CIOs mull cyberalarm net
- By Diane Frank
- May 29, 2000
The federal CIO Council has begun to develop plans for a network that will
quickly alert agencies to software virus warnings and cyber-attacks. The
security groups that issue the warnings would also know when agencies have
received the information.
The CIO Security Network could disseminate information about viruses
or cyberattacks to each agency as soon as attacks are identified, said John
Gilligan, co-chairman of the council's Security Committee and CIO at the
Energy Department. Via an intranet or wireless system, the network would
also provide CIOs and possibly agencies' top information security professionals
the ability to securely share information about cyberattacks and other security
issues, and download solutions or patches.
"We in the federal government are not structured properly to deal with
the issues critical-infrastructure protection is posing for us," Gilligan
The impetus for the council's initiative started last year after the
"Melissa" virus hit almost every agency running Microsoft Corp.'s Exchange
e-mail server. The virus was an e-mail attachment that, when opened in Outlook,
lowered the security settings on Microsoft Word 97 and Word 2000 and propagated
itself by accessing the PC user's e-mail address book and forwarding itself
to other users.
The White House set up a conference call with about 40 federal CIOs
to figure out how to better handle news about viruses and cyberattacks.
Since then, as demonstrated by the "ILOVEYOU" virus, or "love bug," this
month, the problem of communication among agencies has become even more
critical.
The love bug highlighted the challenge of informing the right IT personnel
in agencies about the virus in a timely manner. The council wants to make
sure that virus and cyberattack alerts put out by the National Infrastructure
Protection Center, the Federal Computer Incident Response Capability (FedCIRC)
and the Defense Department's Joint Task Force for Computer Network Defense
(JTF-CND) get to the right people quickly enough so that they have time
When the love bug hit May 4, many agencies were affected hours before
the NIPC, FedCIRC and the JTF-CND issued their alerts. Many agencies never
received the alerts because they had shut down their e-mail servers to get
a handle on the virus. FedCIRC had to resort to sending faxes.
"It's a matter of how to get positive confirmation that people got the
alerts," said a council staffer. "How do you disseminate information at
a high level when e-mail is not an option?"
The network would be helpful for agencies and the incident response
organizations, said Darwyn Banks, program manager for the Federal Intrusion
Detection Network and a member of FedCIRC.
Banks said the agencies hit hardest by the love bug had taken down their
e-mail systems to block the virus from entering their systems, "so we couldn't
send them the e-mail alerts."
"We had a backup in place, fax machines and phones, but [the alert]
ends up sitting on the CIO's fax machine, and the person who really needs
the alert doesn't get it," he said.
The CIO Council plans to work closely with FedCIRC and the other security
organizations to enhance their offerings instead of replacing them, Gilligan
said. One suggestion is to set up a virtual private network for all CIOs
and their chosen security personnel.
Also, commercially available solutions would allow a central office
to send out messages to designated people by phone, fax, e-mail and pager,
and then continue sending the messages until the receiver confirms that
the message has been received, the CIO Council staff member said.
"Something like that would be invaluable to use because it puts the
emphasis on the agencies to get the information to the right people," Banks
said. "Having the CIO Council step up and say, 'Hey, folks, make sure you
give [FedCIRC] the right numbers so the alerts get out to the people who
need them, when they need them' is obviously helpful."