One if by phone, two if by fax

Recognizing that e-mail is not the best tool for alerting agencies about

e-mail-borne viruses, the federal government is developing a system to send

out emergency security notices via phone and fax.

The federal government, along with the rest of the world, has experienced

a rash of e-mail viruses this year, including the "ILOVEYOU" virus in May

that affected thousands of systems at almost every agency when users opened

a Visual Basic script attachment.

When the love bug hit, many agencies shut down their e-mail servers

in an attempt to contain the virus. But the Federal Computer Incident Response

Capability, which resides at the General Services Administration and serves

as the civilian government's security alert center, typically relies on

e-mail to send its alerts to agencies.

Lacking that outlet, FedCIRC officials found themselves trying to get

in touch with agencies one at a time using a list of phone and fax number

contacts. During this time-consuming process, the virus continued to spread.

"Really, for the love bug, minutes made a difference," said John Gilligan,

co-chairman of the CIO Council's security committee.

The new phone/fax system, which will be completely automated, will be

able to handle up to 96 simultaneous lines and deliver 800 faxes each hour.

The system will work from a database of agency contact names, numbers

and addresses that have been organized into groups based on the types of

systems each contact uses. This determines the types of alerts and fixes

each user needs, and will make it easier for FedCIRC to target notifications

so that security administrators are not bombarded by alerts that do not

apply to their networks, said Dave Jarrell, program manager at FedCIRC.

The system will also recognize whether it is connecting to a fax or

phone line so it can send the appropriate message. And should it reach an

administrator's voice mail, the system will continue to try to contact that

user until the message is relayed to an actual person.

The impact of the love bug made it obvious that something had to change,

said Jean Boltz, assistant director of governmentwide and defense information

systems at the General Accounting Office.

After the virus, GAO and Congress criticized FedCIRC and other cyber-

incident warning organizations, such as the FBI's National Infrastructure

Protection Center and the Defense Department's Joint Task Force for Computer

Network Defense, for not having effective methods for sharing information

in a timely manner. The phone/fax system should be an improvement, but only

time will tell, Boltz said.

"It certainly sounds like it would provide them with greater capabilities

than they have currently...but there is no way to tell if it will help until

it has been tested," she said.

The hardest part of the equation is entirely out of FedCIRC's hands,

Jarrell said. FedCIRC will maintain the database of contact information,

but each agency is responsible for notifying the organization of changes

in personnel, phone and fax numbers, and e-mail addresses. Often, FedCIRC

does not find out about such changes until a virus alert does not get through

to a user. "Every time I send out a bulletin, I get 30 to 40 bounce-backs,"

he said.

One unresolved issue is funding, which has not yet been approved by

Congress. The system itself will cost less than $100,000, with about another

$150,000 needed annually for maintenance and staffing. Although there is

no way to tell when the next virus will attack, Jarrell said, the system

should be deployed as soon as possible. However, GSA will not be able to

move forward until the fiscal 2001 budget is approved, he said.

FedCIRC is also looking into getting a low-power AM radio frequency

so the organization can broadcast alerts to federal employees in the Washington,

D.C., area. One of the hardest things for security administrators to do

is inform all the users about a virus-laden e-mail that must not be opened.

The radio station would serve as an around-the-clock status check for

federal and private-sector employees to check every morning, Jarrell said.