Lawmakers slam anti-virus biz
Kevin Poulsen, SecurityFocus 2000-05-10

Love Letter worm was an "utter, abject failure" of industry, says one Congressman. Industry blames liberal judges.

WASHINGTON--Members of the House Science Committee's panel on technology slammed the anti-virus industry for failing to protect the nation from last week's "LoveLetter" Internet worm, in a hastily-assembled hearing Wednesday.

Under polite questioning by Committee Chair Constance Morella (R-MD), three industry experts and a U.S. government technical director suggested fighting computer viruses with such tactics as user education, authentication research, ethics training for young people, better "cyber-hygiene," and more use of anti-virus products.

But the hearing adopted a more acrimonious tone as other panel members took their turns asking questions. Anthony Weiner (D-NY) pointed out that the LoveLetter virus spread by raiding Microsoft Outlook address books -- the exact same technique used by the devastating Melissa virus over a year ago. "It seems to me we've had a little time to figure out how to [block] this," said Weiner. "It ain't gonna get any easier than this. They're not going to knock on your door with a disk and say, 'this is going out Monday morning.'"

"We here in Congress, we think, have done a laudable and smart thing by stepping away from the Internet," said Weiner, who had just cast a vote against Internet taxation in another chamber. "And then you come before this committee once every three or four months and say, 'Oh, we were whipped again'. And it seems [the virus-writers] get younger and less educated each time."

"This is an utter, abject failure of an industry that has sprung up to protect against these things," said Weiner. "The question for me is, why did your stock prices go up after this?"

Representative Gil Gutknecht (R-MN) agreed. "Why did the stock go up? Because you have to buy more software. The last software didn't work," said Gutknecht.

"No Magic Bullet"
"It's impossible to predict everything; that simply can't be done," answered Sandra England, senior vice president of Network Associates' anti-virus unit McAfee. "I think we've done a very effective job. You're right that this is similar to Melissa, but you cannot know about a virus before it's released."

Anti-virus programs work by scanning for signatures of known viruses, said England.

Peter Tippett, chief scientist at Virginia-based computer security assurance firm ICSA.net, defended the industry by offering that most anti-virus programs have an option to use general heuristic rules to "look for code that's going down a path of bad behavior in general." With that option enabled, the software would have blocked the LoveLetter worm, he said, but most users don't activate the feature. "Mostly, the problem is, it causes more false alarms than users are willing to tolerate, and therefore they don't turn it on," said Tippett.

Congressman Gutknecht expressed concern that virus writers may be encouraged by the belief that they'll be rewarded with lucrative industry jobs later, and said he was contemplating drafting a bill that would make it illegal for software companies to hire former hackers.

"Do you have any former hackers on your staff?" Gutknecht asked England.

"We basically don't hire those people," said England -- a sentiment quickly echoed by the other three witnesses.

While the industry representatives were unanimous in opposing government regulation of Internet security, they all supported new criminal laws, tougher enforcement of current laws, or both.

Harris Miller, president of the Information Technology Association of America, blamed Internet viruses in part on judges who fail to treat computer crimes as seriously as violent, physical crimes. "There is a whole attitude change that is necessary," said Miller.

ICSA's Tippett urged Congress to make virus-writing itself a crime. "I would suggest that we make this one of those few First Amendment exceptions and make it illegal to create them."

Tippett also announced the preliminary results of an ICSA.net survey that showed that as many as 98% of mid- to large-size North American companies had been affected in some way by the LoveLetter virus. By comparison, a similar survey had found that Melissa affected only 28 percent of such companies. General Accounting Office technical director Keith Rhodes testified that the Love Bug bit at least 14 government agencies.

The LoveLetter worm struck last week, originating in the Philippines and sweeping across the Internet in a matter of hours. It infected millions of computers worldwide, and is considered the most successful computer virus in history.

On Monday, Philippine police arrested a suspect in Manila, but have since released him for lack of evidence. They continue to investigate. Experts have identified at least fourteen variants on the original virus still in the wild.

Miller warned that another virus is inevitable. "There is a subculture out there that is actively plotting its next move," said Miller. "We will be back here having another hearing on another virus attack. There is no magic bullet."

