When Melissa Virus Transformed World’s Perspective on Cyber Security

The Release

It had been just a few years since Microsoft Outlook was launched and only a small percentage of people were familiar with the computer technologies like viruses, let alone cybersecurity in the year 1999. The common public was still understanding the e-mails when David L. Smith seized the opportunity of unawareness with both of his hands.

The Working

The victim received an e-mail that appeared to have been sent by a trustworthy person (someone from your family, friends, or relatives). What made it more appealing was the subject line and the document attached to it. Here’s how it looked like:

Melissa Virus

The Impact

It completely damaged large companies that had a huge amount of emails being created on their web servers. It managed to disrupt hundreds of networks including those of Microsoft! The New York Times reported in March 1999 that 250 organizations had called the Computer Emergency Response Team, a Pentagon-financed security service at Carnegie Mellon University, which meant that at least 100,000 workplace computers were affected. The final number of infected computers was much larger.

The Arrest

The Federal Bureau of Investigation and The New York Jersey Police led the investigation with the help of a computer scientist and electronically tracked down Smith after a week of the release. Smith acknowledged that he was behind the release of the virus but pleaded that he had not anticipated that it will create this much impact. He said that it was intended to be a “harmless joke”.

Further Impact

The incident was taken as a ‘wake-up call’ because it clearly proved how many vulnerabilities were still to be taken care of. The need for further advancements in technology was acknowledged. It also increased the awareness among the common public and people were more cautious about their presence on the internet.

The Lessons

  • Melissa showed just how quickly viruses can spread due to the intricate and extensive connectivity of today’s networks.
  • Melissa showed how hard it is to trace any virus back to its source. Without the cooperation of the third parties and sources, the attacker would have never been identified.
  • Melissa demonstrated that vulnerabilities in widely adopted commercial-off-the-shelf (COTS) products can be easily exploited to attack all their users.
  • Melissa illustrated a lack of effective agency and governmentwide processes for reporting and analyzing the effects of computer attacks.
  • Melissa proved that computer users can do a good job of protecting their systems when they know the risks and dangers of computing and when they are alerted to attacks.

The Measures

To help strengthen computer security practices, the Computers and Telecommunications Accounting and Information Management Division issued an executive guide in May 1998 entitled Information Security Management: Learning From Leading Organizations (GAO/AIMD-98–68). By adopting the following 16 practices recommended by the guide, agencies can be better prepared to protect their systems, detect attacks and react to security breaches:

The Conclusion

Federal agencies were fortunate that the worst damage done by Melissa was to shut down e-mail systems and temporarily disrupt operations. The Information Security Best Practice guide offered a good framework for agencies to follow (at that time), but sustained governmentwide leadership was still needed to ensure that executives understand their risks, monitor agency performance, and resolve issues affecting multiple agencies.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store