Cybersentries assailed again
- By Diane Frank
- May 19, 2000
Although agencies largely contained the "love bug" virus this month, a lack
of coordination among the federal organizations in charge of responding
to cyberattacks led to delay and damage, the General Accounting Office told
The findings come as several members of Congress put together a formal
request to GAO to look into the resources and capabilities of federal incident
In contrast to last year's "Melissa" virus, most agencies had basic
procedures in place to minimize the effect of an e-mail-borne virus. However,
the effects of the "love bug" were exacerbated because alerts were not issued
until hours after the virus had spread, according to Jack Brock, director
of GAO's Governmentwide and Defense Information Systems Division.
"Agencies did not receive adequate warning," Brock said in testimony
before the Senate Banking Committee's Financial Institutions Subcommittee.
A GAO review conducted over the past two weeks shows that the National
Infrastructure Protection Center, the Federal Computer Incident Response
Capability and the Defense Department's Joint Task Force for Computer Network
Defense did not send out sufficient warnings and information about the virus
until well after the damage had been done.
The first official warnings to agencies did not commence until 8 a.m.
EST, even though the first indications of the virus' potential for disruption
appeared by 3 p.m. in Asia and 9 a.m. in Western Europe. (See timeline.)
The late response resulted primarily from of lack of coordination between
the NIPC, FedCIRC and JTF-CND, Brock said. The NIPC first received warnings
from the private sector at 5:45 a.m. but did not inform FedCIRC to send
out warnings at that time because NIPC could not get confirmation of the
virus' harmful potential from law enforcement and DOD representatives until
two hours later.
"They did not want to release information until they had verified that
this was a threat," Brock said.
Only two of the 20 agencies surveyed by GAO said they got the first
warning about the virus from the NIPC and FedCIRC.
All of this evidence lends credence to the concerns of some members
of Congress who, according to Brock, are putting together a formal request
for GAO to look into the resources and capabilities of the NIPC to perform
its analysis and warning functions.