CERT looks to cash in on security data
For 13 years the CERT Coordination Center -- originally called the Computer Emergency Response Team -- has been the Internet security watchdog. But CERT's decision to sell sensitive information raises the question of whether CERT is abandoning its mission.
CERT, which is federally funded and operates under the aegis of the Software Engineering Institute (SEI) at Carnegie-Mellon, has advised the public on everything from Internet virus outbreaks to denial-of-service attacks and software vulnerabilities.
When it identified a problem, CERT shared the information with the Department of Defense and posted its famous "CERT advisories" on the Web. If a product was involved, CERT gave the vendor 45 days to fix it before announcing the vulnerability to the world.
But now CERT plans to sell this sensitive information to those willing to pay big bucks (and be sworn to secrecy). To get this info, you have to pay $2,500 to $70,000 to join the Internet Security Alliance (ISA), a group just formed by CERT, SEI and the Electronic Industries Alliance trade association. Nasdaq and the Mellon Financial Group are said to be among the founding ISA members.
Why should we taxpayers pony up $3.5 million -- which is what we gave CERT last year via the Defense Information Systems Agency and General Services Administration -- if CERT is now selling information?
CERT Coordination Center team leader Shawn Hernan says CERT's employees already do paid work for corporations and this simply represents a broadening of those activities.
Of course CERT has every right to try to get the earliest drop on security bugs and sell them. But the question is, should taxpayers subsidize this? Why not have the federal agencies that need the data join as ISA members instead of the government funding CERT?
Hernan says, "CERT is going to be able to do a lot more than it has in the past with this funding. We're not trying to double-dip the federal government."
CERT's not a crook. In fact, the American public owes CERT a debt of gratitude for its work over the years. But the old CERT is gone. The Internet, too, was once subsidized by the federal government until it became apparent the world would pay for IP services. That day may be approaching for CERT, too.
Network World