Lawmakers aim to get tough on malicious code

House subcommittee members were frustrated Wednesday in their efforts to find out just who is releasing all of these computer worms and viruses.

Neither government officials nor industry experts testifying before the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census were able to identify the culprits.

When Deputy Assistant Attorney General John Malcolm could not provide a list of people prosecuted for hacking, Chairman Adam Putnam (R-Fla.) suggested that the Justice Department was not paying enough attention to the issue.

"I would reject that implication totally," said Malcolm, of the Justice Department's Criminal Division. "These are unusually complicated investigations." He called cybercrime a "high, high, high priority" for the department.

Malcolm said the U.S. Judicial Conference is reviewing federal sentencing guidelines and could increase penalties for computer crimes.

"I expect the sentences and prosecutions to commensurately increase" as the seriousness of computer crimes is recognized, he said.

Norman Lorentz, the Office of Management and Budget's acting administrator of e-government and IT, and Lawrence Hale, director of the Federal Computer Incident Response Center, outlined their agencies' response to vulnerabilities exploited by recent worms.

OMB alerted agency CIOs and incident response centers via conference call, following up with an e-mail listing specific actions to be taken. Agencies were required to report back to OMB through FedCIRC on the implementation of countermeasures.

"This emergency notification and reporting process was instituted for the Microsoft RPC vulnerability in July and as a result, agencies were able to rapidly close vulnerabilities that otherwise might have been exploited by the Blaster worm," Lorentz said.

Even with this process, several thousand government computers were affected by recent worms, Lorentz said. "This impact ranged from a slowdown in agency e-mail to the temporary unavailability of internal agency systems."

Rep. Candice Miller (R-Mich.) said the Sobig.F worm "nearly crippled the House e-mail network," and called the recent worms, "terrorism, plain and simple."

Putnam criticized guidelines for handling software security vulnerabilities published recently by the Organization for Internet Safety. The voluntary guidelines call for a 30-day waiting period from the discovery of a vulnerability to when it is announced, to give software vendors a chance to prepare a patch. Absent from the guidelines is any role for the government in the process.

"We specifically excluded government from the drafting process," Scott Blake, a vice president of BindView Corp. of Houston and chairman of the OIS communications committee, said in July. "We felt that involving the U.S. government would limit the document's international appeal."

Putnam said at the hearing, "there is a very important role for government to play in the disclosure process. It is simply not acceptable for vendors to determine on their own who gets notified and when. It is imperative that the appropriate government entities be involved in this process from the very beginning."

OIS co-founder Christopher Wysopal, who testified at Wednesday's hearing, did not address the issue.

William Jackson writes for Government Computer News magazine.