Some Fear Sabotage by Y2K Consultants
America’s computer systems may survive this New Year’s Eve just fine, but some U.S. intelligence officials and security consultants are worried about a threat that may linger long after the 2000 bug has come and gone.
Experts are expressing increasing confidence that critical computer systems in government agencies and private corporations will withstand the primary Y2K challenge: the transition from Dec. 31, 1999, to Jan. 1, 2000.
But key officials at the White House, Pentagon and national intelligence agencies, along with private consultants who are paid to make systems more secure, warn that the billions of dollars spent to fix the millennium glitch may have left U.S. computers vulnerable to a more insidious threat: Some of the people hired to make computer programs Y2K compliant, including foreign contractors, may have deliberately infected them with hostile programming code.
‘Unique Opportunity for Foreign Countries’
“The use of untested foreign sources for Y2K remediation has created a unique opportunity for foreign countries or companies to access and disrupt sensitive national security and proprietary information systems,” wrote Terril D. Maynard, a CIA analyst at the National Infrastructure Protection Center, in a recently published unclassified report.
Maynard cited India and Israel in particular as “more likely sources of malicious remediation among leading U.S. offshore remediation service providers.” He said that both countries are among those known to be developing “cyber-warfare” capabilities and that both have large numbers of skilled programmers who work for U.S. firms.
Industry officials said that U.S. software contractors have farmed out significant amounts of their Y2K remediation work to subsidiaries or subcontractors in other countries, where labor costs are lower. The painstaking work involves revising code in older computer programs that denote years with two digits. Programs could malfunction and entire systems could crash if a computer “thinks” that Jan. 1 is New Year’s Day 1900 instead of 2000.
Government officials and industry experts said that they are not sure what percentage of remediation work has been done offshore, but America’s Y2K glitches clearly have been a boon to foreign software programmers.
Even so, most U.S. corporations and a few contrarian consultants think the threat of foreign infiltration has been overblown.
CIO Magazine polled 202 chief information officers and business executives in August to determine their level of confidence that programmers were not sabotaging their security infrastructure. It found that 70% were extremely confident or very confident, 22% were confident and only 1% were not confident.
Companies Express Security Concerns
Wayne Bennett, an attorney who represents a wide range of businesses in their dealings with computer contractors, acknowledged that security is an issue any time companies contract with outsiders for work on their computer systems.
“But I don’t see among my clients a heightened fear related to Y2K,” said Bennett, who represents Boston-based Bingham Dana LLP.
Diane Blaser, the Y2K manager for a large life insurance and retirement savings company that farmed out much of its computer fixes, said she is offended by the questions being raised about Indian programmers in particular.
“Because I worked so closely with [Indian programmers] for three years, I felt it was not fair,” said Blaser, who works for Minneapolis-based ReliaStar Corp. “I don’t feel there’s any more risk in using them than in using any other consulting firm.”
Blaser said that she is confident about the work done by about 125 Indian programmers working for IMRglobal Corp. of Clearwater, Fla., which Blaser hired to do ReliaStar’s Y2K remediation.
Some security analysts agree that it is unfair to point the finger at overseas programmers. U.S. contractors are just as capable of playing dirty tricks--or making unintentional mistakes--as foreigners, they said.
“You can’t attack a problem as far-reaching as this without having some risk of having someone somewhere taking advantage of the situation,” said Perry Harris, director of management strategy practice at Boston-based Yankee Group, a market research and consulting firm that focuses on information technology and telecommunications industries.
In theory, hostile Y2K contractors could infiltrate U.S. systems in several ways. They could install “trapdoor” programming that would provide them with access to the systems in the future. Or they could insert malicious coding that could corrupt data, disrupt networks or introduce nasty viruses.
“We think there’s a vulnerability” to such nefarious activity, said an official of the White House National Security Council who focuses on cyber-terrorism. “That doesn’t mean we know any malicious code was inserted.”
The United States is the world’s most technology-dependent nation, and government officials have become increasingly concerned about the country’s vulnerability to cyber-warfare.
“Programmers and companies working on Y2K remediation efforts are often in the position of ‘trusted insider’ with broad authority to write and amend code to make them Y2K compliant,” Maynard wrote. “This access may provide them the opportunity to take several types of actions that would make corporate systems vulnerable to exploitation and sabotage.”
Mark Gembicki, chairman of WarRoom Research, a computer security consulting firm, said that his company has detected about a dozen “security holes” in corporate computer systems that may have been introduced during Y2K remediation efforts. But he declined to specify whose systems were involved.
“We’ve discovered . . . bugs and back doors being put in software from remediation efforts from foreign nationals,” Gembicki said. “We discovered that some of the [changes] allowed access for 10, 12, 13 years. . . . We think it’s a serious issue.”
Trapdoors allow outsiders to regain access to programs at a future date, often without detection. Most trapdoors are benign, designed to give programmers a way to get back into a system in case of an accident. But some programmers may have less honorable intentions.
Frank J. Cilluffo, director of the terrorism task force at the Center for Strategic and International Studies, a Washington think tank, said that trapdoors may have been inserted into code rewritten for banks and investment houses, as well as government agencies and scientific laboratories.
“The potential for espionage and fraud is enormous,” he said.
Joe Pucciarelli, vice president and research director for the Gartner Group Inc., which advises major companies on millennium problems, is less alarmist. People should be prudent but not paranoid, he said.
“The act of opening and closing everything creates risk,” Pucciarelli said. “On the other hand, our computer networks will be in probably the finest shape they’ve ever been in because they’ve been checked and rechecked.”
Some government officials and security analysts discount the risk of Y2K security breaches. One senior Clinton administration official said that the threat of cyber-terrorism, especially related to Y2K remediation, remains largely hypothetical. “There’s a lot of silly talk out there,” the official said.
A number of government agencies with critical computer systems have used their own information technology personnel to fix Y2K problems and express confidence that their systems are secure.
“For us it’s a nonissue,” said Paul Takemoto, spokesman for the Federal Aviation Administration, which runs the nation’s air traffic control system. “Our Y2K work was done by existing staff. We didn’t go out and hire any programmers.”
Similarly, the Air Force, the most computer-intensive of the military forces, relied solely on government employees for its Y2K fixes.
“We didn’t go to any contractors so we don’t have to worry about foreign programmers,” said Brig. Gen. Gary Ambrose, director of the Air Force Year 2000 Program.
