The face of computing changed forever on Nov. 2, 1988. At 5 PM on that Wednesday, researchers at Cornell University spotted an unknown self-replicating program on their computers. By 9 PM, it had spread to a dozen more universities, national laboratories, and other hosts on interconnected networks, including ARPANET, a precursor of today's Internet. By the next day, the network was so crippled that a warning message sent out by Harvard University took 26 hours to reach the Massachusetts Institute of Technology (MIT), just three miles away.
The itinerant intruder, later dubbed the "Morris worm" after its creator, a graduate student at Cornell, proved remarkably sophisticated: it exploited four separate weaknesses in the hosts it reached, including two Unix configuration errors (a sendmail debug mode left enabled, and trusted-host relationships that let it log in without a password), a buffer overflow bug in the finger daemon, and a password-guessing scheme.
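The finger-daemon overflow the worm used came from reading one request line into a fixed-size stack buffer with gets(), which stops at a newline but never at the buffer's end. The C below is an added example illustrating that bug class beside a bounded replacement; it is not the worm's code, not the 1988 fingerd, and the frame layout, buffer size and canary value are constructed for the demonstration. The unchecked copy is written through a char pointer over a modelled frame so that the clobber of the adjacent saved value is deterministic and well-defined rather than a real stack corruption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a daemon's stack frame: a fixed request buffer followed by a
 * saved value standing in for a return address.  Sizes are chosen for the
 * example (hypothetical), not taken from any real daemon. */
struct frame {
    char     req[16];
    uint64_t saved_ret;
};

#define CANARY 0xC0FFEE42ULL   /* recognisable value so a clobber is visible */

/* gets()-style length: bytes the unchecked copy writes, NUL included.
 * It stops at newline or NUL, never at the destination's size. */
static size_t gets_style_len(const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n')
        n++;
    return n + 1;                 /* +1 for the terminating NUL */
}

/* Vulnerable pattern.  The copy goes through a byte pointer over the whole
 * frame, capped at sizeof(frame) only so the demo stays in bounds; a real
 * gets() has no such cap.  Returns true if saved_ret survived the request. */
bool vulnerable_handler(const char *request) {
    struct frame f;
    f.saved_ret = CANARY;
    size_t n = gets_style_len(request);
    if (n > sizeof f)
        n = sizeof f;
    unsigned char *raw = (unsigned char *)&f;
    memcpy(raw, request, n - 1);  /* runs straight past f.req into saved_ret */
    raw[n - 1] = '\0';
    return f.saved_ret == CANARY;
}

/* Hardened pattern: bounded copy that always NUL-terminates and rejects a
 * line that does not fit (returns -1) instead of truncating it silently. */
int read_request_line(char *dst, size_t cap, const char *src) {
    if (cap == 0)
        return -1;
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) {       /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Same frame, same request, bounded read: saved_ret is never touched. */
bool hardened_handler(const char *request) {
    struct frame f;
    f.saved_ret = CANARY;
    int len = read_request_line(f.req, sizeof f.req, request);
    (void)len;                    /* a real daemon would drop/log len == -1 */
    return f.saved_ret == CANARY;
}

int main(void) {
    /* Constructed inputs: a normal finger request and an oversized one. */
    const char *ok  = "alice\n";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";   /* 36 bytes */
    printf("vulnerable: short intact=%d, long intact=%d\n",
           vulnerable_handler(ok), vulnerable_handler(bad));
    printf("hardened:   short intact=%d, long intact=%d\n",
           hardened_handler(ok), hardened_handler(bad));
    return 0;
}
```

The point of the pairing is that the hardened version changes the contract, not just the copy: an oversized request becomes an explicit error the caller must handle, which is the check the original pattern had no way to express.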
Today, the response to that kind of attack would be performed by one or more of some 300 computer emergency response teams (CERTs) worldwide. However, over 72 chaotic hours in 1988, the reaction to the worm was led by just two computer scientists at the U.S. Defense Advanced Research Projects Agency (DARPA): William Scherlis and Stephen Squires. "People at MIT, Utah, and Berkeley were trying to reverse engineer the C code of the virus so we could understand what it was doing and what its effects would be," Scherlis recalls. "Fragments of understanding were emerging in different organizations regarding the behavior of the worm, its mechanism, and how to respond, including immediate mitigation steps and corrective repairs. We helped them validate and propagate fixes across the network, and respond to queries from various stakeholders."
Six days later, Scherlis and Squires recapped the response to the unprecedented attack in a confidential memo to the head of DARPA, recommending the formation of a National Computer Infection Action Team (NCIAT) staffed around the clock to respond in "acute situations" and to provide "a focal point for discussion of prevention, coordination, and awareness." The Computer Emergency Response Team at the Software Engineering Institute (SEI), a federally funded research center at Carnegie Mellon University, was established on Nov. 14 as a result.
"The Morris worm was a signal event, a tipping point, when scale overtook trust," Scherlis says. The national internetwork was some eight orders of magnitude smaller than the Internet is today, and its users at the time were collaborators who mostly knew each other. "There was a presumption of trust, so doors were often left unlocked," Scherlis says. "But at a certain point the number of users grew to include people with less than the best intentions, and there grew the possibility of errors with very pervasive effects."
The response team formed in 1988, now called the CERT Division of SEI, today has 250 people in Pittsburgh and Washington and a $70-million budget, mostly from the U.S. government. While it still performs some emergency response, its mission over the years has shifted more to readiness and research. It partners with government, industry, law enforcement, and academia "to develop advanced methods and technologies to counter large-scale, sophisticated cyber threats." Its website offers dozens of computer security training courses (as an example, "Secure Coding in C and C++"), notices of recent vulnerabilities (like "Multiple broadband routers use vulnerable versions of Allegro RomPager"), news, blogs, and podcasts about security.
In 2003, CERT at the SEI became a template for the Department of Homeland Security's (DHS) new U.S. Computer Emergency Readiness Team (US-CERT), the 24-hour operations unit of the National Cybersecurity and Communications Integration Center (NCCIC). The SEI CERT has contributed much content to US-CERT’s website, and the missions of the two organizations overlap. Says Richard Pethia, director of the SEI CERT since 1988, "A lot of the front-line response work is done by federal agencies – by the US-CERT and law enforcement agencies like the FBI and Secret Service. We help if called. We go on-site to provide technical support, like how to collect data from affected systems and how to do that in a forensically sound way."
The US-CERT created the National Cyber Awareness System, which offers four products to the public on a subscription basis: news of current activity, alerts, bulletins and tips. Yet the emergency response work of the 240-person, $100-million unit generally goes on behind the scenes to support front-line responders like the U.S. Federal Bureau of Investigation, and it rarely appears in the news. US-CERT declined several requests for interviews for this story, instead responding in writing to some written questions. It says its role has expanded since 2003 from one primarily supporting civilian U.S. agencies to working also with law enforcement, the military, the private sector, and global partners.
Because of its long history, the CERT Division at the SEI remains the primary organization for dealing with newly discovered computer and network vulnerabilities, Pethia says. "Over the years, we have developed fast, secure channels into about 800 software development organizations."
Understanding and blocking new malware has become an "overwhelming" job, with tens of thousands of new variants surfacing every day, Pethia says. "The US-CERT does some of it, we do some of it, some is done inside the Department of Defense and law enforcement. We have collectively developed bodies of tools to automatically analyze these things," he says.
Recalling the events of 1988, Scherlis – now director of the Institute for Software Research in the School of Computer Science at Carnegie Mellon – says, "At the very beginning, our concept of operations was focused on scalability, a major DARPA theme. Another criterion was that it had to be a safe focal point for collaboration. The concept was to create a venue where institutions could safely share information that they may not want to put into the public space."
He says the founders of the first CERT realized it would be just one of many such organizations, and that there would need to be a coordinating organization for them. In 1990, that entity became the global Forum for Incident Response and Security Teams (FIRST), whose mission was and is to share information and best practices across organizations. Today, FIRST represents 313 CERTs in 68 countries, including 72 in the U.S., some affiliated with national governments, some with specific law enforcement agencies, and some with individual companies.
In addition, there are industry-specific CERTs, like the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a DHS unit focused on control systems at chemical plants, dams, communication networks, the electric grid, and the like. "I view the proliferation of CERTs as a positive thing, a success of the scalability concept, as opposed to trying to create one team," Scherlis says. "Nobody would trust that team sufficiently."
Gary Anthes is a technology writer and editor based in Arlington, VA.