Critical Infrastructure Protection: 'ILOVEYOU' Computer Virus Highlights Need for Improved Alert and Coordination Capabilities

T-AIMD-00-181 May 18, 2000
Full Report (PDF, 12 pages)  

Summary

The "ILOVEYOU" computer virus is the latest in a series of events on the Internet that have seriously disrupted computer operations in both government and private industry. Although the federal government is working to implement mechanisms to help agencies ward off such an attack, it was not effective at detecting the virus early on and warning agencies about the threat. Consequently, most agencies were affected. Some incurred damage to systems and files, and many others spent countless staff hours fending off the attack and reestablishing e-mail service. Overall, however, once they learned of the virus, agencies responded promptly and appropriately. In addition to discussing the virus, this testimony addresses its impact on federal agencies as well as measures that can be taken to mitigate the effects of future attacks, which promise to be increasingly sophisticated and damaging and harder to detect.

GAO noted that: (1) ILOVEYOU is both a virus and a worm; (2) worms propagate themselves through networks, and viruses destroy files and replicate themselves by manipulating files; (3) the damage resulting from this hybrid is limited to users of the Microsoft Windows operating system; (4) ILOVEYOU typically comes in the form of an electronic mail (e-mail) message from someone the recipient knows; (5) when opened and allowed to run, the virus attempts to send copies of itself to all entries in all of the recipient's address books; (6) soon after initial reports of the virus surfaced in Asia, the virus proliferated rapidly throughout the rest of the world; (7) recognizing the increasing computer-based risks to the nation's critical infrastructures, the federal government has taken steps over the past several years to create capabilities for effectively detecting, analyzing, and responding to cyber-based attacks; (8) however, the events and responses spawned by ILOVEYOU demonstrate both the challenge of providing timely warnings against information-based threats and the increasing need for the development of national warning capabilities; (9) the National Infrastructure Protection Center (NIPC) is responsible for serving as the focal point in the federal government for gathering information on threats as well as facilitating and coordinating the federal government's response to incidents impacting key infrastructures; (10) once an imminent threat is identified, appropriate warnings and response actions must be effectively coordinated among federal agencies, the private sector, state and local governments, and other nations; (11) NIPC has had some success in providing early warnings on threats, but had less success with the ILOVEYOU virus; (12) for over 2 hours after NIPC first learned of the virus, it checked other sources in attempts to verify the initial information, with limited success; (13) NIPC did not issue an alert about ILOVEYOU on its own web page until hours after federal agencies were reportedly hit; (14) agencies themselves responded promptly and appropriately once they learned about the virus; (15) GAO found that the few federal components that either discovered or were alerted to the virus early did not effectively warn others; (16) to prevent future virus attacks, agencies can teach computer users that e-mail attachments are not always what they seem and that they should be careful when opening them; and (17) agencies can ensure that up-to-date virus detection software has been installed on their systems.