Keeping Out the Digital Swarm

Shortly after midnight on Aug. 20, 2003, railroad company CSX was forced to delay several trains because its computer networks were flooded by the Nachi worm, a self-propagating piece of code that exploited a Windows XP security hole. The Jacksonville, Fla.-based railroad, the third-largest in North America, says the overall effect was a slowdown in its operations for about half a day. Considering the company had $7.79 billion in sales last year, several million dollars of revenue would have been at risk while it was fighting the worm.

How did it happen? CSX says it was running up-to-date antivirus software on its desktops and e-mail servers (though the company would not disclose the names of its software vendors). But computers in CSX’s remote offices were not always included as part of the routine maintenance, a process the company says it has since taken steps to improve. Overall, only about 2% of the company’s PCs were infected by the worm, but that was enough to bring the network to a standstill.

“It was really a new world to a certain extent, because it was a very small level of infection that led to a very big impact,” says Mark Grant, CSX’s director of information security.

There are other irritating blights of the Internet age, like spam. But viruses and worms—small pieces of code that take advantage of software flaws or trick a computer user into activating them to spread across networks— produce far more fear and loathing because they can shut down a network and hobble a business for hours or days. Certain varieties are programmed to delete files; even those that are basically pranks, though, can clog e-mail servers and render them useless.

And the problem is getting worse: Symantec, which sells antivirus and other security software, says it discovered 2,636 Internet-borne viruses and other potential threats in 2003, up 2% from the year before. “Viruses are what keep me up at night,” says Mark Van Holsbeck, director of enterprise security at Avery Dennison, a label maker based in Pasadena, Calif. “I keep waiting for the big bomber virus that deletes all the applications on my desktops.”

Which means, of course, that CSX has plenty of company. Dozens of organizations have reported being briefly disabled by viruses or worms, including Air Canada, which canceled a few flights last summer after a worm infiltrated its reservation system; the Maryland Motor Vehicle Administration; Temple University; and the U.S. State Department.

“You only have to go through that once in order to realize you can’t afford to have that happen again,” says Tim O’Rourke, Temple’s vice president of computer and information services. He estimates the university spent half a million dollars on technology-staff costs alone last summer to recover from the Blaster worm.

Grudgingly, corporate America has accepted that maintaining antivirus software is part of the cost of doing business—the digital equivalent of security guards and razor wire. “It’s a necessary evil we have to pay for,” says Marian Cole, director of global information-technology infrastructure at Cabot, a diversified manufacturer.

Some customers use antivirus products from multiple vendors, believing that provides better protection. But Peter Firstbrook, senior research analyst at Meta Group, says there’s not much to be gained from this approach because most products provide about the same ability to eradicate viruses. A more effective strategy, he says, is to deploy antivirus products in multiple tiers—for example, at the network level, on e-mail servers and on desktops—and choose one vendor based on such factors as its products’ management capabilities and quality of support.

As viruses and other threats have run rampant, antivirus vendors have thrived. Network Associates, Symantec and Trend Micro, which IDC says are the three largest antivirus companies, have all shown profits the last two years as other information-technology companies suffered from spending pullbacks. That puts these players in the odd position of rooting for virus epidemics: Earlier this year, Greg Myers, Symantec’s chief financial officer, told financial analysts that “to the extent we have a major [virus] event in fiscal 2005, it would be an upside.”

Industry analysts say antivirus vendors will need to make their software more proactive at preventing infections rather than reacting to viruses and worms after an outbreak. Among the forces at work: Microsoft, pushed by customers sick of dealing with security flaws in Windows, is trying to make its operating system more resistant to malicious code. Last year it acquired two small companies—GeCAD Software, a Romanian antivirus company, and Pelican Software, a developer of behavior-based blocking software that detects suspicious activity—and analysts expect these technologies to show up in future iterations of Windows, although Microsoft hasn’t explicitly said so. Says Gartner analyst John Pescatore: “The antivirus vendors are protecting their business models, while technology has changed around them.”

But technology, by itself, only goes so far. Antivirus software is critical, but it’s useless unless an organization’s security processes, and the people in charge of carrying them out, are up to snuff. Last summer, the city government of El Paso, Texas, was hit with the same worm that struck CSX. The city’s Network Associates WebShield e500 appliance had been continuously scanning network traffic for viruses and worms. But the administrator in charge of the system had not properly configured it, so its security definitions were old. For several days after the worm contaminated its computers, city workers—including those in the police and fire departments—couldn’t access e-mail or payroll or human-resources systems.

Jose Aguirre, the city’s manager of information systems, says “a change was made in personnel,” and the task of updating the system is now split between two members of his staff. Since then, he says, El Paso has not been knocked offline by viruses. Still, Aguirre knows a massive virus attack is potentially just a mouse-click away. “We’re on our toes,” he says.