CIOs mull cyberalarm net

The federal CIO Council has begun to develop plans for a network that will quickly alert agencies to software virus warnings and cyber-attacks. The security groups that issue the warnings would also know when agencies have received the information.

The CIO Security Network could disseminate information about viruses or cyberattacks to each agency as soon as attacks are identified, said John Gilligan, co-chairman of the council's Security Committee and CIO at the Energy Department. Via an intranet or wireless system, the network would also provide CIOs and possibly agencies' top information security professionals the ability to securely share information about cyberattacks and other security issues, and download solutions or patches.

"We in the federal government are not structured properly to deal with the issues critical-infrastructure protection is posing for us," Gilligan said.

The impetus for the council's initiative started last year after the "Melissa" virus hit almost every agency running Microsoft Corp.'s Exchange e-mail server. The virus was an e-mail attachment that, when opened in Outlook, lowered the security settings on Microsoft Word 97 and Word 2000 and propagated itself by accessing the PC user's e-mail address book and forwarding itself to other users.

The White House set up a conference call with about 40 federal CIOs to figure out how to better handle news about viruses and cyberattacks. Since then, as demonstrated by the "ILOVEYOU" virus, or "love bug," this month, the problem of communication among agencies has become even more critical (see related story).

The love bug highlighted the challenge of informing the right IT personnel in agencies about the virus in a timely manner. The council wants to make sure that virus and cyberattack alerts put out by the National Infrastructure Protection Center, the Federal Computer Incident Response Capability (FedCIRC) and the Defense Department's Joint Task Force for Computer Network Defense (JTF-CND) get to the right people quickly enough so that they have time to react.

When the love bug hit May 4, many agencies were affected hours before the NIPC, FedCIRC and the JTF-CND issued their alerts. Many agencies never received the alerts because they had shut down their e-mail servers to get a handle on the virus. FedCIRC had to resort to sending faxes.

"It's a matter of how to get positive confirmation that people got the alerts," said a council staffer. "How do you disseminate information at a high level when e-mail is not an option?"

The network would be helpful for agencies and the incident response organizations, said Darwyn Banks, program manager for the Federal Intrusion Detection Network and a member of FedCIRC.

Banks said the agencies hit hardest by the love bug had taken down their e-mail systems to block the virus from entering their systems, "so we couldn't send them the e-mail alerts."

"We had a backup in place — fax machines and phones — but [the alert] ends up sitting on the CIO's fax machine, and the person who really needs the alert doesn't get it," he said.

The CIO Council plans to work closely with FedCIRC and the other security organizations to enhance their offerings instead of replacing them, Gilligan said. One suggestion is to set up a virtual private network for all CIOs and their chosen security personnel.

Also, commercially available solutions would allow a central office to send out messages to designated people by phone, fax, e-mail and pager, and then continue sending the messages until the receiver confirms that the message has been received, the CIO Council staff member said.

"Something like that would be invaluable to use because it puts the emphasis on the agencies to get the information to the right people," Banks said. "Having the CIO Council step up and say, 'Hey, folks, make sure you give [FedCIRC] the right numbers so the alerts get out to the people who need them, when they need them' is obviously helpful."
