Computers and the Internet bring convenience and productivity to individuals, businesses, and government agencies. They can also bring malicious, self-replicating programming code known as "viruses" that can destroy valuable data stored on computers. Experts from the computer industry and government testified Wednesday before a U.S. congressional panel about the latest worldwide attack caused by the "I Love You" virus. RFE/RL's Andrew F. Tully reports.
Washington, 11 May 2000 (RFE/RL) -- It took less than a week for the U.S. Congress to hold hearings on the latest worldwide computer virus attack. Clearly, American officials are becoming increasingly concerned about computer security.
Expert witnesses appeared Wednesday before the technology subcommittee of the House of Representatives' Science Committee to assess the malicious computer program known as the "I Love You" virus.
A computer virus is essentially a program -- or an "executable file" -- that is capable of creating many copies of itself that can damage millions of computers. Like an organic virus, it is not a living thing. Like an organic virus, it cannot reproduce itself unless it attaches itself to a "host." And like an organic virus, it can spread quickly.
Last year, the virus nicknamed "Melissa" caused havoc among computers worldwide. "Melissa" sent copies of itself to addresses stored in an e-mail program on "host" computers. These copies then did the same on the recipients' computers, and the virus spread around the world in hours, clogging e-mail systems.
The "I Love You" virus, which began spreading in Asia last Thursday (May 4), acted in much the same way. It appeared in e-mail programs under the heading "I Love You." Recipients were asked to open the attached program to read a love letter. The program replicated itself the way "Melissa" did, but it also destroyed certain sound and graphic files on the host computer.
But the greatest damage was the time lost as companies and government agencies around the world were forced to close off their computer communications systems to clean out the virus. One technology research company -- Computer Economics in Carlsbad, California -- estimates that these companies and agencies lost $6.7 billion because of the "I Love You" virus. This is more than half of the total estimated losses from all viruses -- including "Melissa" -- incurred during 1999. And one witness at Wednesday's hearing testified that at least 14 agencies of the U.S. federal government were penetrated by the latest virus.
Wednesday's hearing was the latest of several such forums on how to cope with such malicious software. The issue has become increasingly important as more and more individuals, businesses, and governments rely on computers to accomplish even the most elementary tasks.
The witnesses included experts from both government and the computer industry. They tended to agree that there is no single piece of software that can be designed, no single action that can be taken -- no "silver bullet," as one witness said -- that can protect all computers from electronic viruses.
One witness was Harris Miller of the Information Technology Association of America. He said the best way to prevent a computer infection is for the computer user -- or company network administrator -- to practice what he called "good computing hygiene." This means installing anti-virus software and making sure that the software is current.
He also urged private companies to be more willing to share knowledge about viruses, even with competitors, and for both business and government to stay in constant touch. Without such knowledge, he said, all computers are easy prey for a malicious computer programmer.
And Miller said it is never too early to go beyond merely teaching children how to use computers. He said they also should learn about computer ethics.
The hearing at times was acrimonious.
Congressman Anthony Weiner (D-New York) angrily asked how the leading computer anti-virus companies like McAfee and Norton could not have anticipated the "I Love You" virus, which was so similar to "Melissa.
"Frankly, this is an utter and abject failure of an industry that has sprung up to deal with these types of things. This isn't even that bad of a virus. This doesn't even do anything terribly pernicious once it gets in there. And we couldn't stop it. So it seems to me that for the McAfee Company and for other companies -- Norton -- who make a living stopping these things, that this has got to be a pretty bad day."
Sandra England of McAfee Company replied.
"It's impossible to predict everything, and that simply can't be done. No company in the world can do that. And I think we've done a very effective job. You're right, this was very similar to Melissa, but you don't know about the virus until it's been unleashed. You cannot know about it until it hits."
Another subcommittee member, Congressman Gil Gutknecht (R-Minnesota), scoffed at suggestions that it is the responsibility of businesses and consumers to make sure they have anti-virus software and to make sure that software is kept current. Gutknecht also alluded to a question raised by his colleague, Weiner, who had asked rhetorically why the stock in companies like McAfee and Norton rose after the discovery of the "I Love You" virus.
"Why did the stock go up? Because -- the answer is -- you've got to buy more software. The last software didn't work. You've got to buy something new. And that seems to be the answer to every question."
Gutknecht complained that it should not be up to businesses and individual computer users to protect themselves. He said that should be the responsibility of the anti-virus companies. Miller, of the Information Technology Association of America, responded that just such a system is possible: Contracting with a company to intercept all the mail directed to a client to inspect it for evidence of software viruses. But he stressed that this could delay the e-mail for hours or even days.
"You can have that kind of system, if you want to pay that price. What the consumers appear to want -- whether it's business or individual consumers -- is instant e-mail. In fact they like this instant messaging. They want to be able to communicate the same way over the Internet [as] they can by picking up the telephone or by having face-to-face communications. So they want things instantly. Which means, unfortunately, in terms of the Internet, as I said, the openness of it also is its vulnerability."
Keith Rhodes is a computer expert for the General Accounting Office, the investigative arm of the U.S. Congress. He said neither the "Melissa virus" nor the "I Love You" virus has done enough damage to prompt individual users, businesses, and the government to take proper action to protect themselves.
"This is very pernicious, this is an annoyance. It will be worse next time, and it will probably cost more money. But until it reaches a threshold that hits the knee in the curve [leads to a catastrophe] and we say that the risk is too great, we're going to continue to go through this if we don't start designing the information flow inside our organizations based on risk."
The hearing ended with that question unanswered. Computer users -- individuals, businesses and government agencies -- enjoy the speed, convenience, cost-effectiveness, and openness of this new technology. They must now decide how to make it safe as well.