continue our work and disseminate security information and warnings through multiple channels

Nice of them to remind us that our tax dollars fund them. What they neglect to tell Congress, is that these multiple channels include some that go to specific vendors/customers long before they are made public. CERT continues to distribute this advanced information knowing that there is a well established leak that in turn publishes the information anyway. These channels are maintained despite the wide exploitation of vulnerabilities affecting *millions* of computers on the net.

Impact of Worms and Viruses In the 2003 CSI/FBI Computer Crime and Security Survey... The Australian Computer Crime and Security Survey found similar... damages are estimated to be .. (Business Week, the London-based mi2g..

Great, Congress is going to listen to these extensive damage figures from an "expert" who is citing other "experts" that generate computer crime and damage figures from glorified sewing circles. The CSI/FBI survey has consistantly polled around 350 companies and asked them for incident number and damages. They don't care who answers from these organizations, nor do they care what figures they receive back. The statistical value of this survey according to some staticians/economists is basically worthless. Better yet, he goes on to cite the FUD Mongering mi2g company who is well known for their drama filled advisories and lack of ethics. (Vmyths: http://vmyths.com/resource.cfm?id=64&page=1, Forno: http://www.infowarrior.org/articles/2002-12.html, Attrition: http://www.attrition.org/errata/charlatan/mi2g-history.html).

There is nothing intrinsic about computers or software that makes them vulnerable to viruses.

...

Recommended Actions What Can the Government Do? Provide incentives for higher quality/more security products. (read the two paragraphs)

YAY, CERT finally uses its influence and voice to say something worthwhile.

Information assurance research. More awareness and training for Internet users.

Hrm, what did CERT say it did in the intro?

we identify and publish .. , conduct research .. and provide training to system administrators, managers, and incident response teams.

CERT asking for money during Congressional testimony?

It's too bad there isn't more scrutiny placed on the people who testify before Congress. Hell, even Dan "the FUDmeister" Verton issued a press release about testifying in the coming months.