May 11, 2000
Experts: Feds need to coordinate response to digital viruses
By Drew Clark, National Journal's Technology Daily
Legislators from the House Science Technology Subcommittee sought explanations from government and software industry representatives to account for the failures of anti-virus software and other protections to stop the "ILOVEYOU" computer bug that one industry expert called the most destructive yet.
Harris Miller, president of the Information Technology Association of America, called for an information security czar to coordinate the federal government's response to digital viruses.
Keith Rhodes, director of the office of information technology assessment in the General Accounting Office, agreed to a more centralized federal response to network emergencies, but said the Commerce Department's National Institute of Standards and Technology should fulfill that role.
"If a plane crashes, you have both the FBI and the National Transportation Safety Board investigate," said Rhodes. "If NIST could start to take on the role of NTSB when government networks crash, that could give us a single point of contact."
During the "ILOVEYOU" incident, GSA's Federal Computer Incident Response Capability coordinated with the FBI's National Infrastructure Protection Center and computer response centers at the Defense Department and Carnegie Mellon University to provide guidance to federal agencies.
The panelists appeared flustered when Rep. Anthony Weiner, D-N.Y., harshly criticized anti-virus makers' failure to guard against the e-mail attack.
"It must be a pretty humiliating experience for McAfee when a virus that looks a lot like the Melissa virus caused an enormous amount of damage throughout the world," said Weiner. "You come before this committee once every three to four months and say, 'we were whipped again by [virus writers] who are getting younger and less educated every time.'"
Anti-virus makers defended their products and services. "You are right that this is very similar to Melissa, but you don't know about a virus until it is unleashed," replied Sandra England, senior vice president of McAfee, the anti-virus division of Network Associates. "That is the unfortunate position we are in as an industry, in a world where an 8-year-old can write" software.
"Computers are made to run programs and viruses are programs," said Peter Tippet, chief technology officer of ICSA.net, a Web-tracking service. Tippett said that the "ILOVEYOU" virus was "the most destructive and fastest propagating virus to date," and pegged the worldwide value of lost time and resources drained by the virus at $3 billion. England estimated the cost at $7 billion, or more than half of the $12 billion in damages from all 1999 viruses.
Tippett suggested making the writing of computer viruses a crime.
But Weiner's concern was echoed by Subcommittee Chairman Connie Morella, R-Md., and Rep. Gil Gutknecht, R-Minn.
"What I have heard today is really very frustrating," said Gutknecht. "The industry itself is going to have to do a better job of solving its problem. If it doesn't, then the heavy hand of government is going to have to step in."