Stuart Murdoch, founder and CEO of Surevine, dissects the Morris Worm’s legacy and explores how the attack changed global cyber incident response.

It’s been 30 years since the Morris Worm swept across the internet. In this article we will detail how the worm changed and, in many ways, created cyber incident response infrastructure.

CERT - national incident response

The Computer Emergency Response Team Coordination Centre (CERT / CC) was the first of many new organisations set up as an immediate response to the Morris Worm. The Defense Advanced Research Projects Agency (DARPA), part of the US Department of Defense, funded the establishment of CERT / CC, which was housed in the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania.

The CERT Coordination Centre was established to centralise responses to major incidents in the US. CERT / CC was the first national organisation and it has codified standards by which other similar organisations operate. Indeed, they license their CERT trademark to organisations that meet their standards.

In the UK, a number of organisations used the CERT brand, including CareCERT for the NHS, and MOD-CERT for the Ministry of Defence. Both the GovCert and CERT-UK brands have disappeared, having been merged into the UK National Cyber Security Centre (NCSC). It acts as the national Computer Security Incident Response Team (CSIRT).

Over time CERT has established three key responsibilities:

  • Coordinating incident response to major national incidents.
  • Assigning unique identifiers (CVEs) to product vulnerabilities.
  • Setting standards for other CERTs.

FIRST - international collaboration

Whereas CERT / CC coordinated the response to national incidents, FIRST (Forum of Incident Response and Security Teams), managed incident response across a wider geographies and time-zones. By 1992, FIRST had its first international members from Europe. At the time of writing it has 442 members from 90 countries.

Members of FIRST, which include most National CSIRTs, have to meet certain standards and are subject to inspection by FIRST. Members have a mandatory requirement to publicly share contact information. This makes their jurisdiction clear. For example, the UK NCSC is listed as having jurisdiction of the .gov.uk domain. It also ensures they can be contacted in the event of an incident.

FIRST, as an organisation, was founded to facilitate coordination across teams and between nations. It has gone on to convene meetings of those CSIRTs, which amongst other things, set standards for the way in which CSIRTs collaborate and cooperate across borders on incident response.

ISACs - sector-specific information sharing

Funded by the US government, CERT / CC was established as a national organisation. FIRST, by comparison, facilitates international collaboration amongst similar national/state level CSIRTs.

In 1998, President Clinton enacted a Presidential Decision Directive (PDD) in which he ‘strongly encouraged’ the ‘creation of a private sector Information and Sharing and Analysis Centre’ (ISAC). The PDD was an initiative to encourage the private-sector to collaborate in securing critical national infrastructure.

Whilst the PDD mentioned only one ISAC, many were soon created, including the Financial Services ISAC (FS-ISAC). Sebsequently, many sector-specific ISACs were formed.

The National Council of ISACs, in the US, currently has a membership of 21 sector-specific ISACs. The FS-ISAC is the largest of the ISACs, with over 7,000 member organisations. This, by some estimates, is more than all of the other ISACs combined.

CiSP - cyber security information sharing in the UK

In 2013, the year following the London Olympic Games, the UK launched a national cyber security information sharing partnership - CiSP. This was, from the outset, intended to be cross-sector, with ISAC-style sector-specific sharing happening within the umbrella of CiSP.

Warning and Advisory Access Points (WARPs) are a collaboration mechanism established by the UK’s CPNI. WARPs preceded the launch of CiSP and were, for the most part, moved to the CiSP platform at an early stage. WARPs tended to have been formed to enable regional coordination on matters of security in the UK.

Information Exchanges, another mechanism for collaboration on security matters in the UK, which also preceded CiSP, tended to be specific to key critical national infrastructure sectors. Around a dozen information exchanges were in existence at the time of writing. They have dedicated spaces for collaboration as part of the CiSP community.

The CiSP, originally set up by the UK Cabinet Office, became the responsibility of CERT-UK and when that was subsumed into the NCSC, it became the responsibility of the NCSC.

CiSP now has over 12,000 users and over 4,000 member organisations from over 25 industry sectors. It is the world’s most significant, cross-sector cyber security information sharing partnership.

The UK government, when forming the CiSP community, was able to look to each of these previously categorised organisations and take on appropriate elements of each them. Like CERT / CC it was a national organisation (being the responsibility of CERT-UK and now the NCSC).

Like FIRST, it fostered collaboration across multiple regions in the UK, with regional WARPs and Regional Organised Crime Units (ROCUs) collaborating on the platform. Additionally, as previously mentioned, sector-specific collaboration, similar to that which occurs in an ISAC, is achieved in CiSP Nodes.

ISAOs - non-sectoral information sharing in the USA

President Obama, in 2013’s Executive Order 13691 called for the establishment of Information Sharing and Analysis Organisations (ISAOs). He did so, following the launch of the CiSP in the UK, in order to address two key aspects of the way the ISACs operated in the US:

To facilitate ‘horizontal’ collaboration where ISACs had gravitated to a ‘vertical’ industry sector-specific model.

To increase the amount of sharing with the federal government. This had been called for in Clinton’s PDD but the results weren’t what the federal government had hoped for. ISAOs remain a relatively recent innovation, and the contribution they might make to the overall landscape of information sharing remains to be seen.

Current developments: mandatory incident reporting

Most of the mechanisms listed above have enabled voluntary collaboration on cyber security matters: members pay to join the FS-ISAC and membership of CiSP in the UK is free. Members join to benefit from, and contribute to, increased cyber security for their organisation, their sector and the wider economy.

The game is however changing. With the EU NIS Directive having been transposed into law in each of the EU member states earlier in 2018, cyber security incident reporting has, for operators of essential services, become mandatory.

Similar initiatives mandating the reporting of cyber-incidents are being introduced elsewhere. New York, the home of Wall Street, has introduced such regulations for financial services organisations. Something similar exists for Department of Defense suppliers too.

Mandatory reporting is a compliance activity, which, if ignored, could possibly result in prosecution. Voluntary reporting often attracts liability protection with the Cybersecurity Information Sharing Act (CISA) in the USA and certain Freedom of Information Act protections for users of the CiSP in the UK.

However, the increase in mandatory reporting runs the risk of detracting from the successes achieved by those established voluntary mechanisms for collaboration.

Conclusions

The official response to the Morris Worm laid the foundation for the growing global infrastructure for cyber incident response. Most incident response organisations’ lineage can be traced back to those early initiatives for national, international and sector-specific coordination.

Whilst many of those organisations are publicly funded, the impetus behind their founding - and participation in them - has been driven by the private sector to voluntarily collaborate. This collaboration often sees competitors working together for the good of their sector and the wider economy.

Tendencies to increase mandatory incident reporting must build on this foundation in order that incident reporting doesn’t degrade to a compliance exercise. It needs to minimise the burden of reporting and reinforce liability protections for those voluntarily collaborating.

In summary, the mechanisms which were put in place in response to the Morris Worm provide the foundation of global incident response today. We need to build on these. They’ve helped to keep us safe and one step ahead of cyber threats for the last 30 years.

Stuart Murdoch is Founder and CEO of Surevine, developers of Threatvine, the collaboration platform used by CiSP in the UK. This article is based on material from a chapter by the author in the forthcoming Oxford Handbook of Cyber Security to be published by Oxford University Press.

Read our related article: The Morris worm at 30