WASHINGTON (05/12/2000) - Shortly after the Melissa virus struck a year ago, Keith Rhodes, who heads the U.S. General Accounting Office's information technology division, warned Congress that the next virus would be faster and do more damage. He was right.
But Rhodes didn't gloat when he appeared last week before the U.S. House Subcommittee on Technology in the wake of "The Love Bug." Instead, he renewed his criticism that the government isn't responding quickly enough to computer threats.
"Like Melissa more than a year ago, little information was available early enough for agencies to take proactive steps to mitigate the damage," said Rhodes. The FBI's National Infrastructure Protection Center didn't issue a notice about the virus until 11 a.m. on May 4, well after the virus had done much of its damage, he said.
Although some federal agencies appeared to respond quickly to the problem, the virus did cause damage. Most notably, the U.S. Department of Defense said some of its classified systems were infected.
At the U.S. Department of Commerce, other than some interruptions of e-mail service, the virus affected only 500 of 40,000 end users in varying degrees, said CIO Roger Baker. "It didn't bring us down," he said.
"The human systems reacted pretty well to this one. People saw it early, reacted to it early and took some fairly substantial actions to keep it from spreading," said Baker. Those actions included cutting off attachments from e-mail.
The U.S. Department of Veterans Affairs was "pretty widely hit" by the virus, which forced a shutdown of e-mail systems, said one IT worker. But turning off the e-mail system Thursday also cut off the chief means for warning employees about the danger.
"We learned some lessons in our incident response. One is you can't always rely on e-mail to communicate with people," the IT worker said. Telephones and fax machines were used as backup methods to contact employees.
"The Love Bug's" legacy will last long after it has been deleted from most systems. It has spurred renewed calls for tougher computer crime legislation and for someone in government to oversee information security.
The government needs a single "cyberczar," said Harris N. Miller, president of the Information Technology Association of America in Arlington, Virginia. This individual could play a role similar to the one former federal Y2k chief John Koskinen had in organizing a government response to the year 2000 problem, Miller said. The government needs someone who has "the authority and the ear of the president and can coordinate responses across government agencies," he added.
In Congress, a bill introduced by U.S. Sens. Charles Schumer (Democrat-New York) and Orrin Hatch (Republican-Utah) just a few weeks before the virus struck would make it illegal to forge or alter a header to avoid identifying the sender. The bill also includes provisions intended to improve the ability of federal, state and local agencies to prosecute computer criminals.
But Mark Gembecki, president of information security firm WarRoom Research Inc. in Linthicum, Maryland, said new laws won't help unless companies, despite being fearful of exposing their security problems, are willing to seek law enforcement help.
"If you can't even address that, why are you bothering to pass another law?
You're adding one more thing out there that is not going to be enforced," said Gembecki.