Security watch
Can the feds make software more secure?
At first, Robert was skeptical about the new Department of Homeland Security and its ability to deal with software security flaws. But so far, it looks like he was wrong.

By Robert Vamosi
Senior associate editor, CNET Reviews
(3/12/03)

We've seen some big changes in the government's computer security efforts recently. On February 28, President Bush dissolved the position of White House special adviser on cybersecurity. The very next day, several government computer security agencies, including the Justice Department's National Infrastructure Protection Center (NIPC), quietly shifted their allegiances to the new Department of Homeland Security (DHS).

Two weeks before all this, a critical security vulnerability appeared in Sendmail, the most popular mail-server application. The flaw affected between 50 and 70 percent of e-mail servers worldwide. Those who knew about the security hole rushed to install patches on critical infrastructure systems before the general public--and hackers--discovered it. Despite the behind-the-scenes bureaucratic chaos, the vulnerability news didn't leak out before the government's official announcement on March 3.

No one home at Homeland Security
What's amazing to me is that all of this coordination between private vendors and the government was done without any one individual in charge. Even more impressive, the group that now handles the government's response to cyberthreats--the Directorate for Information Analysis and Infrastructure Protection (IAIP), part of the Department of Homeland Security--did the job with considerably less staff than it's budgeted to have. (The group currently has something like 100 job openings.)

Apparently less is more, at least where Internet security and the U.S. government are concerned.

Last summer, I wrote a column stating that I thought the understaffed and underfunded DHS would be virtually useless for dealing with software vulnerabilities. But so far, I've been wrong. I'm surprised to say that the homeland security folks are doing pretty well. As long as private companies continue to play along, they should continue to do so.

What's changed since last summer? Several public figures in charge of computer security, none of whom were particularly effective, have left the government, including former NIPC director Ron Dick and his predecessor, Michael Vatis. They both generated a fair amount of criticism for either claiming credit for new vulnerabilities discovered by others or for paying too much attention to minor software flaws.

Richard Clarke, once the White House special adviser on cybersecurity, also stepped down. Chosen to create the National Strategy for the Protection of Cyberspace, Clarke often detracted from the process with his rants about an upcoming digital Pearl Harbor. Indeed, the final draft of the document signed by President Bush shows the effects of strong industry lobbying and contains few of Clarke's own suggestions.

Public/private cooperation
But despite losing key leaders, as well as several potential employees to the FBI's new Cyber Division, the Department of Homeland Security handled the Sendmail vulnerability quite well.

It all started on February 14, when computer security firm Internet Security Systems (ISS) discovered the flaw. Last year, ISS prematurely went public with a vulnerability in Apache that may have led to the release of the Slapper worm a few days later. This time, however, ISS deserves credit for approaching NIPC first, then working patiently with the government while the hundreds of employees were moved from the NIPC to the IAIP.

The government insisted on making patches available before announcing the Sendmail vulnerability. These efforts appeared to have worked--even within the government itself. Various branches of the U.S. government, including the Department of Defense and the newly created public/private Information Sharing and Analysis Centers (ISAC), had access to early versions of the Sendmail patch before the public knew about the problem.

Hacker exploits the flaw
It's a good thing they did: less than a day after the DHS publicly announced the Sendmail vulnerability, four Polish hackers released code that exploited the flaw. In essence, the flaw concerns the handling of header fields in SMTP e-mail transactions. A properly exploited buffer overflow could allow a hacker to gain root, or superuser, access to a Sendmail server. From there, a hacker could infiltrate servers deep inside corporate firewalls. More information about (and patches for) the Sendmail flaw can be found here.

Less than a day after the Sendmail flaw was announced, the DHS announced another, less serious flaw affecting the open-source intrusion-detection app Snort. Also discovered by ISS, this flaw was kept secret until patches were available--thanks again to coordination with DHS. For more about Snort and the patches for this vulnerability, go here.

While it's still too early to tell if all vulnerabilities will be dealt with as well as Sendmail's and Snort's, the IAIP is off to a surprisingly good start. The group seems to be addressing the concerns of both public and private institutions when it comes to vulnerability disclosure. As long as security companies such as ISS are willing to keep working with DHS, we all stand to benefit from this public/private cooperation.

Do you think the DHS will continue to gain the trust of security experts? Or will it prove to be yet another failure? TalkBack to me!


Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews. Have a question for him? Let him know!