19 May 2000
(Treasury, Federal Reserve officials describe damage control)

Officials charged with regulation and oversight of the U.S. financial system say the "I Love You" computer virus that raced around the world starting May 4 did minimal damage, but serves as a warning about the need for government agencies and financial institutions to remain vigilant.

"The delivery of key financial and central bank services by the Federal Reserve was unaffected," said Stephen R. Malphrus, staff director for management in the Federal Reserve System, the U.S. central bank.

The nation's financial institutions do not share a systematic reporting system to document the effects of computer anomalies, but Assistant Treasury Secretary Gregory Baer said, "We have anecdotal reports from the bank regulators and individual institutions, from which it does not appear that this worm disrupted any of the core functions of the financial services industry."

"Future viruses may be more difficult to contain," said Malphrus. He said the financial sector must have a strong strategy to combat viruses so that public confidence in the system is maintained and the growth of electronic commerce can continue.

Testifying before a Senate Banking subcommittee, Baer described how the Treasury Department and the financial industry have been working since 1996 to develop a system for institutions to exchange information and contend with attacks on their information systems. An experimental system, in place for less than a year, relies upon information-sharing between private institutions. It is "an important experiment, but still just an experiment," Baer said.

On another tack, Baer said the Treasury Department has made a continuous effort to help institutions protect themselves from hackers. He said on May 16, the Office of the Comptroller of the Currency issued updated guidance to national banks on how to prevent, detect and respond to intrusions into their computer systems.
Terms used in the text include:
FBI: Federal Bureau of Investigation
OCC: Office of the Comptroller of the Currency, Department of the Treasury
OTS: Office of Thrift Supervision, Department of the Treasury
PDD 63: Presidential Decision Directive 63, issued in May 1998, an order establishing national mechanisms for protecting the U.S. information infrastructure from threats.

Following are excerpts of the Baer statement:

Senate Subcommittee on Financial Institutions
Oversight Hearing on the "I Love You" Computer Virus and its Impact on U.S. Financial Services Industry
10:00 a.m., Thursday, May 18, 2000 - Dirksen 538

STATEMENT OF TREASURY ASSISTANT SECRETARY GREGORY A. BAER

PDD 63 directed each federal department and agency to reduce its own exposure to cyber threats, and directed government to work in partnership with the private sector in order to protect critical private sector infrastructures. In the latter respect, PDD 63 assigned Treasury as the "lead agency" responsible for working with the banking and finance sector of the economy. I have been designated by Secretary Summers as the liaison to the private sector for this purpose. My counterpart, Steve Katz, the Chief Information Security Officer at Citigroup, serves as the private sector coordinator.

As a first step toward the private sector outreach mandated by PDD 63, former Secretary Rubin convened a Treasury information security conference on October 7, 1998. Attendees included a large number of industry information security officers and representatives of the financial regulatory agencies and others with a direct interest in critical infrastructure protection. We hoped that such a conference would, at a minimum, allow the best minds in the financial services sector to meet each other, share expertise, and continue to network. Industry reaction to the conference was extremely favorable.
Industry representatives at the October 7 conference readily agreed that the goals of PDD 63 (such as information sharing, education and outreach, vulnerability assessment, and research and development) were worth pursuing, and they agreed to create and support what is now known as the Banking and Finance Sector Coordinating Committee on Critical Infrastructure Protection (the Coordinating Committee), chaired by Sector Coordinator Katz. The industry representatives also established four subgroups to address the issue areas they considered to be of highest priority: vulnerability assessment; research and development; CEO outreach; and information sharing. This blueprint has defined the activities of Treasury and the industry since 1998.

The second meeting of the Coordinating Committee, on March 11, 1999, was a "nuts-and-bolts" type of meeting that established specific agendas for each of the working groups going forward. At that meeting, it was also decided that the creation of an industry information sharing and analysis center was especially important, largely because of impending Y2K concerns among government and industry leaders and other signs of an increase in cyber threats. The third meeting, held on April 10, 2000, focused on assessing the vulnerability of the financial services sector to attack and on research and development priorities.

. . . .

One of the most important goals of PDD 63 was government encouragement of private sector information sharing and analysis centers (ISACs). These centers would be designed to encourage information sharing about actual or potential cyber attacks, and distribute alerts about, and suggested remedies for, such attacks to their respective industry sponsors, the actual owners and operators of the critical infrastructures.

Dealing with a computer virus or new type of attack is both a technological and an administrative problem.
Just as combating the annual flu virus involves isolating and identifying the strain, developing a vaccine, and inoculating millions of people, so too does combating a computer virus involve determining the strain, developing a fix (patch or screen), notifying users of the need to protect themselves and delivering the fix. In the case of computer viruses, the administrative problems can be a daunting task since it can involve large numbers of servers and stations. For this reason, we believed from the outset that an information sharing center was an area where Treasury could add value.

The financial services sector already represents the state of the art in information technology. The sector spends considerable resources, employs talented people, and retains respected consultants. Financial services firms, perhaps more than non-financial services firms, have strong reputational, financial, and competitive incentives to safeguard their information assets. The incentives for competing financial services firms to share information, however, are not as strong. The first instinct of a company under a debilitating attack is not to highlight its problems to the public and help its competitors avoid the same fate. Thus, we believe that this area is one where government could profitably act as a facilitator.

The financial services industry was among the first to respond to PDD 63's call for the establishment of an ISAC. After an arduous period of technical, legal, and organizational negotiations, approximately a dozen major financial services firms and industry utilities established the Financial Services Information Sharing and Analysis Center - what they call the FS/ISAC.
Its official opening was announced by Treasury Secretary Summers on October 1, 1999, with the participation of Chairman Arthur Levitt of the Securities and Exchange Commission, Vice Chairman Roger Ferguson of the Federal Reserve Board, and Richard Clarke of the National Security Council and the new FS/ISAC Board members.

Let me emphasize at the outset that the members of the Center and Treasury view this entity as an important experiment, but still just an experiment. There will be other ways for firms to share or gather information: Carnegie-Mellon's Computer Emergency Response Team (CERT) (funded partly by the U.S. Government) currently performs a valuable service in identifying and warning of threats to information security. The NIPC provides an important watch and warning function and works closely with GSA's Federal Computer Incident Response Capability (FedCIRC) and Carnegie-Mellon's Computer Emergency Response Team (CERT). The anti-virus firms themselves operate centers to learn of new threats, develop fixes, and sell patches. Consulting firms now frequently offer a myriad of information security services. I think it is too soon to know which of these efforts will succeed. It may be that some will eventually be linked. But we thought that a sector-based, financial services center deserved a try.

. . .

Other Treasury Efforts to Prevent Disruptions of Computer Systems

Regulators have increasingly recognized that protecting the information assets of a financial institution is a crucial part of safety and soundness. Thus, on May 16, the OCC issued updated guidance to national banks on how to prevent, detect and respond to intrusions into their computer systems. The guidance supplements an OCC bulletin on cyber-terrorism published last year and an alert on distributed denial of service attacks issued in February.
The updated guidance discusses controls that can be employed to prevent and detect intrusions, ranging from basic security procedures, such as employee and contractor background checks, to technology-based tools, such as data encryption and real-time intrusion detection software. The bulletin encourages national banks to perform intrusion risk assessments, implement controls, establish intrusion response policies and procedures, and perform periodic testing. The updated guidance also reminds national banks to report intrusions and other computer crimes to law enforcement authorities and regulators by filing Suspicious Activity Reports. The bulletin provides guidance for gathering and handling information on intrusions, and highlights three organizations that are primarily involved with the Federal government's national information security initiatives: Carnegie Mellon University's CERT, the FS/ISAC, and the FBI's NIPC.

Similarly, OTS has taken several specific actions to encourage thrift institutions to be proactive in addressing potential security threats. Starting in October 1997, OTS issued detailed guidance to the thrift industry and its examiners in a revised examination handbook section, which is continually updated as technology evolves. In November 1998, OTS issued its electronic operations rule that is designed to facilitate safe, sound, and prudent innovation in the use of emerging technologies. The rule requires management to identify, assess, and mitigate potential risks, implement a strong system of internal controls, and monitor and update security procedures to keep pace with changing industry standards. OTS has also issued numerous policies and guidance that address information and technology security issues.
These include CEO memoranda concerning procedures for recovering information systems that may be damaged by malicious activity; defining lines of responsibility to respond and report suspicious activity to appropriate law enforcement authorities; training staff on information security precautions; and seeking out assistance from information security organizations when appropriate.

The "Love Bug" Virus

On May 4, the Visual Basic Script (vbs) Love Letter worm - what some call the Love Bug computer virus - swept into the United States through innumerable electronic mail messages. Reports indicate that activity related to the Love Letter worm has now subsided, including activity resulting from variations of that worm, such as "Very Funny.vbs" and "mothersday.vbs." However, there is no systematic reporting of the effects of viruses or worms for any industry, including the financial services industry. Instead, we have anecdotal reports from the bank regulators and individual institutions, from which it does not appear that this worm disrupted any of the core functions of the financial services industry - for example, the payments system or any of the major clearinghouses or exchanges. It did, however, cause substantial disruption to the e-mail servers of some financial services firms, requiring them to shut down those servers for hours or even days. In the coming weeks, we will seek to learn more about the effects of the Love Bug, and how information about it flowed through the industry.

As we understand it now, the first accounts of the Love Bug came into U.S. firms early on the morning of May 4th. Those firms with Asian or European offices heard first, some as early as 3:00-4:00 a.m., as their overseas affiliates reported trouble. Even for those who got early warning, however, the only immediate option was to warn employees not to open certain e-mails and to stop all e-mail communications.
The distributed denial of service (DDOS) threat was the first major test for the FS/ISAC, which was successful in terms of sharing critical information. The Love Bug was the second major test for the FS/ISAC and exposed some flaws in its present operating procedures. Only a few firms reported the incident - either because they were too busy resolving their own problems or because they assumed everyone was aware of the problem. Although the Center's operator posted a threat notice early on the morning of the 4th, the paging system used to alert the members to an urgent threat did not reach all the member contacts. The Center determined from this experience that it needs to implement alternate notification procedures (e.g., a conventional telephone-line, fax-based notification system for those times when e-mail or other Internet services are not working). We expect that the system will be better for these reforms, and will induce even greater vigilance by the financial services industry.

(end excerpts)

(begin excerpts of Malphrus statement)

Statement of Stephen R. Malphrus
Staff Director for Management
Board of Governors of the Federal Reserve System
2000-05-19

Like many organizations, the Federal Reserve System received hundreds of Love Bug e-mail messages. However, the virus had no impact on our critical business functions or information systems. Indeed, the delivery of key financial and central bank services by the Federal Reserve was unaffected. In the weeks following May 4, we contacted industry trade organizations as well as a number of the institutions we supervise, and they reported the virus did not impair critical retail or wholesale banking services. Indeed, with the help of various public- and private-sector information-sharing programs, the virus was quickly detected, isolated, and immunized through a variety of standard operating procedures that have been implemented by the Federal Reserve and financial institutions.
May 4 Love Bug Attacks

Because the virus started in the Far East, it was identified before most U.S. public and private institutions opened for business. The Federal Reserve became aware of the virus on the morning of Thursday, May 4, through reports from Microsoft. By approximately 8:30 a.m., major news wire services also contained fairly accurate details about how to identify the virus, although the type of damage inflicted on computer hardware and files and the manner in which the virus spread were still unclear. Throughout the day, we also received reports from the FBI's National Infrastructure Protection Center (NIPC), from InfraGard, and from anti-virus software vendors.

Financial institutions that have foreign offices, particularly those with operations in Asia, had the earliest warning and were able to take steps to inform employees worldwide and to shield their e-mail systems, in many cases before opening for business. As a precaution, many institutions shut down external, and in some instances internal, e-mail systems. These institutions also quickly alerted industry trade organizations and business partners about what they knew of the virus. The global nature of commerce helped many financial institutions learn about the virus before many of the monitoring services issued an alert.

At the Federal Reserve, we immediately began to implement our standard virus incident response procedures. The fact that our employees were already trained to recognize and report suspicious e-mail messages, such as those that typically are virus carriers, was a tremendous asset in limiting the spread of the virus internally - only a handful of messages were opened. As a preventive measure, at about 9:30 a.m., we shut down our e-mail systems to incoming mail from the Internet, and subsequently through our intranet, until we received and installed an anti-virus patch, or antidote, from our software vendors.
(An antidote cannot be produced until the particular virus is analyzed, and systems are at risk until an antidote is installed.) In accordance with Federal Reserve System policy, line management responsible for information security convened Systemwide conference calls to discuss the virus and to coordinate actions to contain it. During the day, the CERT and other virus-response centers provided information about how the virus spread and measures to contain the virus. We began installing anti-virus patches in the afternoon, and as an example, the Board of Governors re-opened its e-mail systems to outside mail by 5:00 p.m. Financial institutions reported they were able to reopen e-mail systems at various times during the day, and most e-mail systems were open by the beginning of business the following morning.

. . .

Impact of Love Bug Virus on Federal Reserve and Financial Institutions

Other than impeding office communications and diminishing productivity because of the temporary halt in receiving and sending e-mail messages, the virus had minimal impact on the Federal Reserve's business operations and no impact on our critical financial and central bank services. Our electronic payment services are protected from e-mail viruses because they do not operate on the automation systems that support our Internet and electronic mail services. Our payment systems operate on proprietary software systems and use a closed network rather than the public Internet. Fedwire - our large-value funds transfer application - and our other key payment systems are accessible only through dedicated devices and require specific hardware, software, and communications facilities to process transactions. Moreover, all of these communication systems are fully encrypted. If for some reason the Love Bug virus was able to operate on a device linked to one of our payment system applications, the device might, at worst, be temporarily disabled.
An infected terminal, however, could be recovered by using contingency procedures.

The Federal Reserve did experience some negative effects from the Love Bug attack. While our e-mail systems were disconnected, we used fax machines and telephones to complete routine communications. This proved to be inconvenient for some employees. In addition, our Information Technology staff had to devote time to communicating with employees and business partners about appropriate screening and containment measures and to perform work to apply software patches to immunize our e-mail systems and recover machines that had been infected by the virus. In short, a virus of this nature can be disruptive to an organization's electronic communications and knowledge-sharing activities.

The financial institutions we supervise reported a similar experience. Word about the virus spread almost as quickly around the globe as did the virus, and companies were able to alert employees and to shield e-mail systems early in the business day. Even when e-mail systems became infected, the virus was not able to spread to critical banking systems. Financial institutions conducted business as usual, and ATMs and other retail and wholesale payment and settlement systems were unaffected. Although there were some minor disruptions in commerce, we have not identified any measurable effect on the economy - in large part because commercial transactions are not generally conducted using e-mail-based information systems.

Various news services have estimated the cost of the virus - in terms of lowered productivity and labor costs to manage the virus and recover from damage - in the range of $5 billion to $15 billion worldwide. At this time, however, we view those numbers as "guestimates."
Lessons Learned

Although the Federal Reserve's detection and response procedures were adequate and worked well, we see the incident as an opportunity to identify lessons learned so that we can continue to improve our virus response processes. Our information-security program is based on a process of continuous improvement, and a post-incident review is standard practice in the Federal Reserve. We want to ensure that we operate in the most secure environment possible and that we are prepared to respond to cyber-related incidents in a consistent, coordinated manner.

With respect to the financial institutions we supervise, the Federal Reserve is integrating our information technology examination program into safety and soundness assessments to ensure the inherent business risks created by technology are properly managed. One benefit of Y2K is that senior executives and boards of directors of financial institutions have a better understanding of the linkage between operations risk and credit, market, liquidity, reputational, legal, and other forms of risk. This will serve the industry well in addressing new operational risks posed by rogue software, such as viruses.

In addition, we are committed to participating in initiatives that promote information-system security and that assist in the rapid identification and analysis of new viruses and other forms of cyber attacks. The Federal Reserve is an active participant in numerous public- and private-sector activities to protect the critical infrastructure. For example, we receive information from the NIPC and we will also be participating in the financial services information sharing and assessment center. We also plan to work more closely with our anti-virus software vendors to convey the urgency of producing antidotes to new viruses in an even more timely manner.
Our financial institutions report a renewed commitment to training, particularly institutions in which virus-screening capabilities are somewhat limited because of lesser reliance on e-mail systems. Moreover, to avoid having to shut down e-mail systems even briefly, some larger institutions plan to investigate more robust filters that can be deployed in the period following the spread of a virus and before their anti-virus software vendors produce an antidote patch.

As a result of the Love Bug virus, there is an increased awareness in the financial sector that today's most commonly used desktop products (web browsers, e-mail, and the like) are generally not designed to resist future virus strains. Financial institutions also believe that the software industry needs to take additional steps to ensure that their products are appropriately secure. It is essential that desktop products used to support critical business functions are secure and engender confidence in their use. In the future, we anticipate that desktop products will increasingly be employed to deliver retail financial services over the Internet.

Conclusion

Computer viruses and other malicious attacks by software hackers present an ongoing threat. Although the Love Bug virus was limited in the damage that it caused, future viruses may be more difficult to contain. Because viruses put us into a defensive mode, good information security processes and controls are critical - and those employed by the Federal Reserve were effective in detecting and responding to the Love Bug virus. In my opinion, if electronic commerce is to flourish, there must be a high degree of confidence by all parties to transactions that the systems and networks are as secure as possible. There is a need to focus on measures that can be implemented to contain viruses while antidotes are being developed.
These include measures to share information more effectively, to analyze new viruses quickly, to distribute fixes more efficiently, and to recognize new, innovative viruses as they occur. Finally, public- and private-sector information-security initiatives, including early warning, analysis, information on, and containment, should be supported and broadened.

Up to this point, much of the focus on new threats to computer systems has focused on national security and criminal aspects of the problem. From my perspective, the discussion should be expanded to include the broader risks presented by the growth of electronic commerce. One of the reasons our nation's Year 2000 efforts were so successful was that leaders in the public and private sectors recognized that technology issues presented significant business risks and they worked together to meet the challenge. The work of the Department of the Treasury in supporting the goals of Presidential Decision Directive 63 is a good step in helping the financial sector to address new forms of operations risk. Finally, in my view, the model implemented to address Y2K could be helpful in strengthening programs to address the risks to the public infrastructure on which the financial services industry relies: telecommunications, power, water, transportation, and public safety.

(end excerpts)

(Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)
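The Malphrus statement says larger institutions wanted "more robust filters" that could be deployed after a worm began spreading but before vendors shipped an antidote, so that e-mail would not have to be shut down outright. The following is an added illustration of such a stop-gap, written for this page and not code from the Federal Reserve, the FS/ISAC or any firm in the testimony: a gateway check that quarantines any message carrying a Windows script attachment (the Love Letter worm and its variants were .vbs files), independent of any anti-virus signature. The extension list, the addresses and the sample messages are assumptions; the attachment names reuse the variant names the Baer statement cites.

```python
"""Interim e-mail gateway filter: quarantine messages that carry Windows
script attachments, without waiting for an anti-virus signature.

Added example, not from the testimony or any named institution. The
sample messages, addresses and attachment names below are constructed.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the Windows Script Host runs when a user opens the file.
# The list is an assumption for this example; a production gateway would
# maintain it from vendor guidance and its own change control.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def attachment_names(msg: EmailMessage) -> list:
    """Return the filename of every non-container part that declares one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue          # multipart/* parts are containers, not files
        name = part.get_filename()   # checks Content-Disposition and name=
        if name:
            names.append(name)
    return names


def risky_name(filename: str) -> bool:
    """True when the FINAL extension is a script type.

    Only the last extension matters to the desktop: 'notes.txt.vbs' runs as
    VBScript, and the comparison is case-insensitive for the same reason.
    """
    _, ext = os.path.splitext(filename.strip())
    return ext.lower() in SCRIPT_EXTENSIONS


def evaluate(raw: bytes) -> dict:
    """Decide whether a raw RFC 822 message should be held for review.

    Quarantine rather than silent drop: staff can release a false positive,
    and the held copies give responders samples to analyse.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = attachment_names(msg)
    flagged = [n for n in names if risky_name(n)]
    if flagged:
        return {"quarantine": True,
                "reason": "script attachment: " + ", ".join(flagged),
                "attachments": names}
    return {"quarantine": False, "reason": "no script attachment",
            "attachments": names}


def build_message(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample multipart message with one attachment (test data)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"     # constructed addresses
    msg["To"] = "staff@example.net"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: two variant-style names from the testimony, one
    # double extension, one harmless text file. Payloads are placeholders.
    samples = [
        build_message("see attached", "mothersday.vbs", b"' placeholder\r\n"),
        build_message("fwd", "Very Funny.vbs", b"' placeholder\r\n"),
        build_message("notes", "notes.txt.vbs", b"' placeholder\r\n"),
        build_message("Q1 report", "report.txt", b"plain text\r\n"),
    ]
    for raw in samples:
        print(evaluate(raw))
```

A filter of this kind blocks a whole class of carrier rather than one strain, which is why it can be in place before an antidote exists; its cost is that legitimate script attachments are held until someone releases them.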