Vulnerability database hack highlights need to bolster cybersecurity

The recent hack of the National Vulnerability Database (NVD) is one more example of the need for a stronger U.S. cybersecurity strategy.

President Barack Obama pressed for such an initiative in meetings Wednesday and Thursday with corporate leaders, Bloomberg News reports. The president wants more cooperation between government and private industry to fend off cyberattacks.

The meetings, with companies including Nasdaq, Oracle, Cisco, Exxon and JPMorgan Chase & Co., occurred the same week it was disclosed that the government's NVD was taken offline after malware was discovered in two of its servers. The National Institute of Standards and Technology runs the database.

The unidentified attackers exploited a vulnerability in Adobe's Web development software ColdFusion, NIST spokeswoman Gail Porter said. The malware was inserted before Adobe issued a patch Jan. 15.

NIST discovered the malware on March 8, after suspicious activity was detected by a firewall, which led to the two servers being taken offline. One server ran the NVD while the other hosted a half dozen other sites, including,,,,, and, Porter said.

Only three of the sites,, and, were restored on a different server as of Thursday. The NVD also remained offline.

"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites," Porter said. NIST did not know the motive of the attackers.

Andrew Brandt, director of threat research at Solera Networks, said the NVD would be an effective platform for distributing malware to the many organizations that use the database.


"I think in this case the motivation was to distribute malware to as wide an audience as possible," Brandt said. Having the NVD offline hampers security efforts at many organizations

Strengthening the nation's cybersecurity to protect U.S. corporations and critical infrastructure, such as the power grid, water filtration systems and energy pipelines, is a top priority of the Obama administration.

Gen. Keith Alexander, who heads the National Security Agency and the military's newly created Cyber Command, told a House committee on Tuesday that over the last six months, there have been more than 160 disruptive attacks on banks, according to reporting from The Washington Post. Government officials have said they believe the denial-of-service attacks originated from Iran.

Intelligence officials have identified China as a major source of computer espionage against the U.S. Recent attacks on major U.S. news agencies have been traced to China.

The Chinese government denies being behind cyberattacks on the U.S., and claims its own military and government agencies are under constant attack.

The Obama administration has called on China to join it at the bargaining table to develop new rules governing behavior in cyberspace. At the same time, the U.S. has been strengthening its defensive and offensive tools.

Alexander told the House Armed Services Committee that 13 teams of programmers and computer experts were being formed to take offensive action against foreign nations if the U.S. came under a major attack.

Such tough action is the best strategy for getting China to the bargaining table, said Stewart Baker, the former assistant secretary for policy at the Department of Homeland Security. Baker is now a partner at the international law firm Steptoe & Johnson.

"This is not a problem that can be solved with negotiation, at least not until China decides it can do better by negotiating than by continuing its current tactics," Baker said. "We will be negotiating from weakness until we demonstrate a capability that China fears. That means, inevitably, that we'll be in an arms race for quite a while."


Stories by Antone Gonsalves
