Watchdog criticizes federal response to e-mail virus

Most federal agencies were squarely hit by the "ILOVEYOU" virus because of a lack of coordinated notice from federal officials and a lack of internal communication, Congress' watchdog told the Senate Banking Financial Institutions Subcommittee Thursday.

"The incident was a good lesson learned, but an expensive lesson learned," said Jack Brock, the General Accounting Office's director of government and information systems. "It pointed to a lack of coordinated oversight. Agencies need to do more."

While the private sector Financial Services Information Sharing and Analysis Center discovered the virus at 3 a.m. EDT and immediately sent an alert to its members on May 4, the FBI's National Infrastructure Protection Center did not issue a notice until 11 a.m. and didn't follow up with advice on how to handle the virus until 10 p.m., according to GAO.

Only seven of 20 agencies interviewed by GAO were spared widespread infection by the e-mail virus, Brock told the subcommittee. The Health and Human Services Department was hit with about 3 million ILOVEYOU messages, taking the agency six days to restore department-wide e-mail communications. The Veterans Health Administration received 7 million messages and spent 240 work hours to recover.

At the Defense Department, an official told GAO that if the attack had occurred over a substantial period of time, the department would have had to call on reservists to cover for military personnel correcting the virus problem.

"It was private industry that had the first alert going out, not the federal government," said Subcommittee Chairman Bob Bennett, R-Utah. "It's clear the government can learn something from the private sector."

Treasury Assistant Secretary Gregory Baer suggested more interagency information sharing as a preventative measure against future attacks as he praised the financial services industry for its quick response.

John Hamre, president of the Center for Strategic and International Studies and former deputy defense secretary, said the incident should serve as a warning to government leaders and CEOs that computer security needs to be taken seriously. He added that without last year's Y2K remediation efforts, the fallout could have been much worse.

"This is an electronic Paul Revere," he told National Journal's Technology Daily.

Bennett suggested that Thursday's hearing, which was cut short because of procedural wrangling on the Senate floor, would be the first of many on coordinated critical infrastructure protection. Bennett leads a working group on computer security issues for the Senate, but he said a similar leadership post is needed in the executive branch to coordinate security efforts.