- The Washington Times - Friday, May 19, 2000

The government's investigative arm criticized the FBI's computer security team for waiting too long before warning government agencies of the devastating "love bug" virus on May 4.

The FBI's National Infrastructure Protection Center didn't begin notification until 7:45 a.m., two hours after learning about the problem, General Accounting Office (GAO) Director of Government and Defense Information Systems Jack L. Brock Jr. told the Senate Banking financial institutions subcommittee Thursday.

"It was too late and many agencies had already been affected," Mr. Brock said. "The [FBI computer security team] has had some success in providing early warning about impending threats … however, they had less success with the 'ILOVEYOU' virus."

Michael Vatis, director of the National Infrastructure Protection Center, declined to respond to the GAO report. The center is the government's information clearinghouse on computer threats and serves as the coordinator in response to cyber-attacks.

Philippine investigators Thursday questioned at least seven former members of a group of computer students linked to the virus. It is uncertain whether charges will be filed against suspects because the country has no law against cyber-attacks.

The GAO report noted initial estimates of damage from the virus range from $100 million to $10 billion globally.

The agency's investigation revealed that the National Infrastructure Protection Center found out about the e-mail virus at 5:45 a.m. on May 4.

It worked for the next two hours to confirm its initial information about the virus. That's because information about it came from a private group, possibly a consortium formed by U.S. banks called the Financial Services Information Sharing and Analysis Center, and it had no federal government intelligence reports about the virus.

"It's interesting that the first information about the virus came from the private sector and the bureaucracy didn't get it to the agencies for two hours. It demonstrates that the machinery is in place, but it didn't work the way it's supposed to," said Sen. Robert F. Bennett, Utah Republican and the subcommittee's chairman.

The National Infrastructure Protection Center also failed to post an alert about the e-mail virus on its Web site until 11 a.m. or provide guidance on dealing with it until it posted information on its Web site at 10 p.m., according to the GAO report.

That hampered the government's ability to defend agencies from the virus.

Lack of early warning prevented agencies from shutting down e-mail servers, and 13 agencies including the Veterans Health Administration, the Department of Labor and the Social Security Administration suffered widespread infection, Mr. Brock said.

Just two of 20 agencies surveyed by the GAO said they learned about the virus as a result of the warning system put in motion by the center.

Twelve agencies discovered it through their own employees, three found out from technology contractors, two discovered it through news reports and one agency discovered the virus when employees were in contact with colleagues in Europe.

The Veterans Health Administration was among the most damaged by the virus, receiving 7 million e-mail messages. The Department of Health and Human Services received 3 million e-mail messages.

The virus is released when attachments are opened on computers using Microsoft Outlook, a software program that runs e-mail. Once the virus infects a computer, it can destroy files on a user's hard drive and on networks to which the user is connected. The virus also sends copies of itself to all e-mail addresses listed in users' e-mail address books and erases the contents of music and photo files.

At least 1,000 files at the National Aeronautics and Space Administration were damaged by the virus, and the Social Security Administration was unable to remove the virus from its computer system for five days.

Mr. Brock said poor computer security on systems at many agencies makes the federal government susceptible to more cyber-attacks.

James Adams, chief executive officer at Alexandria, Va.-based technology security company Infrastructure Defense Inc., told the panel the federal government's approach to protecting itself from computer threats should be improved.

"Following closely last February's distributed denial-of-service attacks, the love letter virus is a clear sign that our current approach to dealing with the growing cyber-threat is simply inadequate," Mr. Adams said.

Officials recommended quicker sharing of information to better defend against future cyber-attacks.

Despite problems for the federal government, the virus caused few problems in the financial-services sector, Federal Reserve and Treasury Department officials told the panel.

The FBI's National Infrastructure Protection Center was started in February 1998 to detect and deter attacks on computer systems.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide