
Testimony of Michael A. Vatis, Director, National Infrastructure Protection Center, FBI
Before the House Science Committee, Subcommittee on Technology
April 15, 1999

"Melissa Macro Virus"

INTRODUCTION

Chairwoman Morella and Members of the Subcommittee: Thank you for inviting me here today to discuss with you the Melissa Macro Virus and the NIPC response to this virus. As we continue into the information age, our society is increasingly dependent on computer systems and on communication sent by e-mail over the Internet. When those systems and services are disrupted, it can have severe repercussions on our ability to transact business in both the government and private sectors. The recent virus demonstrates that even an event that causes no direct loss or destruction of data can still have substantial repercussions.

WHAT IS THE MELISSA VIRUS AND WHY IS IT SO SERIOUS?

The Melissa virus is a macro virus spread through a Microsoft Word 97 or Word 2000 e-mail attachment that, when opened, reveals a list of passwords for pornographic websites, but also activates a macro through the Microsoft Outlook program and e-mails itself to the first fifty names in the address book of the infected computer. The message's subject header reads "Important Message From [and name of someone you know]," and the body begins "Here is that document you asked for ... don't show anyone else ;-)."

What is of great concern about this particular virus is its ability to propagate itself rapidly across a vast number of systems in the commercial, government, and military realms in a relatively short period of time. Steven R. White, senior manager for antivirus research at IBM, has warned, "Because of the way Melissa virus spreads, it represents a new page in the history of viruses." The Melissa Virus used the Internet to cause widespread infection rapidly and exploited a known vulnerability in the macro command language common to Microsoft applications. Many people had macro virus protection turned on, which protected their computers from infection. In essence, when someone received the document containing Melissa, the virus protection feature would ask the user if they wished to run a macro. If the user said "no," then Melissa would not be activated and not infect their computer. Because of this, many computers that were attacked did not succumb to infection.

This rapid distribution of the virus degraded or disrupted computer networks by means of an overload in e-mail servers and resulted in a denial of service on some networks, as they had to be shut down while the virus was purged from the system. Another serious concern with Melissa is that once it successfully entered a system, macro virus protection settings in affected systems were disabled, thus conceivably allowing for future, more damaging macro viruses to infect these systems without detection. There is a fear that these macro commands can be used to have a victim computer send by e-mail sensitive or classified documents on the victim's hard-drive to others without the knowledge of the victim. Further, the Melissa virus, with modifications, could be designed to destroy or alter data, which could have catastrophic effects on businesses, government agencies, and individuals.

Eleven years ago the Morris Worm was released onto the Internet, but at that time only 6,000 or so computers were impacted. Today millions of computers are hooked up to the Internet, including, I suspect, almost everyone's in this room. The potential for damage just from the number of potential affected users is vast. The Melissa virus exploited a known vulnerability. If a virus attacked computers attached to the Internet utilizing an unknown vulnerability, the results could be devastating. Commerce could be significantly affected either because no information could be passed using the Internet or because information passed over the Internet might be considered unreliable. Many businesses now rely on the Internet as a primary or even sole carrier of information. E-commerce would be the most affected as many on-line stores, brokerage firms and corporations would be unable to continue using the Internet to process business orders and correspondence. If the Internet ceased to function, the losses could ultimately be measured in tens of billions rather than millions of dollars.

WHAT IS THE ROLE OF THE NIPC IN SUCH A CRISIS?

The NIPC was established last year as the government's focal point for detecting, warning, analyzing, investigating, and responding to cyber threats against the critical infrastructures of the United States. These infrastructures are telecommunications, banking and finance, health services, water, energy, transportation, emergency law enforcement services, and government operations. Our role is to prevent or detect cyber intrusions and attacks by gathering information about threats and incidents from sources that are uniquely available to the government (such as law enforcement and intelligence sources), and combining that information with information provided voluntarily by the private sector and obtained from open sources, conducting analysis, and disseminating those analyses and warnings to all relevant consumers via our classified and unclassified warning networks. We also regularly produce a publication called "CyberNotes," that provides information on cyber vulnerabilities, hacker-exploit scripts, hacker trends, virus information, and other information to security and information systems professionals to help them better protect their systems. If an attack does occur, the NIPC's role is to coordinate crisis response and investigation. However, we are not the nation's super systems administrator, responsible for securing everyone's systems against intruders or providing the latest software patches to fix vulnerabilities. That role must be filled by the systems administrators in private sector companies, the Chief Information Officers in government agencies, and by the software and hardware security communities.

THE NIPC AND THE MELISSA VIRUS

The role I described is precisely what the NIPC did with respect to the Melissa virus as we reviewed the first reports of the virus in the late afternoon on March 26. During the evening, the Center received calls from government agencies, including the National Security Council (NSC) and the Department of Defense (DoD), informing us of a virus. We immediately began looking into the matter and called the Computer Emergency Response Team (CERT) at Carnegie Mellon University to determine if the virus was affecting the private sector. Based on the information we received about the speedy propagation and the effects of the virus on the victims, I decided that a warning should be issued to alert businesses, government agencies, and individuals in an effort to contain the damage and limit further spread of the virus. The NIPC Watch began preparing a warning message on the Melissa Macro Virus and was augmented to a 24 hour posture.

Just after midnight, our Watch and Warning Unit transmitted a warning message to federal, state, and local law enforcement and federal agencies. The warning gave a basic description of the virus and provided some pointers to web sites for further information on how to detect and clean up macro type viruses. Warnings also were transmitted to the private sector via InfraGard, a new public-private initiative designed to share information about cyber threats and incidents, and FBI's Awareness of National Security and Response (ANSIR) program, which provides a vehicle for delivering messages about national security or other threats to approximately 100,000 U.S. companies. The NIPC also sent a copy of its warning to the CERT. In addition, we posted a warning on the NIPC web page, which we regularly updated and which was referenced by news organizations as a place to look for more information.

Because of our concern that the virus's effects would potentially increase on Monday, March 29 as people returned to work and checked their office e-mail, we decided on Sunday to issue a press release. The purpose of the release was to disseminate the warnings about the Melissa virus as broadly as possible before Monday. On Sunday and Monday, news stories about the virus and how to avoid or eliminate it were published in traditional media and posted on Internet news sites. The rapid proliferation of information from the Center, the CERT, and from many individuals in the computer security community, likely significantly limited the damage from Melissa by alerting people not to open suspicious mail messages with attachments, which was found to launch the virus. Additional news reports and updates appeared throughout the week. The NIPC Watch also maintained contact with DoD and CERT regarding the spread of the virus and their response.

Each of the FBI's 56 field offices around the country now has a computer intrusion squad or team. Several FBI field offices launched investigations of the virus and shared information on reports from victims within their areas. The NIPC acted as a central point of contact for the field offices on their response to the virus and also provided technical assistance to field offices working leads on the case. As is now well known, the FBI's Newark Field Office worked closely with the New Jersey State Police on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation, led to the April 2 arrest of David L. Smith. Search warrants were executed in New Jersey by the New Jersey State Police and FBI Special Agents from the Newark field office. The outstanding work of the N.J. State Police demonstrates the value and importance of cooperation among federal, state and local law enforcement agencies in addressing cyber crime. We have accordingly made it a top priority to work closely with state and local law enforcement to train their investigators on computer investigations, to share information about threats and incidents, and to help them protect their systems from cyber attack.

Mr. Smith was charged under New Jersey State law with the second degree offenses of interruption of public communication, conspiracy to commit the offense and the attempt to commit the offense, third degree theft of computer service, and third degree damage or wrongful access to computer systems. If Smith is convicted, he faces a maximum penalty of $480,000 in fines and 40 years in prison.

In terms of federal law, Title 18, United States Code, section 1030(a)(5)(A), criminalizes "knowingly caus(ing) the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus(ing) damage without authorization to a protected computer." Subsection (e)(8) of the same law defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." The penalties for each offense are a fine of up to $250,000 or imprisonment for up to five years, or both. The FBI is continuing to investigate this matter.

THE EXTENT OF DAMAGE FROM THE VIRUS

Viruses are a serious concern. There are an estimated 30,000 computer viruses in existence, and about 300 new ones are created each month, according to CERT. Fortunately, in the spectrum of possible damage, the harm caused by the Melissa virus is serious but temporary. The virus does not cause the loss of data but did affect tens of thousands of systems, resulting in a loss of productivity when the systems were shut down. For example, within the federal government, the Marine Corps was forced to halt its base-to-base e-mail system until the virus was contained. The Department of Veterans Affairs also took its e-mail system offline the day Melissa was discovered. A Department of Energy server was also impacted.

One private sector company reported to CERT that its 500-employee computer network was buffeted by 32,000 e-mail messages in a 45 minute period, effectively shutting it down for legitimate uses. Numerous organizations were forced to cut their e-mail off from the outside world to insulate themselves. CERT disclosed that, as of April 12, 233 organizations had reported that a total of 81,285 machines had been affected by the virus. As yet we have no hard estimates of the monetary damage from the loss of productivity and other disruptions associated with the virus.

WHAT STEPS CAN BE TAKEN TO PROTECT FEDERAL AND PRIVATE SECTOR SYSTEMS?

There are several steps that can be taken to better protect our networks from such attacks. First, there are numerous virus protection utilities available on the market that can detect, clean, and attempt to predict, suspicious program behavior. Updates can be downloaded from the Internet on a continual basis. Users should be sure that their computers are running the most up-to-date virus protection software. Second, users need to be careful in what they download and in opening attachments, both from known users and especially from users unknown to you. In the case of Melissa, the virus was activated only if the attachment was opened. These basic precautions could protect the user from viruses spread on the Internet. Finally, in order to protect the larger network community, computer intrusions and viruses should be reported quickly to the local FBI field office, the NIPC, CERT, computer security officers, and government CIOs, as appropriate. These organizations can provide information to other users and take appropriate steps to protect the networks. In some cases, the news media can be extremely effective in quickly alerting people to the existence of viruses so they can better protect themselves.

CONCLUSION

We are fortunate that this virus did not do more damage than it did. Its occurrence serves as a wake-up call for both the government and the private sector regarding the threat from malicious viruses being spread over the Internet. There are several lessons to be learned from the Melissa virus. First, users need to be careful about attachments sent to them, especially, but not only, if the source of the attachment is in doubt. Second, users should be aware of the virus protection software that exists and ensure that they have up-to-date virus protection on their systems and are running the virus protection already built into their software packages. Melissa exploited a known vulnerability. Users could protect themselves using the tools already at their disposal. Third, the notifications and information provided by the NIPC, CERT, and others demonstrate the value of a cooperative effort by the private sector and government to contain and minimize the effects of attacks against the National Information Infrastructure. Thus, another lesson from Melissa is that information sharing is an effective means of countering malicious viruses on the Internet. Finally, attacks such as Melissa demonstrate the need for tough laws regarding computer crime. Because of the ease of writing and disseminating destructive and disruptive viruses, deterring people from engaging in such conduct is the surest method of prevention. Cyber criminals who plant viruses such as Melissa need to know that justice will be swift, certain and severe. I welcome any questions you have.

Thank you.