'Melissa' a sign of problems to come, panelists told

The government's encounter with the widespread "Melissa" macro virus late last month should serve as a warning to agencies without adequate system security practices in place, government officials told a House subcommittee last week.

Melissa is a "symptom of broader information security concerns across government," said Keith Rhodes, technical director for computers and telecommunications in the General Accounting Office's Accounting and Information Management Division, testifying last week before the House Science Committee's Technology Subcommittee.

In January, GAO again designated information security as a governmentwide high-risk management concern. Among the security weaknesses GAO and agency inspectors general have identified are the inability to detect, protect against and recover from viruses such as Melissa.

Although agencies managed to contain Melissa, it is likely that the next virus will do more damage, Rhodes said. Therefore, the government must put in place "long-term solutions to protect systems and sensitive data," he told the subcommittee.

"It is also critical that the federal government establish reporting mechanisms that facilitate analyses of viruses and other forms of computer attacks and their impact," Rhodes said.

Raymond Kammer, director of the National Institute of Standards and Technology, said it is important to keep in mind that Melissa presents only one type of threat to agency systems. He said agencies should "maintain a proper perspective" in developing security products and policies and should not focus only on "the problem of the moment."

One of the most important aspects of information security, Kammer said, "is a need for greater awareness and aggressive implementation of effective" security practices and policies. NIST has several initiatives under way to promote better security practices, including a certification program that validates commercial security products for use by government agencies, he said.

Cooperation Key to Containment

Cooperation and communication between government and private organizations also is essential if the damage posed by threats like Melissa on the national information infrastructure are to be contained, said Michael Vatis, director of the FBI's National Infrastructure Protection Center. "Information sharing," he said, "is an effective means to countering malicious viruses on the Internet."

This cooperation, however, is not consistent, Rhodes said. Governmentwide, "there is still a tremendous amount of cooperation needed," he said.

"In facing the challenges of Melissa, one thing has become clear: Our federal systems are not adequately protected," said Rep. Constance Morella (R-Md.), the Technology Subcommittee's chairwoman. "Melissa serves agencies and organizations with a much-needed wake-up call as to how easily something like this can cripple their operations."

The lack of adequate information security in the public and private sectors "has the potential to dwarf the millennium bug," she said. "Many people today still think that computer security is owning a backup disk drive."

Long-term solutions to the problems presented by Melissa will "require fundamental changes to the way technology is developed, packaged and used," said Richard Pethia, director of the Survivable Systems Initiative and the Computer Emergency Response Team Coordination Center at Carnegie Mellon University's Software Engineering Institute. "It is critical that systems operators and product developers recognize that their systems and products are now operating in hostile environments. If the only defense we have is reacting, we will always be at risk for some damage."