The mature model at CDC could offer some wonderful guidelines for long-term planning at NIPC,

In the past 12 to 15 months, attackers have made a massive shift to attack applications. Automated patching started making it harder to find new vulnerable systems, so they went after applications that users are just not patching.

Systems integrators pick and choose the parts of the FAR they pay attention to,

It's something we call collateral damage, but I don't mean that lightly. This thing creates traffic inside a subnet, creates traffic in addition to what comes in from the outside.

Data I have says that 20% of the Internet is vulnerable to this, and that's a huge, huge percentage of the BIND servers, ... no reason why it won't skip to other Unix versions.

It wasn't just a bunch of paid consultants.

American corporations are being riddled by (computer) attacks ? they are being defended very badly.

This illustrates that even technologically savvy people have a hard time fighting off denial of service attacks.

The bottom line is that security has been set back nearly six years in the past 18 months. Six years ago, attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching.

It would have been terrible (without the widespread patching). That got a lot of systems fixed.