Agencies return Anna's serve

Bug swatted, but lack of coordination still plagues feds

FedCIRC

Although federal agencies escaped major harm last week when the latest e-mail virus zipped through the United States, they still have far to go in organizing the response to cyberattacks across the government.

As a whole, federal agencies seemed better prepared to react to the "Anna Kournikova" virus that started spreading through the United States the morning of Feb. 12 than they had been with the similar "ILOVEYOU" virus last May. That virus hit almost every federal agency, overloaded many e-mail servers and caused some to shut down for days.

With "Anna," named for the tennis player, the Federal Computer Incident Response Capability saw only a few agencies reporting infections. And those that were infected reacted quickly and killed the virus before it caused any disruptions, said David Jarrell, director of FedCIRC, the government's central organization for cyberattack response. "I think we had a much better response. We didn't have any reports of anyone getting overwhelmed by this," Jarrell said. "The government saw considerably less impact and was better prepared to handle it."

But although the impact was slight this time, agencies still lag in coordinating their anti-hacking efforts. A new policy issued late last year by the Office of Management and Budget and the federal CIO Council called for creating a single standard to coordinate cross-agency security by ensuring that FedCIRC be made aware of all incidents and actions.

But FedCIRC has seen a tepid response. "We have had a couple of reports, but not many," Jarrell said. "We can preach until we're blue in the face, but there is no way to make them report."

Almost every department and agency has signed an agreement with FedCIRC, providing points of contact and outlining how they will interact with the organization, according to a staff member on the CIO Council's Security, Privacy and Critical Infrastructure Committee. But there is no way to enforce those agreements, especially since the new administration has yet to name a deputy director for management at OMB, the staffer said.

Some of the agencies affected by the latest virus did submit reports to FedCIRC, including the Energy and Education departments.

Because Energy had measures in place to detect and block the virus, the headquarters were "barely affected. Four sites were affected in the field and six other sites saw it but blocked it before it got the machines," said Hope Williams, an Energy spokeswoman.

At Education, the CIO's office sent an alert out across the department and notified FedCIRC, but by the time those steps were taken, both knew of the virus' existence, said CIO Craig Luigart.

Other agencies, such as the Treasury Department, did not report to FedCIRC but warded off harm because "we did the stuff we were supposed to do," a department official said. In the wake of the love bug last year, Treasury implemented the security patch issued by Microsoft Corp., and as a result, nothing major happened, the official said.

Some agencies, including the National Archives and Records Administration and the State Department, saw no signs of the virus.

The new virus employed the same method as the love bug, attacking the Microsoft Outlook and Outlook Express e-mail applications. It is a VB Script attachment that, when executed, infects the system and then e-mails itself to every person in that user's address book.

The e-mail's subject reads "Here you have, ;0)" and the message reads "Hi: Check This!" The attachment is "Anna Kournikova.jpg.vbs."

However, the virus does not mutate as quickly or as often as the love bug did, and organizations now know what to look for, making it relatively easy to block, said Liam Yu, product manager in Network Associates Inc.'s Anti-Virus Emergency Response Team research lab.

"People are prepared not only to react, but they also know what to do," Yu said.

The Education Department credited the lack of major disruptions to a better-trained user base and improved monitoring procedures. The agency's operations team noticed the virus at about 9 a.m. and soon wrote customized VBS blocking scripts that prevented further infected e-mail messages from being delivered to agency in-boxes, Luigart said.

The U.S. Postal Service got through safely thanks to its three-level defense system to prevent virus infections, said the agency's virus expert, Wayne Grimes. Incoming e-mails are scanned at a firewall to turn away any with suspicious attachments. Opened files are scanned before being written to disks to ensure they do not contain viruses. And the subject lines and text of all incoming and outgoing e-mail messages are scanned for patterns that suggest a virus.

FCW staff contributed to this article.

MORE INFO

An OMB/CIO Council memo requires agencies to take three steps when an

externally generated security incident occurs:

1. Report incident to FedCIRC.

2. Make sure alerts and warnings from FedCIRC go to the appropriate

people at each agency.

3. Acknowledge to FedCIRC, when necessary, that those people received

the messages and detail the corrective actions taken. n

Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.