Opening Statements of Committee Members

Oversight Hearing on the "I Love You" Computer Virus
and its Impact on U.S. Financial Services Industry

Opening Statement of Senator Bob Bennett (R-UT)

10:00 a.m., Thursday, May 18, 2000

I am happy to hold my first hearing as chairman of this subcommittee on such an important issue. To borrow a phrase from that great American, Yogi Berra, "It's Deja Vu all over again." A little more than three years ago, we began a series of hearings in the Banking Committee which led to the creation of the Year 2000 Committee.

Our inquiry at that time focused on a mysterious programming flaw called the Year 2000 Bug. We quickly realized the implications of the issue we were examining reached far beyond the financial services sector. That is why for today's hearing I have asked the GAO to look into how the government reacted to this most recent virus, the Love Bug.

I want to begin to lay the foundation for a series of hearings on the subject of coordinated critical infrastructure protection in the financial services area over the remainder of this Congress. The GAO interviewed 20 different agencies and has discovered that the virus caused real, tangible problems for the federal government. Eight of the 20 agencies experienced computer problems which lasted more than one day. The GAO will tell us how one federal agency lost connections to the Internet and its e-mail service for up to six days and a critical government agency involved with public health stated that it would not have been able to coordinate an emergency response in case of a biological incident. These agencies spent literally thousands of hours fixing their systems.

Now let's look specifically at the three unique features of the "I Love You" virus. One, it targeted Microsoft Outlook users and propagated itself to everyone on the program user's address book. Two, it deleted picture and sound files and attempted to steal the computer's passwords. Three, it used a "worm" to occupy unused system capacity, thereby crashing servers in corporations around the globe. The thing that should make all of us sit up and take notice is that if this virus had targeted Microsoft Excel or Lotus spreadsheets, it could have wrought massive devastation on the financial services industry.

The effect of the "I Love You" virus on the financial services industry and its regulators is a microcosm of the impact it has had on the economy as a whole.

Within the last few years we have witnessed increasingly more severe cyber-attacks. Each new virus is to be an integral part of an evolutionary process which seems to forewarn of the attacks yet to come. Each mutation is faster, stronger, and more sophisticated than its predecessor. Some of the hackers with whom my staff has communicated express extreme contempt for those who have spread these viruses, describing them as "unimaginative" and "simplistic." Ladies and gentlemen, the implications of that are quite frightening.

The "I Love You" virus demonstrates several weaknesses in our government's ability to detect and respond to fast-moving cyber events in a coordinated and efficient manner. I have been asking the questions for some time now about what happens when our borders disappear. What does it mean to function in a borderless economy? The virus illustrates that global boundaries are disappearing for commerce; oceans still separate one federal agency from another. The "I Love You" virus should occasion a careful review of our national capabilities. It is important that these weaknesses be addressed now in order to reduce future risks.

With worldwide estimates ranging from $950 million to $15 billion for the "I Love You" virus, the concept, that these viruses were less virulent than "those in the know" expected them to be, concerns me greatly. With this evidence mounting, do we have a national capacity to provide early warnings of coordinated cyber-attacks and if so how well does it work? What does this mean for the government and our economy as a whole?

The private sector seems to be beginning to do its job. Microsoft has announced that it will provide a patch to its Microsoft Outlook 1998 program, which was the target of the "I Love You" virus, and its Office 2000 products. The pendulum is beginning to swing the market in the direction of greater safety. Microsoft has recognized that it must reassess the balance between the user-friendliness of its products and their security. Regrettably, due to a very important scheduling conflict, no representative from Microsoft was able to join us today.

As was the case with the Year 2000 problem, the ultimate responsibility for security rests with the CEO of the corporation. And make no mistake, particularly in the financial services industry, the customer will act quickly to punish an institution that has lost his or her faith. While many companies see system security as an unproductive investment, basic computer security drops straight down to the bottom line. The good news, however, is that the private financial services ISAC (Information Sharing and Analysis Center) had the earliest US warning and analysis of the "I Love You" virus. It is clear that the government can learn something from the private sector.

One of the most confounding facts about viruses is that in many countries no legal barriers exist to prohibit their creation or release. In the case of the "I Love You" virus, the Philippine school which Onel de Guzman attended reprimanded him for his thesis–calling it illegal–but, in fact, it was not illegal according to the local laws. There is a void in the legal systems of many countries which leaves computer vandals free to go about their destructive business, without fear of legal recourse. The Internet is a ripe target for these individuals because its very structure requires the absence of barriers which normally limit criminal enterprise. As these young people see pictures of other hackers splashed across the front pages of national newspapers, it feeds a frenzy. Some of these hackers are elevated to cult figure status; urban legends spring up around them and their deeds.

Until laws are created and enforced internationally which make computer vandals liable for their misdeeds, the only absolute protection from their misdeeds is a pair of wire clippers and a resignation to living in another era.