ployed by a worm’s author. Another possibility has the bulk of the worm written in a flexible language combined with a small interpreter. By making the worm’s commands be general modules, a huge increase in flexibility would be achieved.

Of particular interest are new attack modules and seeds for new worms. If the author discovers a new security hole and creates a new attack module, this could be released into the worm network. Even if only a few thousand copies of the worm remain, this is enough of an installed base for a hit-list like effect to occur upon introduction of a new attack module, quickly spreading the worm back through the network.

It is an interesting question whether it is possible for a worm author to release such a worm with the cryptographic modules correctly implemented. From experience, if the worm author attempts to build their own cryptographic implementation, this could well suffer from a significant weakness that could be exploited for countering the worm. Yet there are a number of strong cryptographic applications and libraries that could be used by a worm author to provide the cryptographic framework, a good example being OpenSSL [Op01], which includes an encrypted session layer, symmetric ciphers, hash functions, and public key ciphers and signatures to provide for code signing.

7 Envisioning a Cyber “Center for Disease Control”

Given the magnitude of Internet-scale threats as developed in the previous sections, we believe it is imperative for the Internet in general, and for nations concerned with cyberwarfare in particular, to attempt to counter the immense risk. We argue that use of biological metaphors reflected in the terms “worms” and “viruses” remains apt for envisioning a nation-scale defense: the cyber equivalent of the Centers for Disease Control and Prevention in the United States [CDC02], whose mission is to monitor the national and worldwide progression of various forms of disease, identify incipient threats and new outbreaks, and actively foster research for combating various diseases and other health threats.

We see an analogous “Cyber-Center for Disease Control” (CDC) as having six roles:

• Identifying outbreaks.
• Rapidly analyzing pathogens.
• Fighting infections.
• Anticipating new vectors.
• Proactively devising detectors for new vectors.
• Resisting future threats.

In the remainder of this section, we discuss each of these in turn, with our aim being not to comprehensively examine each role, but to spur further discussion within the community.

7.1 Identifying outbreaks

As discussed earlier in this paper, to date Internet-scale worms have been identified primarily via informal email discussion on a few key mailing lists. This process takes hours at a minimum, too slow for even the “slower” of the rapidly-propagating worms, much less the very fast worms developed in Section 4. The use of mailing lists for identification also raises the possibility of an attacker targeting the mailing lists for denial-of-service in conjunction with their main attack, which could greatly delay identification and a coordinated response. Present institutions for analyzing malicious code events are not able to produce a meaningful response before a fast active worm reaches saturation.

CDC Task: develop robust communication mechanisms for gathering and coordinating “field information.” Such mechanisms would likely be (i) decentralized, and (ii) span multiple communication mechanisms (e.g., Internet, cellular, pager, private line).

For flash worms, and probably Warhol worms, arguably no human-driven communication will suffice for adequate identification of an outbreak before nearly complete infection is achieved.

CDC Task: sponsor research in automated mechanisms for detecting worms based on their traffic patterns; foster the deployment of a widespread set of sensors. The set of sensors must be sufficiently diverse or secret such that an attacker cannot design their worm to avoid them. This requirement may then call for the development of sensors that operate within the Internet backbone, as opposed to at individual sites, and actuators that can respond to various threats (see below)
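The automated, traffic-pattern-based detection that the second CDC task calls for, illustrated with an added example that is not from the paper: a hypothetical passive sensor that flags a source contacting unusually many distinct destinations within a short window, the fan-out pattern a scanning worm produces. The window length, the threshold and the flow records are constructed assumptions, not values from the paper.

```python
"""Hypothetical fan-out sensor: a worm scanning for new victims contacts many
distinct destinations per unit time, a traffic pattern visible without human review."""
from collections import defaultdict, deque
from typing import Iterable, List, Tuple

# Flow record: (timestamp_seconds, src_ip, dst_ip, dst_port). Sample data below is constructed.
Flow = Tuple[float, str, str, int]

WINDOW_SECONDS = 1.0     # sliding window length (assumed tuning value)
FANOUT_THRESHOLD = 8     # distinct destinations per window that trips the sensor (assumed)


def detect_fanout(flows: Iterable[Flow],
                  window: float = WINDOW_SECONDS,
                  threshold: int = FANOUT_THRESHOLD) -> List[Tuple[float, str, int]]:
    """Return (timestamp, src_ip, distinct_dst_count) for each source at the moment it
    first exceeds `threshold` distinct destinations inside any `window`-second span.
    Flows must arrive in non-decreasing timestamp order, as a sensor would see them."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerts = []
    flagged = set()
    for ts, src, dst, _port in flows:
        q = recent[src]
        q.append((ts, dst))
        # Expire entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold and src not in flagged:
            flagged.add(src)   # alert once per source; a real sensor would also report to peers
            alerts.append((ts, src, distinct))
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed traffic: one host repeatedly talking to a single server (benign),
    one host sweeping consecutive addresses in a /24 (worm-like scanning)."""
    normal = [(0.1 * i, "10.0.0.5", "192.0.2.10", 443) for i in range(30)]
    sweep = [(2.0 + 0.05 * i, "10.0.0.9", f"198.51.100.{i}", 80) for i in range(40)]
    return sorted(normal + sweep, key=lambda f: f[0])


if __name__ == "__main__":
    for ts, src, n in detect_fanout(sample_flows()):
        print(f"t={ts:.2f}s: {src} reached {n} distinct hosts within {WINDOW_SECONDS}s")
```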