Raymond G. Kammer
Director
National Institute of Standards and Technology
U.S. Department of Commerce

before the

House Science Subcommittee on Technology
April 15, 1999

Thank you Madam Chairwoman and members of the Subcommittee for inviting me here today to testify on the critical issue of computer security and, in particular, matters relating to computer virus protection and the Melissa computer virus. NIST's Information Technology (IT) Laboratory provides technical leadership for the nation's measurement and standards infrastructure for IT. One component of our IT Laboratory focuses exclusively on security issues. Today I'd like to give you a brief overview of NIST's computer security activities, including those focused on threats from malicious code such as the Melissa virus, and then share with you what we know about the specifics of the Melissa virus, its impact, and practices we recommend to guard against such threats.



Let me commend the Committee for focusing on the issue of computer security. As you recognized in calling today's hearing, security is a critical component necessary to meet the needs of both industry and government in achieving economic and social benefits from applications of IT, including the important area of electronic commerce. I will not dwell on threats to computer systems, other than to note that they are wide-ranging and increasing. They include such threats and risks as: sabotage, loss of infrastructure support, malicious hacking, industrial and state-sponsored espionage, human error, fraud, and viruses as well as other types of malicious code. Although the Melissa virus and others may be the subject of today's headlines, viruses are not inherently a greater threat to computer security than other threats. It is important that we maintain a proper perspective in developing computer security solutions and not target the problem-of-the-moment, to the exclusion of equal or greater threats. We believe our program at NIST takes such a balanced view.



NIST has several initiatives underway to strengthen the IT security infrastructure of the U.S. economy. An example of NIST's leadership in computer security is the Cryptographic Module Validation Program (CMVP), established in 1995, which validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-1 (Security Requirements for Cryptographic Modules) and other cryptography-based standards. The goal of the CMVP is to promote the use of validated products and provide Federal agencies with a security metric to use in procuring equipment containing cryptographic modules. The program validates a wide variety of modules, including public/private key encryption products, secure radios, tokens, and others.



Another successful effort is the Common Criteria (CC) for Information Technology Security Evaluation. The CC is the new standard for specifying and evaluating the security features of computer products and systems. CC has formed the basis for the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency to establish an IT product security evaluation program supported by a number of accredited, independent testing laboratories. The evaluation results will help consumers to determine whether the IT product or system is secure enough for their intended application and whether the security risks implicit in its use are tolerable.



NIST also enhances the critical infrastructure by providing tools, techniques and methods to make software more reliable and, thus, less prone to failures. NIST addresses software reliability by: 1) developing conformance tests which significantly improve the quality of implementations of publicly available standards and specifications; 2) developing diagnostic testing tools which allow programmers to "debug" their programs; and 3) working with formal methods to allow software developers to more accurately specify their software systems and automatically generate tests from formal specifications. All these programs, although not specifically targeted at viruses and malicious code, will improve the integrity and reliability of software and make the threat imposed by viruses a more manageable one.

NIST efforts in Next Generation Internet security technology are focused on technical areas that hold promise for the most significant, far-reaching improvements to the security and integrity of the Internet Protocol Suite (IPS). NIST is actively working with industry to design, develop, standardize and test new protocols that will make authentication, confidentiality, and integrity services inherent parts of all networks based on Internet protocols. One area that we have targeted is the research and development of Internet Protocol Security (IPsec) technology. If successful, IPsec has the potential of making security services part of the ubiquitous Internet infrastructure and thus transparently available to all Internet applications and users. NIST is also working to develop the technology to manage such basic security services on a global scale. Our work in the research, development and testing of key management systems and distributed certificate infrastructures will enable the automated configuration and use of security protocols.

The main focus of today's hearing is the recent outbreak of the Melissa virus. I'd like to share with you some background on the Melissa virus, its impact, and measures we can take to limit the damage from similar virus programs. The Melissa virus is a small program (also known as a "macro program") embedded in a Microsoft Word document. This document is included as an attachment to a somewhat innocuous-sounding email message ("Here's the file you requested..."). (The document itself contains a list of pornographic web sites, but this has nothing to do with the virus itself.) This program may be activated when the recipient opens the file using Microsoft Word 97 or Word 2000. If so activated -- and if the recipient also uses Microsoft Outlook for email -- the program will use Outlook's address book mechanisms to send copies of itself to as many as 50 other Internet users. The virus also disables the macro warning that Microsoft Word provides when opening a document with macros. This puts the victim at an even greater risk of macro virus infection in the future. Also, once your computer has been infected with the Melissa virus, all subsequent documents that you create or edit will be infected, and if any is sent to and opened by another computer user, the virus will have spread again.



The Melissa virus is considered a Denial of Service attack because it poses a threat to systems' availability due to the large potential volume of email that may overwhelm routers and servers. The Melissa virus also poses a threat to the confidentiality of information. Since documents are randomly emailed out, some may be those you wish to keep confidential. The virus was one of the fastest spreading viruses we have seen because of the user confidence created when an email is received from someone you trust, and the automated emailing from the user's address book. One organization of 500 employees reportedly experienced 32,000 email messages in 45 minutes due to the virus, essentially shutting down legitimate uses of email. Email systems at several large companies were also reported to have been overwhelmed and unavailable to users for up to a day. The impact across the federal government was varied, but in general, the virus was quickly contained and damage to Federal systems was minimized. Effective alerts from organizations such as DOE's Computer Incident and Advisory Capability (CIAC), Carnegie Mellon University's Computer Emergency Response Team Coordination Center (CERT), and the Federal Computer Incident Response Capability (FedCIRC) also helped to keep damage minimized. These response centers began receiving reports of the virus on Friday, March 26. By Monday, March 29, FedCIRC reported that over 200 organizations were affected. Virus detection software manufacturers were responsive in updating their software to detect and remove the virus although at times it was difficult to access their sites due to the high traffic from system administrators trying to download updates. By Wednesday, March 31, the virus was essentially contained.

NIST recommends that organizations should, as a matter of standard practice, employ virus protection measures on both their servers and on users' computers. Such measures require continual updates due to new viruses. Also, every organization should have -- in place and tested -- emergency procedures designed to identify major virus "attacks" and initiate appropriate measures to protect the other users on the organization's network, e.g., by temporarily isolating the infected machine or network.



It is worth noting that any user who had not disabled (or ignored) the macro virus warning that is the "out of the box" configuration of Microsoft Word, would not have activated the program and thus become a victim. This illustrates the importance of users who are informed, alert, and cautious regarding such potential security threats -- in other words, organizations should give high priority to user training and motivation, even while beefing up other technical protective measures. Although email filters are now being used to prevent infected email from entering an organization's network, minor changes in the email message or document that comprise the virus could slip through undetected. It is evident that such "mutated" versions of the Melissa virus had started to make the rounds.
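The two points above -- that the virus announces itself on the mail servers as a sudden burst of fan-out traffic, and that a content filter keyed to the exact message text can be slipped by a "mutated" copy -- suggest what an organization's emergency procedure can watch for instead. The following is an added example written for this page; it is not NIST's code or any vendor's product. It assumes a simplified mail-server log format (one message per line: ISO-8601 timestamp, sender, recipient, subject), constructs sample traffic inline, and uses assumed threshold values (20 distinct recipients per sender per minute). It flags a sender by fan-out alone, so the second burst, whose subject line differs, is caught the same way as the first.

```python
"""Mail-storm detection over constructed mail-server log lines.

Added example for this testimony; it is not NIST's code or any product's.  Log
format is assumed: '<ISO-8601 timestamp> <sender> <recipient> <subject>', one
message per line, in chronological order.  Thresholds are assumed policy values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window length (assumed)
FANOUT_LIMIT = 20               # distinct recipients per sender per window (assumed)


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, subject)."""
    ts, sender, rcpt, subject = line.rstrip("\n").split(" ", 3)
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject


def detect_mail_storms(lines, window=WINDOW, limit=FANOUT_LIMIT):
    """Return {sender: time_of_first_alert} for every sender that reached more
    than `limit` distinct recipients inside any `window`.

    The subject line is ignored on purpose: a self-mailing macro that changes
    its subject or attachment name still produces the same fan-out pattern,
    which is what this check keys on.
    """
    recent = defaultdict(deque)  # sender -> deque of (timestamp, recipient)
    alerts = {}
    for line in lines:
        ts, sender, rcpt, _subject = parse_line(line)
        q = recent[sender]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        if sender not in alerts and len({r for _, r in q}) > limit:
            alerts[sender] = ts
    return alerts


def peak_message_rate(lines, window=WINDOW):
    """Highest number of messages (all senders) seen inside any `window`.

    A jump well above the site's normal rate is the server-side symptom of a
    mail storm, independent of who is sending or what the messages say."""
    q = deque()
    peak = 0
    for line in lines:
        ts = parse_line(line)[0]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def build_sample_log():
    """Constructed sample traffic: an ordinary user, a slow newsletter, and two
    self-mailing bursts (one keeps the original subject, one changes it)."""
    base = datetime(1999, 3, 26, 10, 0, 0)
    lines = []
    for i in range(5):                       # ordinary user: 5 messages in 40 minutes
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} alice@example.org bob{i}@example.org Quarterly figures")
    for i in range(25):                      # newsletter: 25 recipients, one every 2.5 minutes
        t = base + timedelta(seconds=150 * i)
        lines.append(f"{t.isoformat()} news@example.org sub{i}@example.org Weekly bulletin")
    for i in range(30):                      # infected user: 30 recipients in 30 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} carol@example.org user{i}@example.org Here's the file you requested...")
    for i in range(30):                      # variant: different subject, same fan-out
        t = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{t.isoformat()} erin@example.org user{i}@example.org Re: the document")
    lines.sort()                             # fixed-width ISO timestamps sort chronologically
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for sender, when in detect_mail_storms(log).items():
        print(f"ALERT {when.isoformat()} {sender}: more than {FANOUT_LIMIT} recipients in one minute")
    print("peak messages per minute:", peak_message_rate(log))
```

On the constructed log, the ordinary user and the newsletter never trip the check, while both bursts are flagged at their 21st recipient, about twenty seconds into each burst; the newsletter shows why the window matters, since its 25 recipients are spread across an hour. The peak-rate figure is the number an operator would compare against the site's normal baseline to decide when to invoke the isolation procedures described above.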

At NIST our defense against virus attacks occurs at various levels and is continually being refined and upgraded. We know from experience that we must be even more vigilant. Our front line of defense is on the NIST firewall where virus detection and eradication is enabled for certain types of network traffic. We also protect our servers, especially central email servers, with various virus detection programs. We also have procured a site-license for a commercial anti-virus software package that NIST staff can install on their desktop PCs through an automated download and installation procedure. But the most important measure is education. Computer users must understand how viruses can enter their computers and the simple precautions users can implement for viewing and opening email attachments and other files on their computers. These techniques include using email viewers to preview documents and disabling macros when unknown documents are first opened. At NIST we were fortunate to have experienced limited exposure to the Melissa virus. (Thirty emails were detected to have the Melissa virus and rendered harmless.) In part, this is due to our limited use of the Microsoft Outlook email client but also our proactive measures in virus detection prevented the virus from spreading throughout our domain.



As I stated before, one of the most important aspects of information security is a need for greater awareness and aggressive implementation of effective IT security principles and practices. In 1998, NIST published an IT Bulletin advising users of information technology of five principles of risk management. These principles are: 1) Assess risk and determine needs; 2) Establish a central management focus; 3) Implement appropriate policies and related controls; 4) Promote awareness; and 5) Monitor and evaluate policy and control effectiveness. We also outlined 16 best practices to support these principles. Computer security must be taken more seriously throughout the United States, since the risks from various IT security threats will undoubtedly continue to increase for the foreseeable future.



The Internet is an inherently dangerous environment. Measures to strengthen security through increased user identification methods meet with great resistance from privacy advocates. There are three main components of an effective Internet security strategy. First is technology. We need to continue to develop standards and methods for developing higher software quality. We also need to continue to develop and improve the technologies available to detect security breaches and protect system resources. NIST is very active in these areas as I pointed out earlier in my testimony. Second, we must establish and implement effective security and administration practices. NIST is also active in developing and distributing information on recommended security practices, but it is ultimately up to the local resources in any organization to commit to and implement an effective plan. Third, we must continue to develop laws appropriate to IT security and enforce them diligently.



Internet security is everyone's business. Risks abound at all levels of usage from routine computer usage of office applications, to the increasingly popular implementations of Linux with its many inherent security risks, to financial systems and basic social infrastructure systems such as electric power and telecommunications. We must keep in mind that while viruses are threats to security, they are by no means the only ones. NIST, along with other government agencies and private industry, must continue to aggressively pursue a comprehensive program of research, measurements and standards to assure a highly secure information infrastructure in support of our country's ever increasing reliance on computers and network technologies.



I want to thank you again for the opportunity to speak before the Subcommittee on NIST's computer security activities and the recent virus concerns. We at NIST look forward to working with your committee and others in the Congress on this important issue.