Feds to Step Up IT Security Research

Suspects potential Trojan horses, common trapdoors from hasty Y2k repairs

By Patrick Thibodeau 04/24/2000 WASHINGTON

The federal government intends to make finding Trojan horses and trapdoors on computer systems a "research priority," since the risk is one that some companies may be facing as a result of hasty year 2000 repair work.

That was the message delivered by Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism, at a U.S. Commerce Department-sponsored conference on information security last week.

Clarke said many companies "woke up too late" to the Y2k problem and in the process of doing "quick work" may have allowed malicious code to be implanted in their systems.

A Trojan horse can be as little as two lines of code buried in millions of lines of programming, said Clarke. "Even our best people have difficulty finding a Trojan horse or trapdoor," he said. Trapdoors can be used to gain unauthorized access into a system.

The Clinton administration is seeking $1 billion for information security research and development projects in next year's budget and intends to coordinate its efforts with those of the private sector "so we won't be duplicating what the corporations and the (information technology) industry will be doing on their own," said Clarke.

The security conference was aimed at corporate board members and auditors -- the people who oversee information technology management -- to improve information security so as to avoid the risk of damage to the national economy. The conference was held with the help of several professional auditing organizations.

Auditors are being targeted by U.S. officials to help raise information security awareness because of their unique roles in corporations: They interact with the companies' boards of directors and can question whether an enterprise is addressing its information security issues.

"We can cajole the private sector to do the right thing. You can actually scare them to do the right thing," said John Podesta, White House chief of staff, at the first of a series of six conferences aimed at top corporate management. The conferences are being sponsored by the U.S. Commerce Critical Infrastructure Assurance Office.

Podesta also said any solutions to information security problems must be addressed by the private sector. Regulation, which is widely opposed by industry trade groups, won't work, he said. "Our policy is to support industry, not to overregulate it."

http://www.computerworld.com/home/print.nsf/all/000424D816

-- Martin Thompson (mthom1927@aol.com), April 24, 2000