The global need to meet the computer date-processing requirements of the Year 2000 has led hundreds of US government and private sector organizations to find computer programmers. One study by the Gartner Group suggested that major corporations will have hired at least 200,000 additional programmers to review and repair millions of lines of programming code before year’s end. The programming requirement has outstripped internal government and corporate programming capabilities, and also often exceeded the capabilities of the trusted US domestic software vendors and information security consultants to meet their customers’ needs. As a result, organizations seeking to bring their computer software up to date have often turned to untested programming suppliers, many of them foreign. The use of untested foreign sources for Y2K remediation has created a unique opportunity for potential foreign adversaries to access and disrupt sensitive national security and proprietary information systems.

According to press reports, prime locations for US offshore remediation work by contractors include countries with a large computer programming labor base and with few language barriers, such as India, Ireland, and Israel. Other press reporting points to Pakistan and the Philippines as important sources of US Y2K remediation work. Many of the foreign companies used by US organizations were recently formed, often for the express purpose of Y2K remediation and compliance testing, and their bona fides are untested. These firms—some of which have strategic partnerships with US domestic companies to market and install their foreign-developed software—may be working at a US sponsor’s facility, off-site in the United States, or offshore.

US corporate customers and their domestic software providers have also relied on a growing influx of foreign workers to help meet their Y2K needs. Programmers have been brought into the United States under the H-1B visa program, which provides visas to foreign nationals who offer technical expertise of value to US sponsors. In 1998, pressure from industry groups resulted in an increase in the annual cap of H-1B visas from 65,000 to 115,000. The Immigration and Naturalization Service estimates that about half of the applications submitted are for computer-related jobs.

Other major developed countries face the same problem and, competing with US organizations for access to computer programmers who are willing and able to perform remediation work, often turn to foreign sources. For example, according to press reporting of March 1999, 22 Chinese programmers employed by the British consulting firm Reynolds and Dean, Ltd. (RDL) were used to fix Y2K problems in Ministry of Defense software. An RDL spokesman cited an acute shortage of British programmers willing to do Y2K remediation as the reason for RDL’s enlistment of foreigners. At the time of the report, RDL was employing 600 Chinese nationals and, in addition to the Defense Ministry, was serving the Y2K requirements of a number of other prominent British clients, including Philips and British Petroleum.

Reporting on two types of foreign national activity–economic espionage and infrastructure warfare initiatives—helps show a motive and a capability to exploit or disrupt US computing and communications networks given a remediation opportunity.

• Economic espionage as a motive.
  Countries that are engaged in economic espionage against the United States have often violated US law and demonstrated an intent to undermine US national security and corporate interests. Accessing enterprise information databases and networks through intrusions or unauthorized computer use by an insider a common and increasingly used mechanism for this activity. A 1997 report on the fifth annual Information Week/Ernst & Young (IW/E&Y) survey of corporate information security indicated that 38 percent of reporting corporations said they had been victims of computer-launched industrial espionage in the preceding year, up from six percent the preceding year.
• Offensive Information Warfare (IW) initiatives as a means.
  The concept of neutralizing an opponent’s computing and communications capabilities—denying service, crashing systems, or corrupting data—while protecting one’s own has become an important feature of the thinking of many modern militaries in the 1990s. Often the thinking focuses on the battlefield environment—neutralizing an opponent’s intelligence, command, and control capabilities, for example—but some envision strategic IW disrupting an opponent’s civilian infrastructure using computer network attacks. Countries developing these capabilities must have sophisticated information technology industries that they can tap for military IW development programs.

Economic Espionage

Some 23 countries are engaging in economic espionage against the United States, according to the 1998 annual report to Congress of the National Counterintelligence Center (NACIC) on foreign economic espionage and intelligence gathering. Although the report (and its predecessors) does not identify these countries, industry and press reporting from around the world identifies at least 11 countries that are active in this activity. A 1995/1996 survey conducted by the America Society of Information Security (ASIS) reported that nationals of China, Canada, France, India, and Japan were most frequently among tied to these incidences where the foreign nationality was known.

The March 1999 report by National Communications System (NCS) on electronic intrusions adds Cuba, Germany, Iran, Israel, Russia, and South Korea to this list, and argues that all except Canada use electronic means for these activities. Both the ASIS survey and the 1999 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) computer crime and security survey indicate about one-fifth of all economic espionage attacks, including cyber attacks, originated abroad.

Offensive Information Warfare

Information on countries with offensive IW initiatives is less authoritatively documented, but some studies and foreign press reporting help point to countries that probably have such initiatives underway. A 1996 US General Accounting Office (GAO) report on the threat to Defense Department systems stated that the Department of Energy and the National Security Agency estimated that more than 120 countries had established computer attack capabilities. At the low end, June 1998 testimony by the Director of Central Intelligence stated that "several countries" are sponsoring information warfare programs, and that "nations developing these programs recognize the value of attacking a country’s computer systems—both on the battlefield and in the civilian arena." A March 1998 report by the Center for Strategic and International Studies (CSIS) identified Russia, China, the United Kingdom, France, Australia, and Canada as countries that have dedicated considerable research and resources toward developing IW capabilities. The March 1999 National Communications System (NCS) report on the threat to US telecom-munications states that, among these, the National Intelligence Council reports that Russia, China, and France have acknowledged their IW programs. According to the NCS report, other countries, such as Bulgaria and Cuba, reportedly have narrower initiatives focused on developing computer viruses.

An independent review of international press reporting and military press articles on foreign IW initiatives points to three other countries among those engaged in economic espionage—India, Israel, and Taiwan—that are involved in the development of IW technologies, programs, or military capabilities. All of these countries publicly acknowledge pursuing defensive IW initiatives with the goal of protecting their military information capabilities or national information infrastructures.

• India established a National Information Infrastructure-Defensive group several years ago, apparently in response to China’s growing interest in IW
• As recently as May 24, the Israel Defense Forces (IDF) acknowledged the existence of a cyber warfare defense unit whose mission is to protect military systems, but noted that the national electric utility had organized its own defense.
• Taiwan also recently announced creation of a task force to study ways to protect the island’s information infrastructure from the growing IW threat from China.

Creation of national defensive information infrastructure program is a good—and probably necessary—indicator of a foreign offensive IW initiative. Defensive measures—deterrence, detection, protection, and restoration—are difficult to implement without also developing an understanding of potential adversaries, investing in computer and software development, and creating a major operational capability, all steps directly applicable to creating an offensive IW capability. Moreover, from a military strategic perspective, in an era when offensive IW has many technical advantages over the complexities of cyber defense, a strong offensive IW capability provides both a deterrent and a virtually assured counter-strike capability against potential adversaries that is generally cost-effective.

The presence of a defensive IW initiative, however, is inadequate alone to assess that a foreign country is also developing its offensive counterpart. To judge that a country probably has an offensive IW initiative—including military theory, technology development, operational doctrine, unit or individual training, or deployed forces—requires positive responses to at least one of the following questions:

• Has a country been reliably identified as participating in offensive IW activities, especially "preparation of the battlefield" activities—such as implanting and using trap doors—that would facilitate computer network attacks in a future conflict?
• Have authoritative, but unofficial, host country sources suggested that a country has an offensive IW program?
• Do specific activities of the national security or domestic information technology industry point to the development of capabilities usually—and preferably uniquely—associated with offensive IW?

Among the major foreign providers of Year 2000 software remediation services to the United States, Israel and, to a lesser extent, India have acknowledged a defensive IW or national information infrastructure protection program, and also meet at least one of the supplemental criteria.

• Israel was involved in the 1991 penetration of US defense computers and copying information on the Patriot missile defense system, according to the NCS report. Reliable recent US military reporting corroborates that Israel is among the leading sources of intrusion attempts on some protected Defense information systems and networks. The comments of the IW defense unit commander and the IDF spokesperson in a recent interview (see Figure 2 above) also suggest the existence of an offensive program.
• With the exception of the comment by the Chief of Naval Staff that the Navy was preparing for "information dominance" in the next decade (see Figure 2), the case that India also has an offensive IW is more problematic. The 1995 ASIS survey report identifies Indian nationals among the top five sources of economic espionage against the United States, but does not indicate whether these nationals use cyber techniques nor whether they targeted more than commercial information.

• At the top, India and Israel are the most likely countries to use the broad opportunity presented by Year 2000 remediation in light of their historic involvement in economic espionage against the United States and the likelihood that they have ongoing offensive IW initiatives.
• France, Germany, Russia, and Taiwan comprise a second tier of countries that have also been identified as participants in economic espionage against the United States and developing IW initiatives, but are not believed to be major foreign sources of US Year 2000 remediation services. While their efforts may have less impact on the national-level integrity of US systems and networks, companies and government agencies utilizing services provided by companies in these countries are still at significant risk in our estimation.
• The governments and companies in the other countries that have engaged in economic espionage against the United States may also utilize this unique opportunity to advance their espionage objectives.

Besides testing for intended performance, analysis of the content of the program is most important. Evaluators should insure that all the program code has a legitimate business purpose; any unused code should be extracted. Often evaluators will have access to the object code—the applications-level information used to operate the software—rather than the program-language source code, which undermines the effectiveness of content analysis. Customers may wish to insist that the source code be shared with the evaluator so its integrity can be examined. The evaluator then needs to match the object code against that actually used in the corporate application to insure the validity of testing.

Preventing unauthorized access in the future is a second essential step in assuring the integrity of a system or network. Evaluators can begin by using standard hacker tools to see if the software displays any access vulnerabilities. At a second level, a "red team" approach—actually trying to crack the software--can be taken to explore more deeply whether trap doors exist. Special attention should be paid to all authorized software accesses, such as those for remote system administration, which could result in future introduction of malicious code. These accesses should be protected by software able to identify and halt delivery of malicious code.

In the event malicious code is identified in testing or operation of the remediated software, we strongly recommend the local FBI field office or the National Infrastructure Protection Center Watch at (202)323-3205. Specially trained FBI agents and computer specialists can preserve and collect critical evidence that can be used in identifying and prosecuting the perpetrator and, using its ability to compare across similar events, facilitate the restoration of protected service to the system. The early FBI involvement in addressing criminal computer intrusions will help smooth the national computing transition to the next millennium.

Cybercrime …Cyberterrorism…Cyberwarfare…Averting an Electronic Waterloo,
Global Organized Crime Project, Task Force Report, Center for Strategic and International Studies (CSIS), March 1998.

Trends in Intellectual Property Loss—1995/1996,
American Society for Industrial Security (ASIS), 1996.

Information Security—Computer Attacks at Department of Defense Pose Increasing Risks,
General Accounting Office (GAO), GAO/AIMD-96-84, May 22, 1996.

"Economic Espionage—Information on Threat from US Allies,"
statement for the record for the Senate Select Committee on Intelligence, GAO, GAO/NSIAD-96-114, February 28, 1996.

"1999 CSI/FBI Computer Crime and Security Survey,"
Computer Security Issues & Trends (CSI&T), Vol. V, No. 1, Winter 1999.

DCI Testimony to the Senate Committee on Government Affairs on the Information Warfare Threat, 24 June 1998.

Foreign Broadcast Information Service, various foreign press items.

InfoWar.com, a website compendium of news and articles on IW issues.