(1) Personal computer contamination. Personal computer (PC) viruses, to
date, have resulted from a user knowingly loading software containing a virus onto an
Army PC without license. The virus subsequently damages the files stored on the hard
disk. United States (US) law requires government employees to refrain from loading
unlicensed software, including shareware, onto government computers. (Shareware is
copyrighted software, obtained through bulletin boards or by way of mailed diskettes.
The manufacturer asks users to voluntarily send in payment if using the shareware.
The few who comply cover costs for the majority who use and pass around software by
copying it onto diskettes). United States Army Information System Command (USAISC)
policy requires USAISC bulletin board operators to examine public domain and Army
licensed shareware for viruses before placing software on bulletin boards. End users
would be wise to do the same for such software obtained from other sources.
(2) Network viruses. Network viruses are greater threats, as they spread
themselves across a network, transferring infected files between hosts and propagating
the virus to other computer systems on the network. Simple actions are sufficient to
protect against most threats. The following measures have been sufficient up to now:
not allowing "guests" publicly known passwords; not allowing users to invent their own
passwords (they should use randomly generated passwords that are harder to figure
out); not allowing more than three successive unsuccessful log-on attempts per user;
changing passwords at least semi-annually.
(3) The operations environment. In addition, it is important to consider the
working environment of these systems. Many systems have "holes" which are known to
some communities. The Morris Internet Virus exploited several of the known "holes" in
the Unix computer system. The operating system and security products in use should
be examined and accredited by the National Computer Security Center (NCSC). The
USAIC has established an Army Computer Emergency Response Team (CERT), which
has the technical expertise to deal with computer emergencies, contamination, and
intrusion which may affect USAISC systems. The User Coordinating Center (UCC) is
the focal point of contact for the Army CERT, AUTOVON 879-6255.
g. Cost. It has always been difficult to place computer hardware and software
costs in perspective vis-a-vis anticipated payoffs. Until now, hardware has been the
big-ticket item. Now software and personnel costs are taking center stage as the
important cost factors. Large hospitals are spending millions on medical information
systems, as they underestimate costs and overestimate payoffs, and the costs are
rising each year.
h. Legal Problems. Freedom of Information laws require organizations to make
available information that they hold. At the same time, Privacy laws place limits on
information processing. Today, with the dramatic proliferation of data collected and
stored, it has become harder for organizations to comply with these laws. On the one
hand, data must be made available under the Freedom of Information law. On the other
hand, that same data must be protected under Privacy laws, and "computer error" is not
a valid excuse for noncompliance with these laws.
MD0058
3-24