USIS Washington File

19 May 2000

Excerpts: U.S. Government Officials on "I Love You" Computer Virus

(Treasury, Federal Reserve officials describe damage control) (3910)

Officials charged with regulation and oversight of the U.S. financial
system say the "I Love You" computer virus that raced around the world
starting May 4 did minimal damage, but serves as a warning about the
need for government agencies and financial institutions to remain
vigilant.

"The delivery of key financial and central bank services by the
Federal Reserve was unaffected," said Stephen R. Malphrus, staff
director for management in the Federal Reserve System, the U.S.
central bank.

The nation's financial institutions do not share a systematic
reporting system to document the effects of computer anomalies, but
Assistant Treasury Secretary Gregory Baer said, "We have anecdotal
reports from the bank regulators and individual institutions, from
which it does not appear that this worm disrupted any of the core
functions of the financial services industry."

"Future viruses may be more difficult to contain," said Malphrus. He
said the financial sector must have a strong strategy to combat
viruses so that public confidence in the system is maintained and the
growth of electronic commerce can continue.

Testifying before a Senate Banking subcommittee, Baer described how
the Treasury Department and the financial industry have been working
since 1996 to develop a system for institutions to exchange
information and contend with attacks on their information systems. An
experimental system, in place for less than a year, relies upon
information-sharing between private institutions. It is "an important
experiment, but still just an experiment," Baer said.

On another tack, Baer said the Treasury Department has made a
continuous effort to help institutions protect themselves from
hackers. He said that on May 16, the Office of the Comptroller of the
Currency issued updated guidance to national banks on how to prevent,
detect and respond to intrusions into their computer systems.

Terms used in the text include:

FBI:  Federal Bureau of Investigation

OCC:  Office of the Comptroller of the Currency, Department of the
Treasury

OTS:  Office of Thrift Supervision, Department of the Treasury 

PDD 63: Presidential Decision Directive 63, issued in May 1998, an
order establishing national mechanisms for protecting the U.S.
information infrastructure from threats.

Following are excerpts of the Baer statement:

Senate Subcommittee on Financial Institutions

Oversight Hearing on the "I Love You" Computer Virus and its Impact on
U.S. Financial Services Industry

10:00 a.m., Thursday, May 18, 2000 - Dirksen 538

STATEMENT OF TREASURY ASSISTANT SECRETARY GREGORY A. BAER


PDD 63 directed each federal department and agency to reduce its own
exposure to cyber threats, and directed government to work in
partnership with the private sector in order to protect critical
private sector infrastructures. In the latter respect, PDD 63 assigned
Treasury as the "lead agency" responsible for working with the banking
and finance sector of the economy. I have been designated by Secretary
Summers as the liaison to the private sector for this purpose. My
counterpart, Steve Katz, the Chief Information Security Officer at
Citigroup, serves as the private sector coordinator.

As a first step toward the private sector outreach mandated by PDD-63,
former Secretary Rubin convened a Treasury information security
conference on October 7, 1998. Attendees included a large number of
industry information security officers and representatives of the
financial regulatory agencies and others with a direct interest in
critical infrastructure protection. We hoped that such a conference
would, at a minimum, allow the best minds in the financial services
sector to meet each other, share expertise, and continue to network.

Industry reaction to the conference was extremely favorable. Industry
representatives at the October 7 conference readily agreed that the
goals of PDD 63 (such as information sharing, education and outreach,
vulnerability assessment, and research and development) were worth
pursuing, and they agreed to create and support what is now known as
the Banking and Finance Sector Coordinating Committee on Critical
Infrastructure Protection (the Coordinating Committee), chaired by
Sector Coordinator Katz. The industry representatives also established
four subgroups to address the issue areas they considered to be of
highest priority: vulnerability assessment; research and development;
CEO outreach; and information sharing. This blueprint has defined the
activities of Treasury and the industry since 1998.

The second meeting of the Coordinating Committee, on March 11, 1999,
was a "nuts-and-bolts" type of meeting that established specific
agendas for each of the working groups going forward. At that meeting,
it was also decided that the creation of an industry information
sharing and analysis center was especially important, largely because
of impending Y2K concerns among government and industry leaders and
other signs of an increase in cyber threats. The third meeting, held
on April 10, 2000, focused on assessing the vulnerability of the
financial services sector to attack and on research and development
priorities.

. . . . One of the most important goals of PDD 63 was government
encouragement of private sector information sharing and analysis
centers (ISACs). These centers would be designed to encourage
information sharing about actual or potential cyber attacks, and
distribute alerts about, and suggested remedies for, such attacks to
their respective industry sponsors, the actual owners and operators of
the critical infrastructures.

Dealing with a computer virus or new type of attack is both a
technological and an administrative problem. Just as combating the
annual flu virus involves isolating and identifying the strain,
developing a vaccine, and inoculating millions of people, so too does
combating a computer virus involve determining the strain, developing
a fix (patch or screen), notifying users of the need to protect
themselves and delivering the fix. In the case of computer viruses,
the administrative problem can be a daunting task since it can
involve large numbers of servers and stations.

For this reason, we believed from the outset that an information
sharing center was an area where Treasury could add value. The
financial services sector already represents the state of the art in
information technology. The sector spends considerable resources,
employs talented people, and retains respected consultants. Financial
services firms, perhaps more than non-financial services firms, have
strong reputational, financial, and competitive incentives to
safeguard their information assets.

The incentives for competing financial services firms to share
information, however, are not as strong. The first instinct of a
company under a debilitating attack is not to highlight its problems
to the public and help its competitors avoid the same fate. Thus, we
believe that this area is one where government could profitably act as
a facilitator.

The financial services industry was among the first to respond to PDD
63's call for the establishment of an ISAC. After an arduous period of
technical, legal, and organizational negotiations, approximately a
dozen major financial services firms and industry utilities
established the Financial Services Information Sharing and Analysis
Center - what they call the FS/ISAC. Its official opening was
announced by Treasury Secretary Summers on October 1, 1999, with the
participation of Chairman Arthur Levitt of the Securities and Exchange
Commission, Vice Chairman Roger Ferguson of the Federal Reserve Board,
and Richard Clarke of the National Security Council and the new
FS/ISAC Board members.

Let me emphasize at the outset that the members of the Center and
Treasury view this entity as an important experiment, but still just
an experiment. There will be other ways for firms to share or gather
information: Carnegie-Mellon's Computer Emergency Response Team (CERT)
(funded partly by the U.S. Government) currently performs a valuable
service in identifying and warning of threats to information security.
The NIPC provides an important watch and warning function and works
closely with GSA's Federal Computer Incident Response Capability
(FedCIRC) and Carnegie-Mellon's Computer Emergency Response Team
(CERT). The anti-virus firms themselves operate centers to learn of
new threats, develop fixes, and sell patches. Consulting firms now
frequently offer a myriad of information security services. I think it
is too soon to know which of these efforts will succeed. It may be
that some will eventually be linked. But we thought that a
sector-based, financial services center deserved a try. . . .

Other Treasury Efforts to Prevent Disruptions of Computer Systems

Regulators have increasingly recognized that protecting the
information assets of a financial institution is a crucial part of
safety and soundness. Thus, on May 16, the OCC issued updated guidance
to national banks on how to prevent, detect and respond to intrusions
into their computer systems. The guidance supplements an OCC bulletin
on cyber-terrorism published last year and an alert on distributed
denial of service attacks issued in February.

The updated guidance discusses controls that can be employed to
prevent and detect intrusions, ranging from basic security procedures,
such as employee and contractor background checks, to technology-based
tools, such as data encryption and real-time intrusion detection
software. The bulletin encourages national banks to perform intrusion
risk assessments, implement controls, establish intrusion response
policies and procedures, and perform periodic testing.

The updated guidance also reminds national banks to report intrusions
and other computer crimes to law enforcement authorities and
regulators by filing Suspicious Activity Reports. The bulletin
provides guidance for gathering and handling information on
intrusions, and highlights three organizations that are primarily
involved with the Federal government's national information security
initiatives: Carnegie Mellon University's CERT, the FS/ISAC, and the
FBI's NIPC.

Similarly, OTS has taken several specific actions to encourage thrift
institutions to be proactive in addressing potential security threats.
Starting in October 1997, OTS issued detailed guidance to the thrift
industry and its examiners in a revised examination handbook section,
which is continually updated as technology evolves.

In November 1998, OTS issued its electronic operations rule that is
designed to facilitate safe, sound, and prudent innovation in the use
of emerging technologies. The rule requires management to identify,
assess, and mitigate potential risks, implement a strong system of
internal controls, and monitor and update security procedures to keep
pace with changing industry standards.

OTS has also issued numerous policies and guidance that address
information and technology security issues. These include CEO
memoranda concerning procedures for recovering information systems
that may be damaged by malicious activity; defining lines of
responsibility to respond and report suspicious activity to
appropriate law enforcement authorities; training staff on information
security precautions; and seeking out assistance from information
security organizations when appropriate.

The "Love Bug" Virus

On May 4, the Visual Basic Script (vbs) Love Letter worm - what some
call the Love Bug computer virus - swept into the United States
through innumerable electronic mail messages.

Reports indicate that activity related to the Love Letter worm has now
subsided, including activity resulting from variations of that worm,
such as "Very Funny.vbs" and "mothersday.vbs." However, there is no
systematic reporting of the effects of viruses or worms for any
industry, including the financial services industry. Instead, we have
anecdotal reports from the bank regulators and individual
institutions, from which it does not appear that this worm disrupted
any of the core functions of the financial services industry - for
example, the payments system or any of the major clearinghouses or
exchanges. It did, however, cause substantial disruption to the e-mail
servers of some financial services firms, requiring them to shut down
those servers for hours or even days. In the coming weeks, we will
seek to learn more about the effects of the Love Bug, and how
information about it flowed through the industry.

As we understand it now, the first accounts of the Love Bug came into
U.S. firms early on the morning of May 4th. Those firms with Asian or
European offices heard first, some as early as 3:00-4:00 a.m., as
their overseas affiliates reported trouble. Even for those who got
early warning, however, the only immediate option was to warn
employees not to open certain e-mails and to stop all e-mail
communications.

The distributed denial of service (DDOS) threat was the first major
test for the FS/ISAC, which was successful in terms of sharing
critical information. The Love Bug was the second major test for the
FS/ISAC and exposed some flaws in its present operating procedures.
Only a few firms reported the incident - either because they were too
busy resolving their own problems or because they assumed everyone was
aware of the problem. Although the Center's operator posted a threat
notice early on the morning of the 4th, the paging system used to
alert the members to an urgent threat did not reach all the member
contacts. The Center determined from this experience that it needs to
implement alternate notification procedures (e.g., a conventional
telephone-line, fax-based notification system for those times when
e-mail or other Internet services are not working). We expect that the
system will be better for these reforms, and will induce even greater
vigilance by the financial services industry.


(end excerpts)

(begin excerpts of Malphrus statement)

Statement of Stephen R. Malphrus
Staff Director for Management
2000-05-19
Board of Governors of the Federal Reserve System


Like many organizations, the Federal Reserve System received hundreds
of Love Bug e-mail messages. However, the virus had no impact on our
critical business functions or information systems. Indeed, the
delivery of key financial and central bank services by the Federal
Reserve was unaffected. In the weeks following May 4, we contacted
industry trade organizations as well as a number of the institutions
we supervise, and they reported the virus did not impair critical
retail or wholesale banking services. Indeed with the help of various
public- and private-sector information-sharing programs, the virus was
quickly detected, isolated, and immunized through a variety of
standard operating procedures that have been implemented by the
Federal Reserve and financial institutions.

May 4 Love Bug Attacks

Because the virus started in the Far East, it was identified before
most U.S. public and private institutions opened for business. The
Federal Reserve became aware of the virus on the morning of Thursday,
May 4, through reports from Microsoft. By approximately 8:30 a.m.,
major news wire services also contained fairly accurate details about
how to identify the virus, although the type of damage inflicted on
computer hardware and files and the manner in which the virus spread
were still unclear. Throughout the day, we also received reports from
the FBI's National Infrastructure Protection Center (NIPC), from
InfraGard, and from anti-virus software vendors.

Financial institutions that have foreign offices, particularly those
with operations in Asia, had the earliest warning and were able to
take steps to inform employees worldwide and to shield their e-mail
systems, in many cases before opening for business. As a precaution,
many institutions shut down external, and in some instances internal,
e-mail systems. These institutions also quickly alerted industry trade
organizations and business partners about what they knew of the virus.
The global nature of commerce helped many financial institutions learn
about the virus before many of the monitoring services issued an
alert.

At the Federal Reserve, we immediately began to implement our standard
virus incident response procedures. The fact that our employees were
already trained to recognize and report suspicious e-mail messages,
such as those that typically are virus carriers, was a tremendous
asset in limiting the spread of the virus internally - only a handful
of messages were opened. As a preventive measure, at about 9:30 a.m.,
we shut down our e-mail systems to incoming mail from the Internet,
and subsequently through our intranet, until we received and installed
an anti-virus patch, or antidote, from our software vendors. (An
antidote cannot be produced until the particular virus is analyzed,
and systems are at risk until an antidote is installed.)

In accordance with Federal Reserve System policy, line management
responsible for information security convened Systemwide conference
calls to discuss the virus and to coordinate actions to contain it.
During the day, the CERT and other virus-response centers provided
information about how the virus spread and measures to contain the
virus. We began installing anti-virus patches in the afternoon, and as
an example, the Board of Governors re-opened its e-mail systems to
outside mail by 5:00 p.m. Financial institutions reported they were
able to reopen e-mail systems at various times during the day, and
most e-mail systems were open by the beginning of business the
following morning. . . .

Impact of Love Bug Virus on Federal Reserve and Financial Institutions

Other than impeding office communications and diminishing productivity
because of the temporary halt in receiving and sending e-mail
messages, the virus had minimal impact on the Federal Reserve's
business operations and no impact on our critical financial and
central bank services. Our electronic payment services are protected
from e-mail viruses because they do not operate on the automation
systems that support our Internet and electronic mail services. Our
payment systems operate on proprietary software systems and use a
closed network rather than the public Internet. Fedwire - our
large-value funds transfer application - and our other key payment
systems are accessible only through dedicated devices and require
specific hardware, software, and communications facilities to process
transactions. Moreover, all of these communication systems are fully
encrypted. If for some reason the Love Bug virus was able to operate
on a device linked to one of our payment system applications, the
device might, at worst, be temporarily disabled. An infected terminal,
however, could be recovered by using contingency procedures.

The Federal Reserve did experience some negative effects from the Love
Bug attack. While our e-mail systems were disconnected, we used fax
machines and telephones to complete routine communications. This
proved to be inconvenient for some employees. In addition, our
Information Technology staff had to devote time to communicating with
employees and business partners about appropriate screening and
containment measures and to perform work to apply software patches to
immunize our e-mail systems and recover machines that had been
infected by the virus. In short, a virus of this nature can be
disruptive to an organization's electronic communications and
knowledge-sharing activities.

The financial institutions we supervise reported a similar experience.
Word about the virus spread almost as quickly around the globe as did
the virus, and companies were able to alert employees and to shield
e-mail systems early in the business day. Even when e-mail systems
became infected, the virus was not able to spread to critical banking
systems. Financial institutions conducted business as usual, and ATMs
and other retail and wholesale payment and settlement systems were
unaffected.

Although there were some minor disruptions in commerce, we have not
identified any measurable effect on the economy - in large part
because commercial transactions are not generally conducted using
e-mail-based information systems. Various news services have estimated
the cost of the virus - in terms of lowered productivity and labor
costs to manage the virus and recover from damage - in the range of $5
billion to $15 billion worldwide. At this time, however, we view those
numbers as "guestimates."

Lessons Learned

Although the Federal Reserve's detection and response procedures were
adequate and worked well, we see the incident as an opportunity to
identify lessons learned so that we can continue to improve our virus
response processes. Our information-security program is based on a
process of continuous improvement, and a post-incident review is
standard practice in the Federal Reserve. We want to ensure that we
operate in the most secure environment possible and that we are
prepared to respond to cyber-related incidents in a consistent,
coordinated manner.

With respect to the financial institutions we supervise, the Federal
Reserve is integrating our information technology examination program
into safety and soundness assessments to ensure the inherent business
risks created by technology are properly managed. One benefit of Y2K
is that senior executives and boards of directors of financial
institutions have a better understanding of the linkage between
operations risk and credit, market, liquidity, reputational, legal,
and other forms of risk. This will serve the industry well in
addressing new operational risks posed by rogue software, such as
viruses.

In addition, we are committed to participating in initiatives that
promote information-system security and that assist in the rapid
identification and analysis of new viruses and other forms of cyber
attacks. The Federal Reserve is an active participant in numerous
public- and private-sector activities to protect the critical
infrastructure. For example, we receive information from the NIPC and
we will also be participating in the financial services information
sharing and assessment center. We also plan to work more closely with
our anti-virus software vendors to convey the urgency of producing
antidotes to new viruses in an even more timely manner.

Our financial institutions report a renewed commitment to training,
particularly institutions in which virus-screening capabilities are
somewhat limited because of lesser reliance on e-mail systems.
Moreover, to avoid having to shut down e-mail systems even briefly,
some larger institutions plan to investigate more robust filters that
can be deployed in the period following the spread of a virus and
before their anti-virus software vendors produce an antidote patch. As
a result of the Love Bug virus, there is an increased awareness in the
financial sector that today's most commonly used desktop products (web
browsers, e-mail, and the like) are generally not designed to resist
future virus strains. Financial institutions also believe that the
software industry needs to take additional steps to ensure that their
products are appropriately secure. It is essential that desktop
products used to support critical business functions are secure and
engender confidence in their use. In the future, we anticipate that
desktop products will increasingly be employed to deliver retail
financial services over the Internet.

Conclusion

Computer viruses and other malicious attacks by software hackers
present an ongoing threat. Although the Love Bug virus was limited in
the damage that it caused, future viruses may be more difficult to
contain. Because viruses put us into a defensive mode, good
information security processes and controls are critical - and those
employed by the Federal Reserve were effective in detecting and
responding to the Love Bug virus.

In my opinion, if electronic commerce is to flourish, there must be a
high degree of confidence by all parties to transactions that the
systems and networks are as secure as possible. There is a need to
focus on measures that can be implemented to contain viruses while
antidotes are being developed. These include measures to share
information more effectively, to analyze new viruses quickly, to
distribute fixes more efficiently, and to recognize new, innovative
viruses as they occur. Finally, public- and private-sector
information-security initiatives, including early warning, analysis,
information on, and containment, should be supported and broadened.

Up to this point, much of the focus on new threats to computer systems
has focused on national security and criminal aspects of the problem.
From my perspective, the discussion should be expanded to include the
broader risks presented by the growth of electronic commerce. One of
the reasons our nation's Year 2000 efforts were so successful was that
leaders in the public and private sectors recognized that technology
issues presented significant business risks and they worked together
to meet the challenge. The work of the Department of the Treasury in
supporting the goals of Presidential Decision Directive 63 is a good
step in helping the financial sector to address new forms of
operations risk. Finally, in my view, the model implemented to address
Y2K could be helpful in strengthening programs to address the risks to
the public infrastructure on which the financial services industry
relies: telecommunications, power, water, transportation, and public
safety.

(end excerpts)

(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)