Want CNET to notify you of price drops and the latest stories?

Congress mulls worm defense tactics

Lawmakers express frustration over the problems caused by malicious viruses and ask whether additional laws and criminal prosecutions are necessary to protect the public.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read
Members of Congress expressed frustration Wednesday over the exploding problems caused by malicious worms and viruses and asked whether additional laws and criminal prosecutions are necessary to protect the public.

Rep. Adam Putnam, the chairman of a House subcommittee that oversees government use of technology, suggested at a hearing that the U.S. Department of Justice and the FBI are not doing enough to identify and prosecute those responsible for the havoc caused by viruses such as the MSBlast worm, also known as Blaster and Lovsan.

"There are hundreds of viruses released every year...but you can only recall two arrests, two convictions, two jail times?" Putnam asked a Justice Department official. "Now I ask, 'What's the source of the threat? Is it foreign or domestic?' Well, we really don't know."

Putnam said that such a lack of knowledge shows that the Justice Department has a "different level of seriousness"--that is, not as much--when targeting computer criminals.

John Malcolm, the deputy assistant attorney general who oversees the department's computer crime section, responded by saying: "I would reject that implication totally...These are unusually complicated investigations. Very sophisticated people are very good at covering their tracks. To suggest that--just because there are few public arrests out there in the media--that this is not a very high, high, high priority of the Department of Justice, is a completely wrong assumption to make."

While the masterminds behind the Sobig.F mass-mailing virus and the MSBlast worm (which enters computers through a programming flaw in Microsoft Windows) remain at large, police have made some progress. On Wednesday, Romanian police said that Dan Dumitru Ciobanu, 24, admitted to unleashing MSBlast.F, a variant of the MSBlast worm. And U.S. federal police have arrested Jeffrey Lee Parson on charges of allegedly releasing MSBlast.B.

Rep. Candice Miller, R-Mich., said she is generally worried about overregulating the private sector. But because of the growth of security breaches and the increasing importance of the Internet, Miller suggested, the time for legislative forbearance might be over.

Isn't it true that the "federal government has an oversight rule?" Miller asked. "We're trying to understand what we need to do appropriately, without overstepping our bounds in the private sector."

Miller and other members of the subcommittee said they are particularly concerned about the effect that vulnerabilities in common operating systems such as Windows could have on government agencies. In June, the subcommittee convened a hearing designed to explore whether federal agencies are--or are not--following approved procedures in making their systems secure.

Microsoft acknowledged on Wednesday that Windows suffered from three additional vulnerabilities and that if users do not download a patch, security vulnerabilities similar to those exploited by the MSBlast worm could be introduced.

Putnam, the chairman of the subcommittee, recently proposed requiring that publicly traded companies include a kind of "cybersecurity checklist" when filing reports with the Securities and Exchange Commission. Supporters of that approach argue that it would avoid intrusive federal regulation, but no bill has been introduced so far.

Also on Wednesday, the White House released a 24-page document titled "Progress Report on the Global War on Terrorism." Five paragraphs are devoted to computer security, and they stress that the Department of Homeland Security's National Cyber Security Division "played a central role in coordinating national response efforts" to the recent worm and virus threats.

The report also says that the department's Critical Infrastructure Information Program Office is busy creating a way to receive and collate reports from the private sector on threats and vulnerabilities. The department "released draft regulations for implementing the Critical Infrastructure Information Act this spring and is now developing the final guidelines," according to the document.