Summary: Pursuant to a congressional request, GAO responded to congressional questions concerning its April 1999 Testimony on the Melissa computer virus and its broader implications, focusing on: (1) how much damage was done by the virus and how many federal agencies were affected; (2) whether there are any safeguards that can detect a computer virus before it has been identified as a virus; and (3) whether Java Applets and Internet cookies could be used as a means of transmitting viral infections.
GAO noted that: (1) the Melissa "Frequently Asked Questions" electronic document found at the CERT Coordination Center states that more than 300 organizations were affected, covering more than 100,000 individual hosts; (2) these data, however, are not specific to federal agencies; (3) as GAO stated in its testimony, it is critical that the federal government establish reporting mechanisms that facilitate analyses of viruses and other forms of computer attacks and their impact; (4) antivirus tools are readily available from several commercial vendors; (5) these tools perform three basic functions-- virus detection, identification, or removal; (6) the majority do not look for a virus unless and until the virus has been first identified and its characteristics are known; (7) the ability to be proactive rather than reactive--that is, to defend against a virus that has never been seen before--is the basis of antivirus research; (8) Java Applets and Internet cookies have many security issues associated with them; (9) the risk is based on whether the applet actually only does what it is supposed to do, or that the system that wants to set a cookie is actually only setting a cookie; (10) some security analysts simply state that no user should accept either an applet or a cookie from an unknown source; (11) however, knowing the source of the applet or cookie only means that the user knows the source, not whether the applet is malicious or that the cookie being set is the only action being taken; (12) as with all security issues, the environment is very dynamic; (13) for example, on Princeton University's Secure Internet Computing web page, there is an announcement of a very recent Java security problem; and (14) the dynamic nature of the problem means that all those involved in computing must be diligent in their security efforts.