Virus Highlights Need for Improved Internet Management
IMTEC-89-57, Jun 12, 1989
Pursuant to a congressional request, GAO reviewed the November 1988 Internet computer virus incident.
GAO found that: (1) the Internet virus infected up to 6,000 computers within hours after it appeared, clogging systems and disrupting most of the nation's major research centers; (2) university computer experts eradicated the virus at most sites within 2 days; (3) the virus caused lost computer processing and staff time, but no permanent damage; (4) a few changes to the virus program could have resulted in widespread damage and compromise of sensitive or private information; (5) the incident highlighted such vulnerabilities as the lack of an Internet focal point for addressing security issues, security weaknesses at some sites, and problems in developing, distributing, and installing software fixes; and (6) agencies and groups have taken such actions as creating computer emergency response centers and issuing ethics statements. GAO also found that factors hindering prosecution of computer-virus-type incidents included the lack of federal statutes specifically directed at computer-virus-type incidents and the technical nature of computer-virus-type cases.
- Closed - implemented
- Closed - not implemented
Recommendation for Executive Action
Recommendation: The President's Science Advisor, Office of Science and Technology Policy (OSTP), should coordinate, through the Federal Coordinating Council on Science, Engineering, and Technology, the establishment of an interagency group to serve as an Internet security focal point. This group should include representatives from the federal agencies that fund Internet research networks and should: (1) provide Internet-wide policy, direction, and coordination in security-related areas to help ensure that the vulnerabilities highlighted by the recent incidents are effectively addressed; (2) support efforts already underway to enhance Internet security and, where necessary, assist these efforts to ensure their success; (3) develop mechanisms for obtaining the involvement of Internet users, systems software vendors, industry and technical groups, such as the Internet Activities Board, and the National Institute of Standards and Technology and the National Security Agency, the government agencies with responsibilities for federal computer security; and (4) become an integral part of the structure that emerges to manage the National Research Network.
Agency Affected: Executive Office of the President: Office of Science and Technology Policy
Status: Closed - Not Implemented
Comments: OSTP has not decided upon action, but does not intend to follow this recommendation. Action taken will be dependent on legislation introduced creating a National Research and Education Network. This bill has not yet been acted upon.