Critical Infrastructure Protection:
'ILOVEYOU' Computer Virus Highlights Need for Improved Alert and Coordination Capabilities
T-AIMD-00-181, May 18, 2000
Pursuant to a congressional request, GAO discussed the ILOVEYOU computer virus, focusing on measures that can be taken to mitigate the effects of future attacks.
GAO noted that: (1) ILOVEYOU is both a virus and a worm; (2) worms propagate themselves through networks, and viruses destroy files and replicate themselves by manipulating files; (3) the damage resulting from this hybrid is limited to users of the Microsoft Windows operating system; (4) ILOVEYOU typically comes in the form of an electronic mail (e-mail) message from someone the recipient knows; (5) when opened and allowed to run, the virus attempts to send copies of itself to all entries in all of the recipient's address books; (6) soon after initial reports of the virus surfaced in Asia, the virus proliferated rapidly throughout the rest of the world; (7) recognizing the increasing computer-based risks to the nation's critical infrastructures, the federal government has taken steps over the past several years to create capabilities for effectively detecting, analyzing, and responding to cyber-based attacks; (8) however, the events and responses spawned by ILOVEYOU demonstrate both the challenge of providing timely warnings against information-based threats and the increasing need for the development of national warning capabilities; (9) the National Infrastructure Protection Center (NIPC) is responsible for serving as the focal point in the federal government for gathering information on threats as well as facilitating and coordinating the federal government's response to incidents impacting key infrastructures; (10) once an imminent threat is identified, appropriate warnings and response actions must be effectively coordinated among federal agencies, the private sector, state and local governments, and other nations; (11) NIPC has had some success in providing early warnings on threats, but had less success with the ILOVEYOU virus; (12) for over 2 hours after NIPC first learned of the virus, it checked other sources in attempts to verify the initial information, with limited success; (13) NIPC did not issue an alert about ILOVEYOU on its own web page until hours after federal agencies were reportedly hit; (14) agencies themselves responded promptly and appropriately once they learned about the virus; (15) GAO found that the few federal components that either discovered or were alerted to the virus early did not effectively warn others; (16) to prevent future virus attacks, agencies can teach computer users that e-mail attachments are not always what they seem and that they should be careful when opening them; and (17) agencies can ensure that up-to-date virus detection software has been installed on their systems.