Security in the news: Events and non-events

April 1 passed without the massive attack by the much-anticipated Conficker Internet worm, but don't relax just yet.

True, the sneaky malware, which has gone through several evolutions since security experts first became aware of it, did not seize control of the nation's computers, perpetrate massive identity theft and bring down the Web. But the story might not be over.

"The network of Conficker-infected machines could still spring to life and be used for nefarious deeds," reports the Associated Press. "One scary element is that Conficker's authors have given the infected PCs peer-to-peer abilities, which allows them to update each other and share malicious commands through encrypted channels."

The scope of the potential problem remains a tantalizing mystery, but a number of security experts tentatively offered their best guess-timates last week:

  • One Internet infrastructure vendor, OpenDNS, reports that 500,000 of its customers, out of 10 million worldwide, have been infected with the most recent iteration, Conficker.c, the IDG News Service reports.
  • After monitoring network activity on April 1, IBM's security experts concluded that 4 percent of Internet addresses sending out malicious data are infected with the same variant, according to Computerworld.
  • Also from Computerworld: A security company based in Vietnam pegs the number of infected PCs at 1.38 million worldwide, of which only 2.6 percent are in the United States.

So why didn't the sky fall? Was the problem overhyped? Were the emergency patches successful? Was it an April Fool's Day joke? Or is the main event still to come?

"More likely the 'it's hitting on April 1' is a misdirection -- a pay-no-attention-to-the-man-behind-the-curtain kind of deal," writes InfoWorld blogger Robert X. Cringely. "Because these days no self-respecting worm author would actually tell you when his baby was planning to strike."

Meanwhile, technology experts are carefully monitoring activity in the Senate, which is considering legislation that aims to tighten up Internet security in government and industry.

The bill would establish a new advisory office in the Executive Office of the President, propagate cybersecurity standards for the public and private sectors, and improve training and certification programs for cybersecurity.

Also, as Network World noted, the legislation would give President Obama the power to shut down Internet connections in the event of a "cybersecurity emergency."

Some security experts "don’t think such sweeping power is good news for anyone, including private networks that could be shut down by government order," writes Network World's John Fontana. "Those same networks would be subject to government mandated security standards and technical configurations."

Others are skeptical of the federal government's ability to improve Internet security through brute force. "Security is an attitude, and it's hard to legislate attitude," Brian Chess, founder and chief scientist at Fortify Software Inc., told Computerworld. "It has more to do with understanding the impact of insecure software on the organization."

Some FCW readers also have their doubts. "Whatever happened to the checks and balances that our Constitutional fathers envisioned?" one reader, signing himself as "Disgusted," commented on our April 1 Web story. "This is yet another example of a knee-jerk reaction by uninformed bureaucrats who are clueless about cybersecurity, yet fancy themselves to be experts because they personally use a Blackberry."

Another reader shared similar sentiments in more graphic terms: "Can you imagine what a disposable diaper would look like if you charged the government with developing it?"

