Schumer: New MyDoom Virus Reveals Feds' Inability To Contain Cyber Attacks

Today's response by Homeland Security Dept falls short and could lead to even more computer viruses being spread; Fails to implement mandatory reporting of viruses

Schumer urges mandatory virus reporting, an alert system that can't be copied by hackers, as well as increased research into fighting and containing cyber-attacks

US Senator Charles Schumer said a new plan announced by the Department of Homeland Security (DHS) today in response to the MyDoom virus falls short and outlined a series of measures to improve federal efforts to combat viruses and cyberattacks. Schumer said DHS' email-based warning system would likely lead to more viruses and lacks mandatory reporting requirements.

"What DHS did today was essentially challenge computer hackers all over the world to put a virus into an email that mimics the DHS email warnings," Schumer said. "If I were a betting man, I'd put a few dollars down that the next virus that clogs computer networks is going to be transmitted through an email that looks like one of these DHS email alerts. This flaw is exacerbated by the fact that without any kind of requirement mandating ISPs and other companies to report the discovery of viruses, these warnings will likely come after a virus has started spreading out of control."

The virus alert system announced by the DHS' National Cyber Security Division (NCSD) has three main features. It will provide biweekly tips to help nontechnical home and corporate computer users protect their computers from viruses, and it will issue bulletins for more technical audiences with news about new security issues and vulnerabilities as well as information about new patches to protect against potential hack attacks. Finally, DHS will issue real-time email alerts when new viruses are discovered.

Schumer said that the Federal Trade Commission already provides information about virus protection and vulnerabilities to businesses and consumers. The only truly new feature is the email-based warnings, a system that is easily copied by a hacker trying to spread a virus. In addition, Schumer said that the initiative is undermined by its failure to require large businesses, ISPs, software makers and others to report viruses to the government at the time of their discovery.

Schumer said that if the National Cyber Security Division is going to be the lead agency for combating cyberterrorism, it needs to become the functional equivalent of the Centers for Disease Control (CDC) for America's cyberhealth. Schumer detailed a series of steps that would enable the NCSD to function as a clearing house for information about worm and virus attacks:

• The NCSD should require companies and financial institutions to report virus attacks that reach a threshold level of danger to national or economic security instead of letting them supply the information on a voluntary basis. It should coordinate the flow of information about viruses among private industry, financial systems, foreign governments computer response centers and professional virus hunting companies. Schumer stressed that information about particular companies or entities would not be publicly disclosed. It would be used to warn industries that are at particular risk or are affected by the virus.

• Schumer said that while it should not duplicate the private sector's efforts to hunt down and stop computer viruses, it should complement those efforts by ensuring that work on containing viruses is distributed to industries being targeted by the attack. The NCSD should be careful to ensure that those industries most affected by a virus are notified immediately upon the discovery of a cyber attack.

• The NCSD should be the primary federal entity responsible for dealing with computer viruses and should have authority to direct the response and investigation into cyber attacks. It would serve as the true focal point for a national response to computer viruses and be assisted by the FBI, Defense Department, Secret Service and other federal agencies responsible for virus protection and enforcement.

• This center would issue national virus alerts to warn of viruses. The alert system would be connected through secure hotlines to national ISPs to quickly locate and disable remotely hijacked bot computers used in massive virus attacks. Schumer said using an email-based system is a bad idea because hackers can easily duplicate or mimic a DHS email warning.

• Schumer also called for boosting support, in the form of additional resources, for CERT, the existing federally funded research center at Carnegie Mellon University. Its current funding, $25 million, is a little less than 2% of what just one virus could cost the world economy. Schumer also said additional research grants should be made available to researchers at other centers of learning to find the best ways to prevent worm and virus attacks before they wreak havoc on the Internet and the American economy.

In the first half of 2003 alone the number of multilayered, more complex, attacks went up 20% from the previous six months. According to the Symantec Internet Security Threat Report, there was a 500% increase in the number of software vulnerabilities, the flaws computer viruses and worms exploit, from 1999 to 2003. In addition, 64% of new attacks targeted vulnerabilities less than 1 year old. These vulnerabilities allow computers to become hijacked and used to spread viruses.

The MyDoom virus first appeared on Monday and has spread throughout North America, accounting for one in nine messages being sent worldwide. The heavy email traffic caused by the virus has jammed computer networks, hitting corporate computer systems particularly hard.

Eighteen months after 9/11, the Administration released its National Strategy to Secure Cyberspace Security. The strategy provided no regulations, mandates or even standards to protect against cyber attacks. Instead, it merely encourages private companies and individuals to secure their own hardware and software. The GAO reports that the strategy failed to indicate how the efforts will be coordinated; define roles, responsibilities and relationships between key layers; provide time frames for implementation; and establish performance measures to hold entities responsible.