Testimony of Michael A. Vatis, Director, National Infrastructure
Protection Center, FBI
Before the House
Science Committee, Subcommittee on Technology
April 15, 1999
"Melissa Macro Virus"
INTRODUCTION
Chairwoman Morella and Members
of the Subcommittee: Thank you for inviting me here today
to discuss with you the Melissa Macro Virus and the NIPC response
to this virus. As we continue into the information age, our
society is increasingly dependent on computer systems and
on communication sent by e-mail over the Internet. When those
systems and services are disrupted, it can have severe repercussions
on our ability to transact business in both the government
and private sectors. The recent virus demonstrates that even
an event that causes no direct loss or destruction of data
can still have substantial repercussions.
WHAT IS THE MELISSA VIRUS
AND WHY IS IT SO SERIOUS?
The Melissa virus is a macro
virus spread through a Microsoft Word 97 or Word 2000 e-mail
attachment that, when opened, reveals a list of passwords
for pornographic websites, but also activates a macro through
the Microsoft Outlook program and e-mails itself to the first
fifty names in the address book of the infected computer.
The message's subject header reads "Important Message
From [and name of someone you know]," and the body begins
"Here is that document you asked for ... don't show anyone
else ;-)."
What is of great concern about
this particular virus is its ability to propagate itself rapidly
across a vast number of systems in the commercial, government,
and military realms in a relatively short period of time.
Steven R. White, senior manager for antivirus research at
IBM, has warned, "Because of the way Melissa virus spreads,
it represents a new page in the history of viruses."
The Melissa Virus used the Internet to cause widespread infection
rapidly and exploited a known vulnerability in the macro command
language common to Microsoft applications. Many people had
macro virus protection turned on, which protected their computers
from infection. In essence, when someone received the document
containing Melissa, the virus protection feature would ask
the user if they wished to run a macro. If the user said "no,"
then Melissa would not be activated and not infect their computer.
Because of this, many computers that were attacked did not
succumb to infection.
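The propagation pattern described above (a fixed subject prefix, a fixed opening line, a Word attachment, and a burst of copies to many recipients from one infected mailbox) is the kind of signature a mail administrator could check for at the gateway. The following is an added example, not part of the testimony and not any NIPC or CERT tool; the sample messages are constructed here, the function names (classify, is_suspect, fanout_senders) are the author's own, and the two-indicator rule and the ten-recipient window threshold are assumptions chosen for the sample data rather than values from the original page.

```python
"""Heuristic gateway check for the Melissa-style propagation pattern.

Indicators, taken from the description of the virus:
  * subject begins "Important Message From ..."
  * body begins "Here is that document you asked for"
  * a Word (.doc / application/msword) attachment
  * one sender fanning the same kind of message out to many recipients quickly
"""
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from"
BODY_PREFIX = "here is that document you asked for"


def build_message(sender, recipients, subject, body, attach_name=None):
    """Construct a test message (constructed sample data, not a captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # OLE compound-file magic followed by padding stands in for a .doc body
        payload = b"\xd0\xcf\x11\xe0" + b"\x00" * 16
        msg.add_attachment(payload, maintype="application", subtype="msword",
                           filename=attach_name)
    return msg


def classify(msg):
    """Return the list of Melissa-style indicators present in one message."""
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        reasons.append("subject matches 'Important Message From ...'")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if body.startswith(BODY_PREFIX):
        reasons.append("body opens with 'Here is that document you asked for'")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc") or part.get_content_type() == "application/msword":
            reasons.append(f"Word attachment {name!r}")
            break
    return reasons


def is_suspect(msg):
    """Require two independent indicators (assumed threshold) to limit false positives."""
    return len(classify(msg)) >= 2


def fanout_senders(timed_messages, window=timedelta(minutes=5), min_recipients=10):
    """Map sender -> distinct recipients reached by suspect mail within `window`.

    Only senders meeting `min_recipients` are returned; the 50-address fan-out
    described for Melissa would trip any reasonable threshold.
    """
    by_sender = defaultdict(list)
    for ts, msg in timed_messages:
        if is_suspect(msg):
            by_sender[str(msg["From"])].append((ts, msg))
    flagged = {}
    for sender, items in by_sender.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):
            reached = set()
            for ts, msg in items[i:]:
                if ts - start > window:
                    break
                reached.update(a.strip().lower() for a in str(msg["To"]).split(","))
            if len(reached) >= min_recipients:
                flagged[sender] = len(reached)
                break
    return flagged


# Constructed sample traffic: two ordinary messages, then an infected mailbox
# mailing three copies (twelve recipients) within a minute.
_BASE = datetime(1999, 3, 26, 16, 0)
MELISSA_BODY = "Here is that document you asked for ... don't show anyone else ;-)"
SAMPLE = [
    (_BASE, build_message("bob@example.org", ["alice@example.org"],
                          "Lunch?", "Noon works for me.")),
    (_BASE + timedelta(minutes=1),
     build_message("carol@example.org", ["alice@example.org"],
                   "Quarterly budget", "Draft attached for review.", "budget.doc")),
]
for n in range(3):
    recipients = [f"user{n * 4 + k}@example.org" for k in range(4)]
    SAMPLE.append((_BASE + timedelta(seconds=30 * n),
                   build_message("alice@example.org", recipients,
                                 "Important Message From Alice Example",
                                 MELISSA_BODY, "list.doc")))

if __name__ == "__main__":
    for sender, count in fanout_senders(SAMPLE).items():
        print(f"fan-out from {sender}: {count} distinct recipients")
```

Requiring two indicators keeps an ordinary .doc attachment from being quarantined on its own, while the fan-out count is what distinguishes an infected mailbox from a single forwarded copy; on a real gateway the recipient threshold and window would be tuned to the site's normal traffic.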
This rapid distribution of the
virus degraded or disrupted computer networks by means of
an overload in e-mail servers and resulted in a denial of
service on some networks, as they had to be shut down while
the virus was purged from the system. Another serious concern
with Melissa is that once it successfully entered a system,
macro virus protection settings in affected systems were disabled,
thus conceivably allowing for future, more damaging macro
viruses to infect these systems without detection. There is
a fear that these macro commands can be used to have a victim
computer send by e-mail sensitive or classified documents
on the victim's hard drive to others without the knowledge
of the victim. Further, the Melissa virus, with modifications,
could be designed to destroy or alter data, which could have
catastrophic effects on businesses, government agencies, and
individuals.
Eleven years ago the Morris
Worm was released onto the Internet, but at that time only
6,000 or so computers were impacted. Today millions of computers
are hooked up to the Internet, including, I suspect, almost
everyone's in this room. The potential for damage just from
the number of potential affected users is vast. The Melissa
virus exploited a known vulnerability. If a virus attacked
computers attached to the Internet utilizing an unknown vulnerability,
the results could be devastating. Commerce could be significantly
affected either because no information could be passed using
the Internet or because information passed over the Internet
might be considered unreliable. Many businesses now rely on
the Internet as a primary or even sole carrier of information.
E-commerce would be the most affected as many on-line stores,
brokerage firms and corporations would be unable to continue
using the Internet to process business orders and correspondence.
If the Internet ceased to function, the losses could ultimately
be measured in tens of billions rather than millions of dollars.
WHAT IS THE ROLE OF THE NIPC
IN SUCH A CRISIS?
The NIPC was established last
year as the government's focal point for detecting, warning,
analyzing, investigating, and responding to cyber threats
against the critical infrastructures of the United States.
These infrastructures are telecommunications, banking and
finance, health services, water, energy, transportation, emergency
law enforcement services, and government operations. Our role
is to prevent or detect cyber intrusions and attacks by gathering
information about threats and incidents from sources that
are uniquely available to the government (such as law enforcement
and intelligence sources), and combining that information
with information provided voluntarily by the private sector
and obtained from open sources, conducting analysis, and disseminating
those analyses and warnings to all relevant consumers via
our classified and unclassified warning networks. We also
regularly produce a publication called "CyberNotes,"
that provides information on cyber vulnerabilities, hacker-exploit
scripts, hacker trends, virus information, and other information
to security and information systems professionals to help
them better protect their systems. If an attack does occur,
the NIPC's role is to coordinate crisis response and investigation.
However, we are not the nation's super systems administrator,
responsible for securing everyone's systems against intruders
or providing the latest software patches to fix vulnerabilities.
That role must be filled by the systems administrators in
private sector companies, the Chief Information Officers in
government agencies, and by the software and hardware security
communities.
THE NIPC AND THE MELISSA
VIRUS
The role I described is precisely
what the NIPC did with respect to the Melissa virus as we
reviewed the first reports of the virus in the late afternoon
on March 26. During the evening, the Center received calls
from government agencies, including the National Security
Council (NSC) and the Department of Defense (DoD), informing
us of a virus. We immediately began looking into the matter
and called the Computer Emergency Response Team (CERT) at
Carnegie Mellon University to determine if the virus was affecting
the private sector. Based on the information we received about
the speedy propagation and the effects of the virus on the
victims, I decided that a warning should be issued to alert
businesses, government agencies, and individuals in an effort
to contain the damage and limit further spread of the virus.
The NIPC Watch began preparing a warning message on the Melissa
Macro Virus and was augmented to a 24 hour posture.
Just after midnight, our Watch
and Warning Unit transmitted a warning message to federal,
state, and local law enforcement and federal agencies. The
warning gave a basic description of the virus and provided
some pointers to web sites for further information on how
to detect and clean up macro type viruses. Warnings also were
transmitted to the private sector via InfraGard, a new public-
private initiative designed to share information about cyber
threats and incidents, and FBI's Awareness of National Security
and Response (ANSIR) program, which provides a vehicle for
delivering messages about national security or other threats
to approximately 100,000 U.S. companies. The NIPC also sent
a copy of its warning to the CERT. In addition, we posted
a warning on the NIPC web page, which we regularly updated
and which was referenced by news organizations as a place
to look for more information.
Because of our concern that
the virus's effects would potentially increase on Monday,
March 29 as people returned to work and checked their office
e-mail, we decided on Sunday to issue a press release. The
purpose of the release was to disseminate the warnings about
the Melissa virus as broadly as possible before Monday. On
Sunday and Monday, news stories about the virus and how to
avoid or eliminate it were published in traditional media
and posted on Internet news sites. The rapid proliferation
of information from the Center, the CERT, and from many individuals
in the computer security community, likely significantly limited
the damage from Melissa by alerting people not to open suspicious
mail messages with attachments, which was found to launch
the virus. Additional news reports and updates appeared throughout
the week. The NIPC Watch also maintained contact with DoD
and CERT regarding the spread of the virus and their response.
Each of the FBI's 56 field offices
around the country now has a computer intrusion squad or team.
Several FBI field offices launched investigations of the virus
and shared information on reports from victims within their
areas. The NIPC acted as a central point of contact for the
field offices on their response to the virus and also provided
technical assistance to field offices working leads on the
case. As is now well known, the FBI's Newark Field Office
worked closely with the New Jersey State Police on the case.
A tip received by the New Jersey State Police from America
Online, and their follow-up investigation, led to the April
2 arrest of David L. Smith. Search warrants were executed
in New Jersey by the New Jersey State Police and FBI Special
Agents from the Newark field office. The outstanding work
of the N.J. State Police demonstrates the value and importance
of cooperation among federal, state and local law enforcement
agencies in addressing cyber crime. We have accordingly made
it a top priority to work closely with state and local
law enforcement to train their investigators on computer investigations,
to share information about threats and incidents, and to help
them protect their systems from cyber attack.
Mr. Smith was charged under
New Jersey State law with the second degree offenses of interruption
of public communication, conspiracy to commit the offense
and the attempt to commit the offense, third degree theft
of computer service, and third degree damage or wrongful access
to computer systems. If Smith is convicted, he faces a maximum
penalty of $480,000 in fines and 40 years in prison.
In terms of federal law, Title
18, United States Code, section 1030(a)(5)(A), criminalizes
"knowingly caus(ing) the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally
caus(ing) damage without authorization to a protected computer."
Subsection (e)(8) of the same law defines "damage"
as "any impairment to the integrity or availability of
data, a program, a system, or information." The penalties
for each offense are a fine of up to $250,000 or imprisonment
for up to five years, or both. The FBI is continuing to investigate
this matter.
THE EXTENT OF DAMAGE FROM
THE VIRUS
Viruses are a serious concern.
There are an estimated 30,000 computer viruses in existence,
and about 300 new ones are created each month, according to
CERT. Fortunately, in the spectrum of possible damage, the
harm caused by the Melissa virus is serious but temporary.
The virus does not cause the loss of data but did affect tens
of thousands of systems, resulting in a loss of productivity
when the systems were shut down. For example, within the federal
government, the Marine Corps was forced to halt its base-to-base
e-mail system until the virus was contained. The Department
of Veterans Affairs also took its e-mail system offline the
day Melissa was discovered. A Department of Energy server
was also impacted.
One private sector company reported
to CERT that its 500-employee computer network was buffeted
by 32,000 e-mail messages in a 45 minute period, effectively
shutting it down for legitimate uses. Numerous organizations
were forced to cut their e-mail off from the outside world
to insulate themselves. CERT disclosed that, as of April 12,
233 organizations had reported that a total of 81,285 machines
had been affected by the virus. As yet we have no hard estimates
of the monetary damage from the loss of productivity and other
disruptions associated with the virus.
WHAT STEPS CAN BE TAKEN TO
PROTECT FEDERAL AND PRIVATE SECTOR SYSTEMS?
There are several steps that
can be taken to better protect our networks from such attacks.
First, there are numerous virus protection utilities available
on the market that can detect, clean, and attempt to predict,
suspicious program behavior. Updates can be downloaded from
the Internet on a continual basis. Users should be sure that
their computers are running the most up-to-date virus protection
software. Second, users need to be careful in what they download
and in opening attachments, both from known users and especially
from users unknown to you. In the case of Melissa, the virus
was activated only if the attachment was opened. These basic
precautions could protect the user from viruses spread on
the Internet. Finally, in order to protect the larger network
community, computer intrusions and viruses should be reported
quickly to the local FBI field office, the NIPC, CERT, computer
security officers, and government CIOs, as appropriate. These
organizations can provide information to other users and take
appropriate steps to protect the networks. In some cases,
the news media can be extremely effective in quickly alerting
people to the existence of viruses so they can better protect
themselves.
CONCLUSION
We are fortunate that this virus
did not do more damage than it did. Its occurrence serves
as a wake up call for both the government and the private
sector regarding the threat from malicious viruses being spread
over the Internet. There are several lessons to be learned
from the Melissa virus. First, users need to be careful about
attachments sent to them, especially, but not only, if the
source of the attachment is in doubt. Second, users should
be aware of the virus protection software that exists and
ensure that they have up-to-date virus protection on their
systems and are running the virus protection already built
into their software packages. Melissa exploited a known vulnerability.
Users could protect themselves using the tools already at
their disposal. Third, the notifications and information provided
by the NIPC, CERT, and others demonstrate the value of a
cooperative effort by the private sector and government to
contain and minimize the effects of attacks against the National
Information Infrastructure. Thus, another lesson from Melissa
is that information sharing is an effective means of countering
malicious viruses on the Internet. Finally, attacks such as
Melissa demonstrate the need for tough laws regarding computer
crime. Because of the ease of writing and disseminating destructive
and disruptive viruses, deterring people from engaging in
such conduct is the surest method of prevention. Cyber criminals
who plant viruses such as Melissa need to know that justice
will be swift, certain and severe. I welcome any questions
you have.
Thank you.