Despite fending off Melissa virus, U.S. systems still vulnerable

The wildly proliferating Melissa macro virus that the government battled late last month underscored the need for agencies to improve inadequate system security practices, according to testimony presented at a House subcommittee hearing today.

"In facing the challenges of Melissa, one thing has become clear: Our federal systems are not adequately protected," said Constance Morella (R-Md.), chairwoman of the Technology Subcommittee of the House Science Committee.

The lack of adequate information security in the public and private sectors "has the potential to dwarf the millennium bug," she said. "Many people today still think that computer security is owning a backup disk drive."

Keith Rhodes, technical director for computers and telecommunications in the General Accounting Office's Accounting and Information Management Division, said Melissa is a "symptom of broader information security concerns across government."

In January the GAO again designated information security as a governmentwide high-risk area. Some of the security weaknesses GAO has identified include the inability to detect, protect against and recover from viruses such as Melissa.

Although agencies managed to contain Melissa, it is likely that the next virus will do more damage, Rhodes said. Therefore, "it is imperative that federal agencies and the government as a whole swiftly implement long-term solutions to protect systems and sensitive data," he said in his testimony.

Long-term solutions to the problems presented by Melissa will "require fundamental changes to the way technology is developed, packaged and used," said Richard Pethia, director of the Survivable Systems Initiative and the Computer Engineering Response Team Coordination Center at Carnegie-Mellon University's Software Engineering Institute. "It is critical that systems operators and product developers recognize that their systems and products are now operating in hostile environments."