Subcommittee on Financial Institutions

Oversight Hearing on the "I Love You" Computer Virus
and its Impact on U.S. Financial Services Industry

10:00 a.m., Thursday, May 18, 2000 - Dirksen 538

Prepared Testimony of Mr. James Adams


Chairman Bennett, members of the committee, good afternoon and thank you for including me on this distinguished panel. I consider it an honor to share with you today my perspective on the LoveLetter experience and steps necessary to proactively defend our nation's critical infrastructure from future cyber attack.

By way of brief background, my name is James Adams, and I am the CEO of Infrastructure Defense (iDEFENSE). Founded in 1998, iDEFENSE provides intelligence-driven products, daily reports, consulting, and certification that allow clients to mitigate or avoid computer network, Internet and information asset attacks before they occur. As an example, iDEFENSE reported on the LoveLetter virus to its clients and provided countermeasures to mitigate the damage from this virus as it quickly spread and evolved. I will comment more extensively on iDEFENSE's approach to this virus in a moment.

Before I do so, I want to commend Chairman Bennett, and the committee, for its leadership and diligence on moving the federal government forward on the Y2K issue and its potentially lethal electronic threats. As proven with the Y2K experience, this committee has recognized the vital importance of computer security to the health of the nation, and it continues to take a lead role in raising the right issues at the right time.

Double-Edged World

As a nation, and as a global community, we have been awed by the recent evolution of information technology. For the first time in recorded history, we have a truly interactive media in the hands of the Everyman, and there pervades an air of international exuberance that we have the ability to interact with persons of virtually any age, station, and location at the touch of a button. And this exuberance is not unfounded we are truly in the midst of a Revolution one that connects more and more of our global neighbors with each passing day, facilitating collaborations both academic and economic that have and will change the way we live.

However, as with any great power, there comes a dark side and a grave responsibility. As we connect more and more of the global community it is our duty to warn them of the risks involved. As Americans, we have approached the Internet as we have so many challenging new frontiers: as we put down our roots, we have set about the business of doing business. In so doing, we have raised the stakes exponentially: the Internet is no longer a place dedicated solely to the exchange of ideas, but the exchange of currency and vital, proprietary information.

LoveLetter: A Review

Late in the afternoon of May 4, the LoveLetter virus was discovered in Hong Kong. In its wake, we stand reminded of how much damage the dedicated minority can inflict on us all. Following closely last February's distributed denial of service attacks; the LoveLetter virus is a clear sign that our current approach to dealing with the growing cyber threat is simply inadequate. In fact, it is quite dangerous and irresponsible. We must do better if the current revolution is to remain a positive influence on the global community.

Two important points regarding LoveLetter: One, it spreads primarily through technologies and vulnerabilities that have been known within the industry for over a year, and that have been proven in several relatively prolific viruses. Two, LoveLetter is not self-actuating - it can only be activated and passed to another computer if a recipient consciously activates it. The inescapable conclusion is that the LoveLetter virus exploited human elements and lack of user awareness as much or even more so than technology.

Had the general populace been taught to instinctively verify the source and content of email attachments, the virus might never have reached such epidemic proportions. Had the average user been shown a few minor adjustments to the configurations of their computers, the doors through which the virus entered could have been closed against it. Does this impute to everyone from whose computer the virus propagated some responsibility for the damage that it caused? To some extent, yes, it does, but to a greater extent, the fault lies in our consistently reactive approach to information security.

As the CEO of iDEFENSE, I am privy to all of our ongoing operations, and I would offer some of our experiences and procedures as further illustration of what I mean when I talk of a reactive approach. Since last year, our Intelligence team worked closely with our computer scientists to pinpoint several viruses that appear to have been integrated into the LoveLetter virus. When these earlier viruses were discovered, their less destructive payloads and less intrusive propagation made them a low priority. In fact, many experts paid them very little attention. Not at iDEFENSE. In addition to the timely intelligence regarding these virus's possible damaging effects, our clients also received careful instruction as to how to secure their systems against such intrusions, whatever their purpose or origin. So, in the case of the LoveLetter, persons who had implemented these countermeasures were not vulnerable to its damaging effects.

LoveLetter: Lessons Learned

There are at least four lessons to be learned here. The first, and potentially most troubling for managers of the growing cyber threat, is that in this new world, there is no such thing as a minor threat. Earlier viruses in the LoveLetter virus strain appear, in hindsight, to be much more than the harmless exercises of a bored hacker - they look very much like proofs of concepts. They look like tests. Writers of malicious computer programs, it would seem, are strikingly similar to any other engineer: they build a product, and then find it necessary to test that product on a suitable target.

A specific example, earlier this year a group of Internet-based activists noted for building their own cyber attack tools went searching for a test target. After building a tool specifically for an upcoming attack, they unleashed it at what amounted to a very low power setting on a government Web site chosen for its lack of defenses and monitoring. Had our Intelligence analysts not discovered their plans, the test might never have been discovered. As it turned out, the test was monitored not only by the attackers, but by the owners of the test site and iDEFENSE as well. Without alerting the attackers to our presence, we were able to notify the tool's eventual target and help thwart the attack for which it was built. Had the components of the LoveLetter virus been pursued with the tenacity with which we now pursue the author of the LoveLetter virus itself, we might have been able to prevent much of the damage it caused.

The second lesson to be learned from our experience is the value of a central point of contact. Our clients are able to react immediately to threats because they have no opinions to poll or conflicting advice to sort - they depend solely on iDEFENSE for their intelligence. When our clients hear from us, they can act immediately. As most experts will freely tell you, response time can make or break an organization in the face of a cyber threat.

This will become even more imperative as cyber threats evolve - we have already seen several viruses circulating in the wild that are self-actuating: they require no user interaction whatsoever to infect a computer. Simply receiving these viruses in an email can result in infection. While they have not yet carried any destructive payloads, the astounding speed with which the LoveLetter virus was altered and re-released into the wild is more than enough warning that it can only be a matter of time before they do. When this happens, information security professionals will need immediate warnings of their existence and how to defend against them, or the results could be devastating.

The viruses of the future will not only be self-actuating, but they will travel on a whole new generation of hardware. As those of you who are exposed to television with any regularity will already know, several vendors are now offering Internet access via cellular telephones and even Personal Digital Assistants, such as the Palm Pilot. These new devices are too new to be included in most security architectures, and the protocols on which they function are in many cases rushed to market before they can be comprehensively evaluated.

There are already confirmed reports of automated attack tools with the capability to flood cellular networks, resulting in a denial of cellular service. Suddenly, a workforce that maintains communication via any cellular devices could be completely cut off. Theoretically, cellular-based Web communications could even be intercepted, altered, and then sent on to their intended recipient. Suddenly, the prospect of trading stocks online via your cellular telephone takes on a terrifying new light.

The third lesson to be learned is that as a global community, we face a constantly expanding enemy. While it is widely known that established nations like Russia, China and even France are actively building their cyber attack capabilities, the LoveLetter appears to have originated in the Philippines. Similarly, Serbia, Pakistan, and Taiwan have all demonstrated significant hacker capabilities in recent months. These are all areas that boast significant concentrations of relatively disenfranchised persons who have obviously turned to the Internet as a forum for their agendas. Where during the Cold War there might have sprung up an armed insurrection, we now see cyber attacks carried out by increasingly organized and technologically savvy militants. Even more dangerous, while most conventional terrorists are intimately familiar with the capabilities of their assault rifles and pipe bombs, those responsible for viruses like the LoveLetter may never have any idea of the full extent of the damages they unleash.

Finally, it is quite clear that cyberspace is the new frontier of war and that conflict in the virtual space is a reality. The creator of the LoveLetter virus was an individual and not a nation state yet the power of the weapon that was created was enormous. Following the sun, in the course of a single day the virus caused chaos in the public and private sectors worldwide. A current CIA estimate suggests that the cost of the virus worldwide was $1 billion. Others suggest that may have been the cost to the United States alone. A powerful weapon indeed.

The Way Out: Intelligence and Information Sharing

All three of these lessons point to a single conclusion: the only defenses we have against the hyper-evolving cyber threat are intelligence and an established and effective procedure for its dissemination.

There is much in common between government and industry when it comes to the challenges - and the pportunities - which the Information Revolution poses. Both sectors face common threats ranging from vandal hackers and hardened criminals to foreign agents and natural disasters. Both sectors share common goals for the well being of America and her people. Both employ technologies that are essentially identical. And both must work together to protect each other.

With common problems and common goals, there are opportunities for common solutions. One of the most important, I believe - one that is too new to have been embraced by either the private or public sector - is the need for every organization to incorporate a risk-mitigation process. A second priority is to build a comprehensive information sharing system across all sectors on cyber threats and countermeasures. We cannot afford to allow important information to grow stagnant within particular public or private entities. The rapid pace of technological change necessitates a correspondingly robust response mechanism.

In conjunction with this private-public effort, it is vital that we empower a person or an entity to coordinate a collective response to the growing cyber threat. This entity will draw on skill sets in many areas overlapping that of the CIO, CFO, CSO, and most other officers or entities. I call this entity the Office of Business Assurance and its task would be to continuously gather and synthesize infrastructure-related trends and events, to intelligently evaluate the technological context within which the organization operates, to identify and assess potential threats, and then to suggest defense action. Or, viewed from the positive side, to assess the technological revolution's opportunities and propose effective offensive strategies. Most importantly, the OBA would be a proactive measure: it would endeavor as much to prevent attacks as to defend against them or mitigate the damages resulting therefrom.

Defending our nation's infrastructure is as important as managing Health and Social Security, the Environment or foreign affairs. In the virtual world, if we are not adequately protected, everything fails - and that includes many of the government departments that were damaged by the LoveLetter virus. It is logical then that the Office of Business Assurance is run by a government official with Cabinet level status who can cut across that stagnant bureaucracy and drag it kicking and screaming into the 21st century. The nation deserves no less.

The one thing that has remained constant over our nation's history is the American pioneering spirit. However many years ago, most of our ancestors left the safety of the known for the promise of opportunity in this, the New World. So now we too enter a New World, and with it a host of new challenges, opportunities, and risks. I urge you now to come together and work for the common good, the protection of our cyber pioneers, as our forefathers once circled their wagons to defend their belongings against physical threats. Given her history, I have no doubt that America will establish her place in the cyber world as she established her place on the planet - a haven for all who would enter.

Home | Menu | Links | Info | Chairman's Page