The Complex

The government's cyber vulnerability database was infected with malware (Updated)

The National Institute for Standards and Technology or NIST -- the government institute responsible for bringing together critical infrastructure providers to decide the minimum cyber security standards they should adhere to under President Obama's cyber security executive order -- had to take its list of cyber vulnerabilities offline after it was discovered to be infected with malware.

(That's a photo of NIST's Advanced Measurement Lab above.)

According to numerous reports in the tech press, two of NIST's servers hosting the U.S. government's National Vulnerability Database were infected with malware that took advantage of security gaps in Adobe's ColdFusion software. The kicker: the site was infected for two months before the malware was noticed and NIST took it offline last Friday.

The National Vulnerability Database is supposed to be the government's resource to give the IT security community a running list of known cyber vulnerabilities.

"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites," a NIST spokeswoman said in a March 14 statement posted to  Google+ by Kim Halavakoski, chief security officer at Crosskey Banking Solutions, which noticed the database was offline while trying to research cyber vulnerabilities.

As noted by The Register, Adobe issued a warning about the flaw in ColdFusion on January 4 and a software patch for it on January 15.

So yeah, it looks like the government agency charged with helping develop cyber security best practices didn't follow a key best practice: regularly updating its software.

When looking for a photo for this piece, Killer Apps noticed that NIST's photo gallery is also unavailable; let's hope it wasn't infected too.

We've got a phone call in to NIST; we'll let you know when we hear back.

UPDATE: A NIST spokeswoman just emailed Killer Apps to say that the database and several other NIST sites are back up and running.

Please note that the following web sites are now back up. There may be some associated web sites or aliases that are not yet up, however.

http://nvd.nist.gov
http://checklists.nist.gov
http://scap.nist.gov
http://usgcb.nist.gov


General Alexander: Civil agencies should lead response to domestic cyber attacks

Army Gen. Keith Alexander, head of U.S. Cyber Command, yesterday said that civilian agencies should have the lead in responding to most cyber attacks on U.S. soil.

"From my perspective the domestic actor would be the FBI," said Alexander, responding to a question from Rep. Joe Heck about the command's role in responding to cyber attacks that originate in the United States. "We share our tools with the FBI. They work through the courts to have the authority to do what they need to do in domestic space to withstand an attack."

Cyber Command and FBI Director Robert Mueller have "come up with a way that he would do inside [the U.S.] and we would do outside," Alexander added, in testimony to a House Armed Services subcommittee.

Alexander went on to point out that DOD, the FBI, and the Department of Homeland Security are hammering out ways to share information on cyber threats extremely quickly -- figuring out where the attack is coming from; determining whether it's a criminal, espionage, or destructive attack; and allowing the appropriate agency to take the lead while receiving support from the others. 

"There may be points and times where you have, you know, significant attacks where we need to change parts of that [civilian-led response structure], but the key thing is to have him [Mueller and the FBI] do inside the country," said Alexander. "He would work with the courts as appropriate to do his portion of the mission. Outside the country, that's where we would operate." (Click here to read about the offensive cyber teams that DOD is standing up to conduct operations outside the United States.) 

It's worth noting that some of the teams that Cyber Command is establishing to "operate and defend" networks will work closely with "DHS and FBI as required," said Alexander.

Still, as Alexander noted, "the Defense Department will do its part to defend the country. It's not going to just defend itself. Our job is to defend the country and the focus would be obviously on critical infrastructure, just as it would be in kinetic and other things."

He elaborated on the key questions that govern the debate as to when the military becomes deeply involved in responding to a cyber incident. 

"The issue becomes, when does an exploit become an attack, and when does an attack become something that we respond to? Those are the policy decisions, and the red lines that go to those will be policy decisions" for the White House, said the four-star. "Our job would be to set up the options that the president and the secretary could to stop [destructive cyber attacks from an outside enemy]. And as you may recall, both the former president and the current president have both said that they would keep the options open in this area. I mean, I think that's reasonable, from using State Department to demarche, all the way over to kinetic options or cyber. So they have that whole range."
