'ILOVEYOU' Computer Virus Emphasizes Critical Need for Agency and Governmentwide Improvements
T-AIMD-00-171: Published: May 10, 2000. Publicly Released: May 10, 2000.
Pursuant to a congressional request, GAO discussed the "ILOVEYOU" computer virus, focusing on the need for agency and governmentwide improvements in information security.
GAO noted that: (1) ILOVEYOU is both a virus and a worm; (2) the damage resulting from this particular hybrid is limited to users of the Microsoft Windows operating system; (3) ILOVEYOU typically comes in the form of an electronic mail (e-mail) message from someone the recipient knows; (4) as long as recipients do not run the attached file, their systems will not be affected and they need only to delete the e-mail and its attachment; (5) if opened, the ILOVEYOU can spread and infect systems by sending itself to everyone in the recipient's address book; (6) there are areas of management and general control that are integral to improving problems in information security; (7) most agencies do not develop security plans for major systems based on risk, have not formally documented security policies, and have not implemented programs for testing and evaluating the effectiveness of controls they rely on; (8) these are fundamental activities that allow an organization to manage its information security risks cost-effectively rather than by reacting to individual problems ad hoc; (9) agencies often lack effective access controls to their computer resources and, as a result, are unable to protect these assets against unauthorized modification, loss, and disclosure; (10) these controls would normally include physical protections such as gates and guards and logical controls, which are controls built into software that: (a) require users to authenticate themselves through passwords or other identifiers; and (b) limit the files and other resources that an authenticated user can access and the actions that he or she can take; (11) testing procedures are undisciplined and do not ensure that implemented software operates as intended, and access to software program libraries is inadequately controlled; (12) GAO found that computer programmers and operators are authorized to perform a wide variety of duties; (13) this, in turn, provides them with the ability to independently modify, circumvent, and disable system security features; (14) GAO's reviews frequently identify systems with insufficiently restricted access to the powerful programs and sensitive files associated with the computer system's operation; (15) such free access makes it possible for knowledgeable individuals to disable or circumvent controls; (16) service continuity controls are incomplete and often not fully tested for ensuring that critical operations can continue when unexpected events occur; and (17) agencies can act immediately to address computer weaknesses and reduce their vulnerability to computer attacks.