National Vulnerability Database break-in comes as President Obama presses for stronger cybersecurity this week with corporate leaders
The recent hack of the National Vulnerability Database (NVD) is one more example of the need for a stronger U.S. cybersecurity strategy.
President Barack Obama pressed for such an initiative in meetings Wednesday and Thursday with corporate leaders, Bloomberg News reports. The president wants more cooperation between government and private industry to fend off cyberattacks.
The meetings, with companies including Nasdaq, Oracle, Cisco, Exxon and JPMorgan Chase & Co., occurred the same week it was disclosed that the government's NVD was taken offline after malware was discovered in two of its servers. The National Institute of Standards and Technology runs the database.
The unidentified attackers exploited a vulnerability in Adobe's Web development software ColdFusion, NIST spokeswoman Gail Porter said. The malware was inserted before Adobe issued a patch Jan. 15.
NIST discovered the malware on March 8, after suspicious activity was detected by a firewall, which led to the two servers being taken offline. One server ran the NVD while the other hosted a half dozen other sites, including manufacturing.gov, E3.gov, greensuppliers.gov, emtoolbox.nist.gov, nsreserve.gov, and stonewall.nist.gov, Porter said.
Only three of the sites, manufacturing.gov, E3.gov and greensuppliers.gov, were restored on a different server as of Thursday. The NVD also remained offline.
"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites," Porter said. NIST did not know the motive of the attackers.
Andrew Brandt, director of threat research at Solera Networks, said the NVD would be an effective platform for distributing malware to the many organizations that use the database.
"I think in this case the motivation was to distribute malware to as wide an audience as possible," Brandt said. Having the NVD offline hampers security efforts at many organizations.
Strengthening the nation's cybersecurity to protect U.S. corporations and critical infrastructure, such as the power grid, water filtration systems and energy pipelines, is a top priority of the Obama administration.
Gen. Keith Alexander, who heads the National Security Agency and the military's newly created Cyber Command, told a House committee on Tuesday that over the last six months, there have been more than 160 disruptive attacks on banks, according to reporting from The Washington Post. Government officials have said they believe the denial-of-service attacks originated from Iran.
Intelligence officials have identified China as a major source of computer espionage against the U.S. Recent attacks on major U.S. news agencies have been traced to China.
The Chinese government denies being behind cyberattacks on the U.S., and claims its own military and government agencies are under constant attack.
The Obama administration has called on China to join it at the bargaining table to develop new rules governing behavior in cyberspace. At the same time, the U.S. has been strengthening its defensive and offensive tools.
Alexander told the House Armed Services Committee that 13 teams of programmers and computer experts were being formed to take offensive action against foreign nations if the U.S. came under a major attack.
Such tough action is the best strategy for getting China to the bargaining table, said Stewart Baker, the former assistant secretary for policy at the Department of Homeland Security. Baker is now a partner at the international law firm Steptoe & Johnson.
"This is not a problem that can be solved with negotiation, at least not until China decides it can do better by negotiating than by continuing its current tactics," Baker said. "We will be negotiating from weakness until we demonstrate a capability that China fears. That means, inevitably, that we'll be in an arms race for quite a while."