One if by phone, two if by fax
- By Diane Frank
- Sep 04, 2000
Recognizing that e-mail is not the best tool for alerting agencies about
e-mail-borne viruses, the federal government is developing a system to send
out emergency security notices via phone and fax.
The federal government, along with the rest of the world, has experienced
a rash of e-mail viruses this year, including the "ILOVEYOU" virus in May
that affected thousands of systems at almost every agency when users opened
a Visual Basic script attachment.
When the love bug hit, many agencies shut down their e-mail servers
in an attempt to contain the virus. But the Federal Computer Incident Response
Capability, which resides at the General Services Administration and serves
as the civilian government's security alert center, typically relies on
e-mail to send its alerts to agencies.
Lacking that outlet, FedCIRC officials found themselves trying to get
in touch with agencies one at a time using a list of phone and fax number
contacts. During this time-consuming process, the virus continued to spread.
"Really, for the love bug, minutes made a difference," said John Gilligan,
co-chairman of the CIO Council's security committee.
The new phone/fax system, which will be completely automated, will be
able to handle up to 96 simultaneous lines and deliver 800 faxes each hour.
The system will work from a database of agency contact names, numbers
and addresses that have been organized into groups based on the types of
systems each contact uses. This determines the types of alerts and fixes
each user needs, and will make it easier for FedCIRC to target notifications
so that security administrators are not bombarded by alerts that do not
apply to their networks, said Dave Jarrell, program manager at FedCIRC.
The system will also recognize whether it is connecting to a fax or
phone line so it can send the appropriate message. And should it reach an
administrator's voice mail, the system will continue to try to contact that
user until the message is relayed to an actual person.
The impact of the love bug made it obvious that something had to change,
said Jean Boltz, assistant director of governmentwide and defense information
systems at the General Accounting Office.
After the virus, GAO and Congress criticized FedCIRC and other cyber-
incident warning organizations, such as the FBI's National Infrastructure
Protection Center and the Defense Department's Joint Task Force for Computer
Network Defense, for not having effective methods for sharing information
in a timely manner. The phone/fax system should be an improvement, but only
time will tell, Boltz said.
"It certainly sounds like it would provide them with greater capabilities
than they have currently...but there is no way to tell if it will help until
it has been tested," she said.
The hardest part of the equation is entirely out of FedCIRC's hands,
Jarrell said. FedCIRC will maintain the database of contact information,
but each agency is responsible for notifying the organization of changes
in personnel, phone and fax numbers, and e-mail addresses. Often, FedCIRC
does not find out about such changes until a virus alert does not get through
to a user. "Every time I send out a bulletin, I get 30 to 40 bounce-backs,"
One unresolved issue is funding, which has not yet been approved by
Congress. The system itself will cost less than $100,000, with about another
$150,000 needed annually for maintenance and staffing. Although there is
no way to tell when the next virus will attack, Jarrell said, the system
should be deployed as soon as possible. However, GSA will not be able to
move forward until the fiscal 2001 budget is approved, he said.
FedCIRC is also looking into getting a low-power AM radio frequency
so the organization can broadcast alerts to federal employees in the Washington,
D.C., area. One of the hardest things for security administrators to do
is inform all the users about a virus-laden e-mail that must not be opened.
The radio station would serve as an around-the-clock status check for
federal and private-sector employees to check every morning, Jarrell said.