'Love bug' uncovers gaps in fed security
- By Diane Frank
- May 29, 2000
Many agencies have improved their ability to identify and contain computer
viruses, but a breakdown in communications across government continues to
hamper security efforts, according to a recent report.
Had the federal government done a better job of coordinating their response
to the recent "love bug" virus, agencies would have done an even better
job at minimizing the damage, according to the General Accounting Office,
which studied the response of 20 federal agencies and the government's central
The GAO found fundamental problems in the government's response to the
e-mail-borne "love bug" virus, said Jack Brock, director of governmentwide
and defense information systems at GAO.
A central concern is that the government's designated cybersecurity
groups did not coordinate their efforts to effectively alert agencies to
the virus. The fact that the National Infrastructure Protection Center,
the Federal Computer Incident Response Capability and the Defense Department's
Joint Task Force for Computer Network Defense did not have any set way to
confirm reports of a virus meant that most agencies got the official warning
hours too late, Brock said.
"Agencies did not receive adequate warning," Brock told Sen. Robert
Bennett's (R-Utah) Senate Banking Subcommittee on Financial Institutions.
Agencies did not always help their cause either. In one case, the Customs
Service, part of the Treasury Department, received an Air Force Computer
Emergency Response Team (AFCERT) advisory early in the morning and were
able to stop the virus from severely affecting their systems. But Customs
did not share the alert with any of the other Treasury bureaus, according
So although most agencies were able to minimize the damage, the love
bug incident shows that government systems are not truly secure, Brock said.
"The federal government as a whole needs to do a whole lot better," he said.
"There's a lot of room for improvement here."
The virus also brought several other problems to the surface. GAO found
that the Commerce Department had to delay cleanup and containment efforts
because the technical support staff had not yet arrived at work when users
started reporting the virus. NASA and the Justice Department also had trouble
passing warnings between offices when e-mail went down because the backup
communications systems had not been fully tested.
But other agencies could not handle the sheer number of infected e-mails
they received. Some, such as the Department of Health and Human Services,
were so severely affected that agency officials feared they would not be
able to perform critical functions because all resources were tied up dealing
with the virus.
This situation could possibly cause more problems in the future. Viruses
have been getting more harmful each time they are released on the public
and the government. The love bug virus was a relatively unsophisticated
one, launching only if users opened the e-mail attachment. Some viruses
are more dangerous, launching themselves the moment an e-mail is opened.
"The ILOVEYOU virus demonstrates several weaknesses in our government's
ability to detect and respond to fast-moving cyber events in a coordinated
and efficient manner," Bennett said. "I think perhaps today we may be laying
the foundation for a series of hearings about the coordination of critical
Still, the news is not all bad, according to GAO. Some agencies, such
as the Federal Emergency Management Agency, reported success in blocking
virus-infected e-mails by restricting the packet size allowed through its
firewalls until it could download the antivirus vendors' patches. Other
agencies found they had done a good enough job educating employees that
most did not open the suspicious-looking e-mail attachments.
"We are having problems, but we are making progress," said John Hamre,
president and chief executive officer of the Center for Strategic and International
Studies and former deputy secretary of Defense. "It isn't just a grim picture