Information Security: 'ILOVEYOU' Computer Virus Emphasizes Critical Need for Agency and Governmentwide Improvements

T-AIMD-00-171 May 10, 2000
Full Report (PDF, 12 pages)  

Summary

The "ILOVEYOU" computer virus is the latest in a series of events on the Internet that have seriously disrupted computer operations in both government and private industry. Although the federal government is working to implement mechanisms to help agencies ward off such an attack, it was not effective at detecting the virus early on and warning agencies about the threat. Consequently, most agencies were affected. Some incurred damage to systems and files, and many others spent countless staff hours fending off the attack and reestablishing e-mail service. Overall, however, once they learned of the virus, agencies responded promptly and appropriately. In addition to discussing the virus, this testimony addresses its impact on federal agencies as well as measures that can be taken to mitigate the effects of future attacks, which promise to be increasingly sophisticated and damaging and harder to detect.

GAO noted that:

(1) ILOVEYOU is both a virus and a worm;
(2) the damage resulting from this particular hybrid is limited to users of the Microsoft Windows operating system;
(3) ILOVEYOU typically comes in the form of an electronic mail (e-mail) message from someone the recipient knows;
(4) as long as recipients do not run the attached file, their systems will not be affected and they need only to delete the e-mail and its attachment;
(5) if opened, ILOVEYOU can spread and infect systems by sending itself to everyone in the recipient's address book;
(6) there are areas of management and general control that are integral to improving problems in information security;
(7) most agencies do not develop security plans for major systems based on risk, have not formally documented security policies, and have not implemented programs for testing and evaluating the effectiveness of controls they rely on;
(8) these are fundamental activities that allow an organization to manage its information security risks cost-effectively rather than by reacting to individual problems ad hoc;
(9) agencies often lack effective access controls to their computer resources and, as a result, are unable to protect these assets against unauthorized modification, loss, and disclosure;
(10) these controls would normally include physical protections such as gates and guards and logical controls, which are controls built into software that: (a) require users to authenticate themselves through passwords or other identifiers; and (b) limit the files and other resources that an authenticated user can access and the actions that he or she can take;
(11) testing procedures are undisciplined and do not ensure that implemented software operates as intended, and access to software program libraries is inadequately controlled;
(12) GAO found that computer programmers and operators are authorized to perform a wide variety of duties;
(13) this, in turn, provides them with the ability to independently modify, circumvent, and disable system security features;
(14) GAO's reviews frequently identify systems with insufficiently restricted access to the powerful programs and sensitive files associated with the computer system's operation;
(15) such free access makes it possible for knowledgeable individuals to disable or circumvent controls;
(16) service continuity controls are incomplete and often not fully tested for ensuring that critical operations can continue when unexpected events occur; and
(17) agencies can act immediately to address computer weaknesses and reduce their vulnerability to computer attacks.
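Points (4) and (5) describe the two behaviours a mail gateway can act on: the attachment only does harm if it is run, and an infected system mails itself to everyone in the victim's address book. The following Python is an added illustration, not part of the GAO testimony; the blocked-extension list, the fan-out threshold, the five-minute window, and the log records (including the double-extension attachment name) are all constructed assumptions.

```python
"""Gateway-side checks for the two ILOVEYOU behaviours the testimony describes:
quarantine script attachments before a user can run them, and flag a sender
whose identical message fans out to many recipients (address-book propagation).
Added example with constructed data; policy values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Attachment types the gateway quarantines instead of delivering (assumed policy list).
SCRIPT_EXTENSIONS = {".vbs", ".js", ".wsh", ".exe", ".scr", ".bat"}


def is_blocked_attachment(filename):
    """True if the attachment's real (final) extension is a script or executable,
    even when an inner extension such as .TXT is used to make it look harmless."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_mass_mailers(records, threshold=20, window=timedelta(minutes=5)):
    """Return senders who sent the same subject+attachment to at least `threshold`
    distinct recipients within `window`: the fan-out pattern of a mail worm."""
    buckets = defaultdict(list)  # (sender, subject, attachment) -> [(time, recipient)]
    for r in records:
        buckets[(r["from"], r["subject"], r["attachment"])].append((r["time"], r["to"]))
    flagged = set()
    for (sender, _subject, _attachment), events in buckets.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            recipients = {to for t, to in events[i:] if t - t0 <= window}
            if len(recipients) >= threshold:
                flagged.add(sender)
                break
    return flagged


def triage(records):
    """Summarise what the gateway would quarantine and which senders look worm-like."""
    quarantined = sorted({r["attachment"] for r in records if is_blocked_attachment(r["attachment"])})
    return {"quarantined_attachments": quarantined, "mass_mailers": sorted(find_mass_mailers(records))}


# Constructed gateway log: one user fans out 25 copies of a script attachment in 72 seconds,
# another sends a normal document to three colleagues over three minutes.
T0 = datetime(2000, 5, 4, 9, 0)
SAMPLE_LOG = [
    {"time": T0 + timedelta(seconds=3 * i), "from": "alice@agency.example",
     "to": f"user{i}@agency.example", "subject": "ILOVEYOU", "attachment": "letter.TXT.vbs"}
    for i in range(25)
] + [
    {"time": T0 + timedelta(minutes=i), "from": "bob@agency.example",
     "to": f"colleague{i}@agency.example", "subject": "status report", "attachment": "report.doc"}
    for i in range(3)
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run as a script it prints the quarantined attachment name and the single flagged sender; the extension check alone would have stopped delivery, while the fan-out check gives an early warning even for an attachment type the policy list misses.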