'Melissa' tests DOD procedures

When the fast-spreading Melissa virus began wreaking havoc on computer systems across the country last month, the Defense Department relied on what may become the model for designing an integrated, enterprisewide approach to information security.

To battle Melissa, DOD put into motion a clearly defined process for alerting commands at every level, blanketing the department with warnings and information on how to defeat the malicious code before it could do serious damage. Then, similar to the strategy outlined by former Gen. Colin Powell for defeating the Iraqi army during Operation Desert Storm, DOD cut the virus off and killed it.

The Melissa macro virus, which affects computers running Microsoft Corp.'s Word 97, Word 2000 and Outlook, swarmed across the Internet in late March, infecting mail servers across government agencies and throughout the public sector (see "How It Works").

Calls about a potentially dangerous virus began trickling in to the computer security hot line run by the Defense Information Systems Agency's Joint Task Force for Computer Network Defense during the early evening of March 26.

Soon, the Computer Emergency Response Team, the technical arm of the JTF-CND, contacted the federally funded Computer Emergency Response Team Coordination Center, based at Carnegie Mellon University, where they were informed that, indeed, a virus had been detected and was quickly becoming a nationwide problem.

Melissa reared its ugly head at the worst possible time for DOD, infecting e-mail systems and threatening to cause the inadvertent release of sensitive or classified information as DOD was managing nearly simultaneous military operations in the Balkans and Iraq. Although no classified information was compromised, Melissa interrupted most of DOD's administrative e-mail communications.

"Viruses are a persistent problem," said Marine Capt. Mike Neumann, a spokesman for the Marine Corps, where Melissa forced the temporary shutdown of base-to-base e-mail communications. "However, we have the processes in place to effectively deal with them."

The establishment of the JTF-CND in December and last year's designation of information operations as a core competency for the Air Force helped position DOD for Melissa's onslaught.

"For the first time, we were organized to be proactive rather than reactive," a spokesperson for the JTF-CND said. "This is why a JTF was developed - to ensure that we worked and coordinated together as a unit and not just as individual services. Overall, it was a successful joint team effort."

By late evening on March 26, the JTF-CND had taken responsibility as the lead DOD agency for coordinating a response to Melissa. The task force began contacting officials at Symantec Corp. and McAfee Associates Inc., developers of the Norton AntiVirus Solution and Total Virus Defense, respectively.

By 7 a.m. March 27, all the military services had bulletins posted on their World Wide Web sites and had log-in banners to alert users to the virus. In addition, information was made available about the antivirus software programs and what to do if users received an infected file.

By the afternoon of March 27, the JTF-CND sent the first official DOD "immediate" message dealing with a computer security issue to the four services, the commanders in chief and all DOD agencies. Immediate messages must go from sender to recipient within 30 minutes and take precedence over routine messages that may be waiting to be sent.

This designation helped ensure that all recipients received the information as soon as possible and before the bulk of the user community was able to log on to their networks, the JTF-CND spokesperson said.The JTF-CND is conducting an after-action review to determine which processes worked well and which need improvement, but, overall, the mission was a resounding success, the JTF-CND spokesperson said. "The process worked very well, and we are pleased with our ability to get in front of this situation quickly," the spokesperson said.

However, Winn Schwartau, president of security consulting company Interpact Inc. and a writer on information warfare, said the Melissa virus "represents a new class of malicious software" that DOD and industry will have to deal with again in the future and that requires a renewed focus on security policy. "It's a macro virus that ultimately is a denial-of-service attack that isn't coming from the source; [rather] it's coming from the victims," Schwartau said. "We're going to see a lot of extrapolations and derivations of this" that will require DOD to focus more heavily on policy issues, such as whether e-mail attachments will be allowed to pass through the firewall, he said. "Unless a firewall policy is in place, things are going to get through."

***

How it works

* The Melissa macro virus affects computers running Microsoft Corp.'s Word 97 or Word 2000 and Outlook.

* Melissa spreads very quickly because it is carried via e-mail as a Word file attachment.

* Once a user opens the attachment, the virus will use Outlook to send itself to the first 50 names in the recipient's Outlook address book, overloading and potentially crashing e-mail servers.

* Melissa also lowers the security settings on Word 97 and Word 2000, and in certain situations, confidential documents can be unknowingly leaked.