The Melissa Computer Virus Demonstrates Urgent Need for Stronger Protection Over Systems and Sensitive Data
T-AIMD-99-146: Published: Apr 15, 1999. Publicly Released: Apr 15, 1999.
Pursuant to a congressional request, GAO discussed: (1) the immediate effects of the Melissa virus and variations of it as well as its broader implications for the federal government; and (2) critical measures that should be taken to ensure that federal departments and agencies are better prepared for future viruses and other forms of attack.
GAO noted that: (1) Melissa is a macro virus that can affect users of Microsoft's Word 97 or Word 2000; (2) macro viruses are computer viruses that use an application's own macro programming language to reproduce themselves; (3) Melissa itself is delivered in a Word document; (4) once the Word document is opened, and the virus is allowed to run, Melissa: (a) checks to see if Word 97 or Word 2000 is installed; (b) disables certain features of the software, which makes it difficult to detect the virus in action; (c) generally sends copies of the infected document to up to 50 other addresses using compatible versions of Microsoft's Outlook electronic mail program; and (d) modifies the Word software so that the virus infects any document that the user may open and close; (5) under some circumstances, Melissa could cause confidential documents to be disclosed without the user knowing it; (6) in the course of spreading, variations of the Melissa virus also surfaced, including the Papa virus that can also be delivered by electronic mail; (7) although the Melissa virus reportedly did not compromise sensitive government data or damage systems, it demonstrated the formidable challenge the federal government faces in protecting its information technology assets and sensitive data; (8) Melissa showed just how quickly viruses can proliferate due to the intricate and extensive connectivity of today's networks and how hard it is to trace any virus back to its source; (9) Melissa demonstrated that vulnerabilities in widely adopted commercial-off-the-shelf products can be easily exploited to attack all their users; (10) Melissa illustrated that there are no effective agency and governmentwide processes for reporting and analyzing the effects of computer attacks; (11) to help strengthen computer security practices, GAO issued an executive guide in May 1998, which describes a framework for managing risks through an ongoing cycle of activity coordinated by a central focal point; (12) by adopting the practices recommended by the guide, agencies can be better prepared to protect their systems, detect attacks and react to security breaches; and (13) a comprehensive governmentwide strategy for increasing computer security should: (a) clearly delineate the roles of federal organizations with responsibilities for information security; (b) rank the greatest risks; (c) promote the use of proven security tools and best practices; (d) ensure the adequacy of workforce skills; (e) provide for evaluating systems on a regular basis; and (f) identify long-term goals, as well as timeframes, priorities, and annual performance goals.
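The propagation pattern described in point (4)(c), one sender mailing the same document to dozens of recipients in quick succession, is exactly the kind of burst a mail gateway can detect and alert on before a worm saturates a network. The following is an added example written for this summary, not code from the GAO testimony, showing a sliding-window detector run over a constructed mail-gateway log. The log format (timestamp, sender, recipient, attachment name), the 60-second window and the threshold of 10 distinct recipients are all assumptions chosen for illustration; a real deployment would tune them to local mail volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values (not from the GAO report): flag a sender once the
# same attachment reaches this many distinct recipients inside the window.
WINDOW = timedelta(seconds=60)
THRESHOLD = 10


def build_sample_log():
    """Constructed mail-gateway log (not real traffic).

    One line per outbound message: <ISO timestamp> <sender> <recipient> <attachment>.
    Contains a worm-style burst from one sender and ordinary traffic from another.
    """
    lines = []
    base = datetime(1999, 3, 26, 14, 2, 0)
    # Burst: the same document sent to 12 distinct recipients within 6 seconds.
    for i in range(12):
        ts = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{ts} alice@corp.example user{i}@corp.example list.doc")
    # Benign: one sender, three different attachments, minutes apart.
    for i, name in enumerate(["budget.doc", "memo.doc", "notes.doc"]):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} dave@corp.example user{i}@corp.example {name}")
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, attachment)."""
    ts, sender, rcpt, attachment = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), attachment


def find_attachment_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(sender, attachment): peak_distinct_recipients} for every
    (sender, attachment) pair that reached `threshold` distinct recipients
    within any `window`-long sliding interval.

    Events are sorted by timestamp first so an unordered log still works.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # (sender, attachment) -> deque of (ts, recipient)
    flagged = {}
    for ts, sender, rcpt, attachment in events:
        key = (sender, attachment)
        q = recent[key]
        q.append((ts, rcpt))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for (sender, attachment), count in find_attachment_bursts(build_sample_log()).items():
        print(f"ALERT: {sender} sent {attachment} to {count} recipients within {WINDOW}")
```

Keying on (sender, attachment) rather than sender alone keeps a busy but legitimate mailer below the threshold, while a self-mailing macro that reuses one infected document trips it after the tenth distinct recipient; the peak count is retained so an analyst can see how far the burst went before it was noticed.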