To: Mr. Don Goldberg
House Judiciary Subcommittee on Criminal Justice
U.S. House of Representatives
H2-362
Washington, DC 20515
202-226-2406 voice; 202-225-3788 fax

From: David Stang
National Computer Security Association
Suite 309, 4401-A Connecticut Ave. NW
Washington DC 20008
202-364-8252 voice; 202-364-1320 fax

Subject: NCSA Testimony on Virus Bills
Date: August 17, 1990

We understand that HR 55 and HR 287 -- the two virus bills -- may have died as a result of unexpected action elsewhere in Congress on the Comprehensive Crime Control Act of 1990.

We believe that the magnitude of the problem caused by a virus in just one computer is serious. As you and the committee well know, and have heard through prior testimony, the enormity of the damage caused by a virus can be stunning. I recently talked to one of our members who had spent $16,000 in consulting fees trying to save files that had been ravaged by a computer virus. Yesterday, I spoke to someone who had erased three months' worth of work in an attempt to eradicate a virus. These may not be isolated cases. NCSA is now conducting a damage survey, to try to get some more honest numbers for the costs of viruses. We will be sharing our findings with your committee.

In the balance of this letter, I will update our previous testimony in regard to the virus problem.

There are now over 245 named viruses. More viruses were written so far in 1990 than in all prior years combined.

The number of virus incidents is increasing at an alarming rate, although there are no reliable statistics on this.

Many good self-defense measures and programs are now available, but the public is largely unaware of them, or of the magnitude of the problem.

The damage caused by viruses may be in the hundreds of millions of dollars annually.

Only 25% of viruses appear to have U.S. origins. The committee needs to consider the international scope of the crime. An international symposium would be valuable.

Most of the viruses that have been written have not yet spread widely. Many have not yet entered the U.S. Their damage is yet to come. Legislation should consider whether such virus authors will be grandfathered, or whether they are exempt from this legislation for viruses already written.

Virus authors do not sign their work, but may show it to friends. Legislation which paid rewards to informers would be more effective than legislation which merely offered to punish those apprehended. The NCSA offers a $1,000 reward for anyone who plays a pivotal role in the conviction -- with jail time -- of a virus author. Legislation could do the same.

The program code for many viruses has been published in many sources, making imitation and the creation of new viruses fairly simple. There may be 10,000 programmers in this country alone who are now capable of creating a new virus. Many more can modify an existing virus in a few minutes, using commercially-available software. The committee might consider whether the publication or distribution of virus code should be punishable, as it seems to aid and abet the crime.

Because most viruses are reasonably easy to prevent with proper procedures, and easy to detect with software, legislation should encourage/support public education efforts for virus prevention and detection. Ultimately, we may shift some of the burden of virus damage to users who haven't shown reasonable care.

There are no trustworthy statistics on incidents of virus infection. A national clearinghouse for such information would be valuable.

We wish you well in your efforts to provide a serious, measured response to a serious international problem. As our society becomes increasingly dependent on computers, it will become increasingly victimized by viruses, and the work of your committee will become more important than ever. If there is anything we can do to support your efforts, please let us know.