Some Fear Sabotage by Y2K Consultants


Some Fear Sabotage by Y2K Consultants

Computers: Foreign contractors in particular may be infecting programs as they fix 2000 bugs, U.S. security experts warn.

By ELIZABETH SHOGREN, BOB DROGIN, Times Staff Writers

WASHINGTON--America's computer systems may survive this New Year's Eve just fine, but some U.S. intelligence officials and security consultants are worried about a threat that may linger long after the 2000 bug has come and gone.

Experts are expressing increasing confidence that critical computer systems in government agencies and private corporations will withstand the primary Y2K challenge: the transition from Dec. 31, 1999, to Jan. 1, 2000.

But key officials at the White House, Pentagon and national intelligence agencies, along with private consultants who are paid to make systems more secure, warn that the billions of dollars spent to fix the millennium glitch may have left U.S. computers vulnerable to a more insidious threat: Some of the people hired to make computer programs Y2K compliant, including foreign contractors, may have deliberately infected them with hostile programming code.

'Unique Opportunity for Foreign Countries'

"The use of untested foreign sources for Y2K remediation has created a unique opportunity for foreign countries or companies to access and disrupt sensitive national security and proprietary information systems," wrote Terril D. Maynard, a CIA analyst at the National Infrastructure Protection Center, in a recently published unclassified report.

Maynard cited India and Israel in particular as "more likely sources of malicious remediation among leading U.S. offshore remediation service providers." He said that both countries are among those known to be developing "cyber-warfare" capabilities and that both have large numbers of skilled programmers who work for U.S. firms.

Industry officials said that U.S. software contractors have farmed out significant amounts of their Y2K remediation work to subsidiaries or subcontractors in other countries, where labor costs are lower. The painstaking work involves revising code in older computer programs that denote years with two digits. Programs could malfunction and entire systems could crash if a computer "thinks" that Jan. 1 is New Year's Day 1900 instead of 2000.

Government officials and industry experts said that they are not sure what percentage of remediation work has been done offshore, but America's Y2K glitches clearly have been a boon to foreign software programmers.

Even so, most U.S. corporations and a few contrarian consultants think the threat of foreign infiltration has been overblown. CIO Magazine polled 202 chief information officers and business executives in August to determine their level of confidence that programmers were not sabotaging their security infrastructure. It found that 70% were extremely confident or very confident, 22% were confident and only 1% were not confident.

Companies Express Security Concerns

Wayne Bennett, an attorney who represents a wide range of businesses in their dealings with computer contractors, acknowledged that security is an issue any time companies contract with outsiders for work on their computer systems. "But I don't see among my clients a heightened fear related to Y2K," said Bennett, who represents Boston-based Bingham Dana LLP.

Diane Blaser, the Y2K manager for a large life insurance and retirement savings company that farmed out much of its computer fixes, said she is offended by the questions being raised about Indian programmers in particular. "Because I worked so closely with [Indian programmers] for three years, I felt it was not fair," said Blaser, who works for Minneapolis-based ReliaStar Corp. "I don't feel there's any more risk in using them than in using any other consulting firm." Blaser said that she is confident about the work done by about 125 Indian programmers working for IMRglobal Corp. of Clearwater, Fla., which Blaser hired to do ReliaStar's Y2K remediation.

Some security analysts agree that it is unfair to point the finger at overseas programmers. U.S. contractors are just as capable of playing dirty tricks--or making unintentional mistakes--as foreigners, they said. "You can't attack a problem as far-reaching as this without having some risk of having someone somewhere taking advantage of the situation," said Perry Harris, director of management strategy practice at Boston-based Yankee Group, a market research and consulting firm that focuses on information technology and telecommunications industries.

In theory, hostile Y2K contractors could infiltrate U.S. systems in several ways. They could install "trapdoor" programming that would provide them with access to the systems in the future. Or they could insert malicious coding that could corrupt data, disrupt networks or introduce nasty viruses.

"We think there's a vulnerability" to such nefarious activity, said an official of the White House National Security Council who focuses on cyber-terrorism. "That doesn't mean we know any malicious code was inserted."

The United States is the world's most technology-dependent nation, and government officials have become increasingly concerned about the country's vulnerability to cyber-warfare. "Programmers and companies working on Y2K remediation efforts are often in the position of 'trusted insider' with broad authority to write and amend code to make them Y2K compliant," Maynard wrote. "This access may provide them the opportunity to take several types of actions that would make corporate systems vulnerable to exploitation and sabotage."

Mark Gembicki, chairman of WarRoom Research, a computer security consulting firm, said that his company has detected about a dozen "security holes" in corporate computer systems that may have been introduced during Y2K remediation efforts. But he declined to specify whose systems were involved. "We've discovered . . . bugs and back doors being put in software from remediation efforts from foreign nationals," Gembicki said. "We discovered that some of the [changes] allowed access for 10, 12, 13 years. . . . We think it's a serious issue."

Trapdoors allow outsiders to regain access to programs at a future date, often without detection. Most trapdoors are benign, designed to give programmers a way to get back into a system in case of an accident. But some programmers may have less honorable intentions. Frank J. Cilluffo, director of the terrorism task force at the Center for Strategic and International Studies, a Washington think tank, said that trapdoors may have been inserted into code rewritten for banks and investment houses, as well as government agencies and scientific laboratories. "The potential for espionage and fraud is enormous," he said.

Joe Pucciarelli, vice president and research director for the Gartner Group Inc., which advises major companies on millennium problems, is less alarmist. People should be prudent but not paranoid, he said. "The act of opening and closing everything creates risk," Pucciarelli said. "On the other hand, our computer networks will be in probably the finest shape they've ever been in because they've been checked and rechecked."

Some government officials and security analysts discount the risk of Y2K security breaches. One senior Clinton administration official said that the threat of cyber-terrorism, especially related to Y2K remediation, remains largely hypothetical. "There's a lot of silly talk out there," the official said.

A number of government agencies with critical computer systems have used their own information technology personnel to fix Y2K problems and express confidence that their systems are secure. "For us it's a nonissue," said Paul Takemoto, spokesman for the Federal Aviation Administration, which runs the nation's air traffic control system. "Our Y2K work was done by existing staff. We didn't go out and hire any programmers."

Similarly, the Air Force, the most computer-intensive of the military forces, relied solely on government employees for its Y2K fixes. "We didn't go to any contractors so we don't have to worry about foreign programmers," said Brig. Gen. Gary Ambrose, director of the Air Force Year 2000 Program.

-- a (a@a.a), October 24, 1999

Answers

http://www.latimes.com/news/asection/19991024/t000096286.html

-- a (a@a.a), October 24, 1999.

This is crap, any and all programmers WILL BE scapegoats next year when the Govt. says "Y2K was no problem, no no those power outages, those banks closing, those supermarkets with no food, those fires burning all round the world, they are all the work of CYBER TERRORISTS!!! HACKERS!!! DISGRUNTLED PROGRAMMERS!!! WE MUST LYNCH THEM!!....."

-- ??? (whatever@wherever.com), October 24, 1999.

Typical, BLAME THE CONTRACTOR

Fat-butted govt guys that put off remediations until they could only get help from foreign countries.. Places like India provide the workers for less money (and lower quality). Big schemers those Indians.. mostly trying to fight off starvation and get a chance to live the American dream.

What a bunch of crap.

-- Bryce (bryce@nospam.com), October 24, 1999.


I don't know about anyone wanting to lynch programmers, but note how cleverly the government is using Y2K to usher in "cyberterrorism". So, even if things melt down due to Y2K problems ... well, guess what, it may LOOK like a Y2K problem, it may ACT like a Y2K problem, but IN REALITY it is AN ACT OF CYBERTERRORISM!! Yes, this so-called "Y2K problem" was DELIBERATELY PLANTED THERE by a foreigner to undermine our freedoms!!!!

So, with all of our systems going bonkers because of CYBERTERRORISM that just happens to behave EXACTLY like Y2K problems would if they had not been fixed -- yes, OF COURSE, they were fixed!!!! -- it becomes necessary to break out those ol' Presidential executive orders that we JUST HAPPEN TO HAVE ON HAND to combat ... you guessed it, CYBERTERRORISM!!!

-- King of Spain (madrid@aol.cum), October 24, 1999.

drunken foreign squirrel cyberterrorist hackers in collusion with doomer woodchuck survivalist religious millennium bunker-nuts

-- taking notes (allaha@earthlink.net), October 24, 1999.


Taking notes,

What was that drunken squirrel doing behind a computer anyways? LOL

-- y2k dave (xsdaa111@hotmail.com), October 24, 1999.


Well, what did you expect? I told you so.

Sping of Kain (SOK, as in what needs to be put in it...doomer-ly misspelled...), you are obviously suffering from mud-wrestling withdrawals...is it possible to mud-wrestle yourself?

Regards,
Andy Ray



-- Andy Ray (andyman633@hotmail.com), October 24, 1999.

I think you folks are not getting the idea here. Espionage is conducted all the time and in all disciplines. There are undoubtedly agents of other powers working within the system. There always are. The first example that comes to mind is the recent loss of our nuke weapons designs to the Chinese at Los Alamos... Other examples come to mind as well. What the document indicates to me is that some systems incorporated untested foreign code. The chance that that code was 'tainted' would be very high if the situation was a late project that might slip easily through extended testing and code review. That describes a LOT of Y2K projects. This is all hypothetical from here on. Suppose a company like AT&T needed more programmers than they had and went overseas with ads in Israel and India? Suppose that background checks were suspended or run thru the native country's government. You get the idea. How many companies might have done just that? What if any of that software was sold as COTS software to DoD and the Fed in general? No, this is a very real worry. My experience indicates that such 'doors' would not be used to cause problems but rather used to glean information. Of course at some point it might be useful to go ahead and take the system down. Anyone ever seen a 'root' kit? Dastardly piece of software...

-m-

-- Michael Erskine (osiris@urbanna.net), October 24, 1999.


If American government and business are calling for foreign cyberterrorists as scapegoats to cover Y2K remediation shortfalls; imagine how foreign governments view the USA suppliers of their non-compliant hardware and software.

-- Bill P (porterwn@one.net), October 24, 1999.
