'Love bug' uncovers gaps in fed security

Many agencies have improved their ability to identify and contain computer viruses, but a breakdown in communications across government continues to hamper security efforts, according to a recent report.

Had the federal government done a better job of coordinating its response to the recent "love bug" virus, agencies would have done an even better job of minimizing the damage, according to the General Accounting Office, which studied the response of 20 federal agencies and the government's central security organizations.

The GAO found fundamental problems in the government's response to the e-mail-borne "love bug" virus, said Jack Brock, director of governmentwide and defense information systems at GAO.

A central concern is that the government's designated cybersecurity groups did not coordinate their efforts to effectively alert agencies to the virus. The fact that the National Infrastructure Protection Center, the Federal Computer Incident Response Capability and the Defense Department's Joint Task Force for Computer Network Defense did not have any set way to confirm reports of a virus meant that most agencies got the official warning hours too late, Brock said.

"Agencies did not receive adequate warning," Brock told Sen. Robert Bennett's (R-Utah) Senate Banking Subcommittee on Financial Institutions.

Agencies did not always help their cause either. In one case, the Customs Service, part of the Treasury Department, received an Air Force Computer Emergency Response Team (AFCERT) advisory early in the morning and was able to stop the virus from severely affecting its systems. But Customs did not share the alert with any of the other Treasury bureaus, according to GAO.

So although most agencies were able to minimize the damage, the love bug incident shows that government systems are not truly secure, Brock said. "The federal government as a whole needs to do a whole lot better," he said. "There's a lot of room for improvement here."

The virus also brought several other problems to the surface. GAO found that the Commerce Department had to delay cleanup and containment efforts because the technical support staff had not yet arrived at work when users started reporting the virus. NASA and the Justice Department also had trouble passing warnings between offices when e-mail went down because the backup communications systems had not been fully tested.

But other agencies could not handle the sheer number of infected e-mails they received. Some, such as the Department of Health and Human Services, were so severely affected that agency officials feared they would not be able to perform critical functions because all resources were tied up dealing with the virus.

This situation could possibly cause more problems in the future. Viruses have been getting more harmful each time they are released on the public and the government. The love bug virus was a relatively unsophisticated one, launching only if users opened the e-mail attachment. Some viruses are more dangerous, launching themselves the moment an e-mail is opened.

"The ILOVEYOU virus demonstrates several weaknesses in our government's ability to detect and respond to fast-moving cyber events in a coordinated and efficient manner," Bennett said. "I think perhaps today we may be laying the foundation for a series of hearings about the coordination of critical infrastructure responsibility."

Still, the news is not all bad, according to GAO. Some agencies, such as the Federal Emergency Management Agency, reported success in blocking virus-infected e-mails by restricting the packet size allowed through its firewalls until it could download the antivirus vendors' patches. Other agencies found they had done a good enough job educating employees that most did not open the suspicious-looking e-mail attachments.

"We are having problems, but we are making progress," said John Hamre, president and chief executive officer of the Center for Strategic and International Studies and former deputy secretary of Defense. "It isn't just a grim picture all around."