Mounties fear Y2K terrorists' cyber-attacksgreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
This is why I just love our Canadian friends. Right to the point.
Computer crisis ties up experts, risks security Ian MacLeod The Ottawa Citizen
The RCMP is investigating whether crime groups, terrorists and others are taking advantage of the Y2K crisis to plot cyber-attacks on Canada's computer-driven critical infrastructure, from electrical power to banking.
"We're looking into the potential intent by groups and persons that may utilize (the) Year 2000 (computer problem) to further their own gains through the attacking of infrastructure and or (computer information) systems," RCMP Sgt. Chuck Waring said yesterday.
He wouldn't elaborate on the specific police investigations under way, other than to say there are a number of them. "We're talking about (the) threat that could be posed by terrorism-extremism, organized crime or criminal sponsors of civil unrest. If we've thought of it, why wouldn't they?
"We know that information technology expertise exists within extremist-terrorist groups. Do we know that that capability can be married up with actual intent to harm critical infrastructure in Canada? That would speak to the specific investigations that are ongoing and it's a little premature to speak of any of those."
Sgt. Waring heads Project Solstice, a large team of intelligence officers and high-technology sleuths quietly formed by the RCMP in December and which includes members of the Department of National Defence, the Canadian Security Intelligence Service and the Ottawa-based information technology security consulting practice, DOMUS Security.
The team's job is to investigate potential threats and warn key industries and businesses about criminals, extremists, computer hackers and others suspected of using the enormous attention being focused on fixing the Y2K problem as a diversion to infiltrate, exploit or outright attack essential computer systems around the world.
CSIS, the domestic spy agency, issued a similar warning last week in its annual report: "The availability of advances in technology, armament and travel to those seeking to cause harm is disturbing. The wide variety of available telecommunications services, including computer networks and the Internet is a new tool and potential weapon at the terrorist's disposal," the agency reported.
"Present use of these services by terrorist groups has been restricted to rhetoric and propaganda, as well as planning and co-ordination; however, the possibility exists for this tool to be used in a destructive manner, ranging from tampering with information infrastructure to a full-fledged attack.
"The impact of the 1998 ice storm I is an indication of modern society's dependence on technologically-driven systems. A cyber-attack causing a large scale power outage for a lengthy duration in a city ill-equipped to handle such massive disruption could have devastating results."
Project Solstice is responsible for guarding against threats to Canada's power supplies, especially electricity; oil and gas production; water supply systems, including waste treatment; the financial and banking sector; communication systems; transportation; emergency services, notably police, fire and ambulance; and essential government services, including correctional services and nuclear safety systems.
The RCMP's concern over possible attacks on those systems stems from the massive attention their operators have had to give to fixing possible Y2K meltdowns. Most computer systems use two digits, not four, to denote years. This means that when 2000 comes, they could read "00" as "1900," potentially fouling up or crashing any service that relies on computers.
Industries and businesses, especially in the Western world, have been racing to make their computer systems Y2K complaint, creating a global shortage of skilled computer programmers.
And that, said Sgt. Waring, has created vulnerabilities as well as criminal and terrorist opportunities.
"If you put yourself in the place of someone that was running a centre of critical infrastructure and your first concern wasn't security, your first concern was remediating all those systems, the first thing that you do is throw all of your energy time and money at that problem.
"If you're throwing money at a problem and you're out there trying to get a hold of people that will do this and along comes a potential solution, then the temptation to take that solution is very high."
As a result, he said, security in some critical sectors has slipped.
"It's potentially very possible that there are (newly-hired) persons working in those (Y2K) remediation efforts that don't have adequate security clearance." In other cases, he said, Y2K repairs may present disgruntled workers with opportunities to sabotage their employers.
Another concern is what's known as zero-degrees of separation. Basically, the shortage of Y2K expertise has forced many industries and businesses to rely on a single contractor to both revise and test a program.
"I don't about you, but when I was in high school I didn't get to mark my own exams, and that's what this is a little bit like. Do you (the infrastructure managers) have any processes in place to independently verify that remediation has been conducted satisfactorily?"
Another area gaining police attention is what's known as Y2K conversions houses, often offshore entities that offer to make companies computer codes Y2K complaint. "You box up all of your code and send it away to this organization and have them fix it," said Sgt. Waring. "Of course, it's out of your hands, you don't really know what's going on with it.
"It comes back certified compliant. But you have no idea whose hands that stuff actually landed in or where it went while it was in their care."
Despite some real and urgent concerns, police say people shouldn't panic. "We have some vulnerability," said Sgt. Waring. But "quite frankly, I don't see anything to cause panic.
"I see things that make us want to be aware of security, similar to having to your door unlocked in your neighbourhood. A prudent police officer is going to tell you to lock your door."
"We're trying to advise people to take a prudent action that they may not have thought of taking, or that they've been so focused on another issue, that they've forgotten about it."
"In many ways, we're like a Neighborhood Watch of critical infrastructure. These people, the last thing they need to worry about at this point in time is criminals coming in and interfering with their operations."
-- y2k dave (firstname.lastname@example.org), June 16, 1999
FBI and Justice Dept. have made similar statements.
-- Paul Davis (email@example.com), June 16, 1999.
Click here to see how Paul Davis really feels about this forum and this topic.
-- (firstname.lastname@example.org), June 16, 1999.