Examining potential motives and capabilities, or means, of foreign countries to use Year 2000
remediation as an opportunity to exploit or attack US computer networks can assist in
identifying countries more likely to be involved in these activities. Using reports of
economic espionage as an index of motive and foreign involvement in information warfare
initiatives as a measure of capability points to a tiered national risk structure with India
and Israel as more likely sources of malicious remediation among leading US offshore
remediation service providers. The extensive use of untested foreign providers for Year 2000
remediation requires comprehensive independent verification by trusted vendors that the new
software is free of malicious code or trap doors to help ensure the integrity of computer
systems and networks.

The global need to meet the computer date-processing requirements of the Year 2000 has led
hundreds of US government and private sector organizations to find computer programmers. One
study by the Gartner Group suggested that major corporations will have hired at least 200,000
additional programmers to review and repair millions of lines of programming code before
year's end. The programming requirement has outstripped internal government and corporate
programming capabilities, and has also often exceeded the capabilities of trusted US domestic
software vendors and information security consultants to meet their customers' needs. As a
result, organizations seeking to bring their computer software up to date have often turned
to untested programming suppliers, many of them foreign. The use of untested foreign sources
for Y2K remediation has created a unique opportunity for potential foreign adversaries to
access and disrupt sensitive national security and proprietary information systems.
Relying on Foreign Companies and Programmers
To meet the major shortfall in trusted US software development companies and programming
experts to handle their Y2K remediation work, public agencies and private corporations have
sought assistance from offshore programming companies or attempted to bring foreign nationals
into the United States to meet their needs. As Year 2000 approaches, more US companies and
governments are finding other advantages in outsourcing Y2K remediation abroad, including
lower costs and faster turn-around times in some cases, press reporting indicates. Moreover,
foreign programmers often have more recent experience in the older software programs that
are the focus of efforts to update legacy, usually mainframe-based, computing systems.
Figure 1: Basic Computing Vulnerabilities to Electronic Manipulation

Programmers and companies working on Y2K remediation efforts are often in the position of
"trusted insider" with broad authority to write and amend code to make systems Y2K
compliant. This access may provide them the opportunity to take several types of actions
that would make corporate systems vulnerable to exploitation and sabotage:
- Installing trap doors. By installing these illicit avenues of access to corporate
computer systems and networks, intruders often gain anonymous access to systems and
networks, which provides the key first step in exploiting or attacking the systems for their
purposes.
- Taking system root. Intruders usually try to take control, or "root", of the computing
system or network. If successful, they will have the same extensive privileges as the system
administrator. This systemic access may enable them to steal passwords or create
legitimate-appearing access to sensitive corporate data.
- Exploiting corporate information. From an economic espionage perspective, the primary
goal of illicit access to computer systems and networks is usually the theft of sensitive
proprietary data. Using trap doors and taking root in a system virtually ensure unfettered
access to information stored on or reachable from a corporate network.
- Implanting malicious code. Besides stealing data, intruders may use their access as Y2K
code developers as an opportunity to insert programs that could deny or disrupt system or
network service or corrupt data.
In general, these illicit activities would begin when remediated software is installed
and activated, not necessarily on 1 January 2000.
According to press reports, prime locations for US offshore remediation work by contractors
include countries with a large computer programming labor base and few language barriers,
such as India, Ireland, and Israel. Other press reporting points to Pakistan and the
Philippines as important sources of US Y2K remediation work. Many of the foreign companies
used by US organizations were recently formed, often for the express purpose of Y2K
remediation and compliance testing, and their bona fides are untested. These firms, some of
which have strategic partnerships with US domestic companies to market and install their
foreign-developed software, may be working at a US sponsor's facility, off-site in the
United States, or offshore.
US corporate customers and their domestic software providers have also
relied on a growing influx of foreign workers to help meet their Y2K needs. Programmers
have been brought into the United States under the H-1B visa program, which provides visas
to foreign nationals who offer technical expertise of value to US sponsors. In 1998,
pressure from industry groups resulted in an increase in the annual cap of H-1B visas from
65,000 to 115,000. The Immigration and Naturalization Service estimates that about half of
the applications submitted are for computer-related jobs.
Other major developed countries face the same problem and, competing with US organizations
for access to computer programmers who are willing and able to perform remediation work,
often turn to foreign sources. For example, according to press reporting of March 1999, 22
Chinese programmers employed by the British consulting firm Reynolds and Dean, Ltd. (RDL)
were used to fix Y2K problems in Ministry of Defense software. An RDL spokesman cited an
acute shortage of British programmers willing to do Y2K remediation as the reason for RDL's
enlistment of foreigners. At the time of the report, RDL was employing 600 Chinese nationals
and, in addition to the Defense Ministry, was serving the Y2K requirements of a number of
other prominent British clients, including Philips and British Petroleum.
Assessing Risk: Understanding Motive and Means
The unprecedented "trusted" system access given to untested foreign computer software
development companies and programmers in the Year 2000 remediation effort has offered a
unique opportunity for potential adversaries to implant malicious code in sensitive
enterprise or national security information systems. In one press report, an official of a
large US information systems consulting firm involved in Y2K remediation activity stated
that the firm had spotted trap doors, illicit portals for continuing access to updated
systems and networks, in commercial information systems multiple times during its work. One
useful approach to assessing the risk that foreign countries may sponsor or support
remediation efforts that include malicious code is to examine the demonstrated motives and
capabilities of foreign governments to take advantage of the opportunity Year 2000
remediation presents. Reporting on two types of foreign national activity, economic
espionage and infrastructure warfare initiatives, helps show a motive and a capability to
exploit or disrupt US computing and communications networks given a remediation opportunity.
- Economic espionage as a motive. Countries that are engaged in economic espionage against
the United States have often violated US law and demonstrated an intent to undermine US
national security and corporate interests. Accessing enterprise information databases and
networks through intrusions or unauthorized computer use by an insider is a common and
increasingly used mechanism for this activity. A 1997 report on the fifth annual Information
Week/Ernst & Young (IW/E&Y) survey of corporate information security indicated that 38
percent of reporting corporations said they had been victims of computer-launched industrial
espionage in the preceding year, up from six percent the year before.
- Offensive Information Warfare (IW) initiatives as a means. The concept of neutralizing an
opponent's computing and communications capabilities (denying service, crashing systems, or
corrupting data) while protecting one's own has become an important feature of the thinking
of many modern militaries in the 1990s. Often the thinking focuses on the battlefield
environment, neutralizing an opponent's intelligence, command, and control capabilities, for
example, but some envision strategic IW disrupting an opponent's civilian infrastructure
using computer network attacks. Countries developing these capabilities must have
sophisticated information technology industries that they can tap for military IW
development programs.
Economic Espionage
Some 23 countries are engaging in economic espionage against the United States, according
to the 1998 annual report to Congress of the National Counterintelligence Center (NACIC) on
foreign economic espionage and intelligence gathering. Although the report (and its
predecessors) does not identify these countries, industry and press reporting from around
the world identifies at least 11 countries that are active in this activity. A 1995/1996
survey conducted by the American Society for Industrial Security (ASIS) reported that
nationals of China, Canada, France, India, and Japan were most frequently tied to these
incidents where the foreign nationality was known.
The March 1999 report by National Communications System (NCS) on electronic intrusions
adds Cuba, Germany, Iran, Israel, Russia, and South Korea to this list, and argues that
all except Canada use electronic means for these activities. Both the ASIS survey and the
1999 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) computer crime
and security survey indicate about one-fifth of all economic espionage attacks, including
cyber attacks, originated abroad.
Offensive Information Warfare
Information on countries with offensive IW initiatives is less authoritatively documented,
but some studies and foreign press reporting help point to countries that probably have such
initiatives underway. A 1996 US General Accounting Office (GAO) report on the threat to
Defense Department systems stated that the Department of Energy and the National Security
Agency estimated that more than 120 countries had established computer attack capabilities.
At the low end, June 1998 testimony by the Director of Central Intelligence stated that
"several countries" are sponsoring information warfare programs, and that "nations
developing these programs recognize the value of attacking a country's computer systems,
both on the battlefield and in the civilian arena." A March 1998 report by the Center for
Strategic and International Studies (CSIS) identified Russia, China, the United Kingdom,
France, Australia, and Canada as countries that have dedicated considerable research and
resources toward developing IW capabilities. The March 1999 National Communications System
(NCS) report on the threat to US telecommunications states that, among these, the National
Intelligence Council reports that Russia, China, and France have acknowledged their IW
programs. According to the NCS report, other countries, such as Bulgaria and Cuba,
reportedly have narrower initiatives focused on developing computer viruses.
An independent review of international press reporting and military press articles on
foreign IW initiatives points to three other countries among those engaged in economic
espionage, India, Israel, and Taiwan, that are involved in the development of IW
technologies, programs, or military capabilities. All of these countries publicly
acknowledge pursuing defensive IW initiatives with the goal of protecting their military
information capabilities or national information infrastructures.
- India established a National Information Infrastructure-Defensive group several years
ago, apparently in response to China's growing interest in IW.
- As recently as May 24, the Israel Defense Forces (IDF) acknowledged the existence of a
cyber warfare defense unit whose mission is to protect military systems, but noted that
the national electric utility had organized its own defense.
- Taiwan also recently announced creation of a task force to study ways to protect the
island's information infrastructure from the growing IW threat from China.
Creation of a national defensive information infrastructure program is a good, and probably
necessary, indicator of a foreign offensive IW initiative. Defensive measures (deterrence,
detection, protection, and restoration) are difficult to implement without also developing
an understanding of potential adversaries, investing in computer and software development,
and creating a major operational capability, all steps directly applicable to creating an
offensive IW capability. Moreover, from a military strategic perspective, in an era when
offensive IW has many technical advantages over the complexities of cyber defense, a strong
offensive IW capability provides both a deterrent and a virtually assured counter-strike
capability against potential adversaries that is generally cost-effective.
The presence of a defensive IW initiative, however, is inadequate alone to assess that a
foreign country is also developing its offensive counterpart. To judge that a country
probably has an offensive IW initiative (including military theory, technology development,
operational doctrine, unit or individual training, or deployed forces) requires a positive
response to at least one of the following questions:
- Has the country been reliably identified as participating in offensive IW activities,
especially "preparation of the battlefield" activities, such as implanting and using trap
doors, that would facilitate computer network attacks in a future conflict?
- Have authoritative, but unofficial, host country sources suggested that the country has
an offensive IW program?
- Do specific activities of the national security or domestic information technology
industry point to the development of capabilities usually, and preferably uniquely,
associated with offensive IW?
Figure 2: Sampling of Foreign Official Comments on National IW Initiatives

- Russia: In a response to a question posed in a June 1998 interview about Russia's new
military doctrine, Col-Gen Valeriy Manilov, first deputy chief of General Staff of the Armed
Forces, stated that the doctrine under development "acknowledges the world trend toward
development and introduction of weapons of information warfare. On the other hand, it will
define the forms and means of their use, and adequate protection against them."
- France: Air Marshal Francois Vallat, Commander of French Air Defense, stated in 1993, "We
must master the domain of information in order to acquire military supremacy. This is
difficult to do, especially if one must simultaneously deny the adversary the capacity to do
the same. . . . In crises and conflicts, tomorrow even more than yesterday, supremacy will
belong to those who can best and most rapidly collect and exploit the most information."
- India: Although New Delhi has not officially acknowledged an offensive IW initiative,
India's Chief of Naval Staff Admiral Vishnu Bhagwat stated in an interview with the Indian
press that the Navy had recently commissioned an IW air squadron that "will equip them to
secure information dominance of the new millennium."
- Israel: A May 24, 1999, article in the Jerusalem Post states that Israel has never made
any official mention of its offensive IW capabilities, and the IDF spokesperson refused to
allow questions on the topic in an interview with the head of the cyber warfare defense
unit. Nonetheless, Lt. Col. Eytan, head of the unit, noted that "In the future, this (cyber
war) will be a central part of the battlefield. It doesn't mean there won't be divisions and
fighters, but the fighting capability in the digital battlefield, the cyber warfare, will
certainly be very significant. . . . It does not necessarily have to be damage in
battlefield casualties, but in damage which could lead to . . . total chaos." The article
goes on to note that "cyber attacks can come from allies sitting across the world."
Among the major foreign providers of Year 2000 software remediation services to the
United States, Israel and, to a lesser extent, India have acknowledged a defensive IW or
national information infrastructure protection program, and also meet at least one of the
supplemental criteria.
- Israel was involved in the 1991 penetration of US defense computers and copying
information on the Patriot missile defense system, according to the NCS report. Reliable
recent US military reporting corroborates that Israel is among the leading sources of
intrusion attempts on some protected Defense information systems and networks. The
comments of the IW defense unit commander and the IDF spokesperson in a recent interview (see Figure 2 above) also suggest the existence of an offensive program.
- With the exception of the comment by the Chief of Naval Staff that the Navy was preparing
for "information dominance" in the next decade (see Figure 2), the case that India also has
an offensive IW initiative is more problematic. The 1995 ASIS survey report identifies
Indian nationals among the top five sources of economic espionage against the United States,
but does not indicate whether these nationals used cyber techniques or whether they
targeted more than commercial information.
Figure 3: Publicly-Identified Foreign Countries Involved in Economic Espionage, Information
Warfare Initiatives, and US Y2K Remediation

Country        Economic Espionage   Information Warfare Initiative   Major Y2K Remediation Provider
Bulgaria       Yes*                 --                               --
Canada         Yes                  Yes                              --
Cuba           Yes*                 Yes                              --
France         Yes*                 Yes                              --
Germany        Yes*                 Yes                              --
India          Yes                  Yes                              Yes
Iran           Yes                  Yes                              --
Iraq           Yes*                 Yes                              --
Ireland        --                   --                               Yes
Israel         Yes*                 Yes                              Yes
Japan          Yes*                 --                               --
Pakistan       --                   --                               Yes
Philippines    --                   --                               Yes
Russia         Yes*                 Yes                              --
South Korea    Yes                  --                               --
Taiwan         Yes*                 --                               --

* Countries identified by NCS as using electronic intrusions, usually for economic
espionage purposes.
Ranking the Risks
The results of this analysis point to a tiered set of foreign national
risks to US computing and network systems remediation involving the insertion of malicious
code.
- At the top, India and Israel are the most likely countries to use the broad opportunity
presented by Year 2000 remediation in light of their historic involvement in economic
espionage against the United States and the likelihood that they have ongoing offensive IW
initiatives.
- France, Germany, Russia, and Taiwan comprise a second tier of countries that have also
been identified as participants in economic espionage against the United States and
developing IW initiatives, but are not believed to be major foreign sources of US Year
2000 remediation services. While their efforts may have less impact on the national-level
integrity of US systems and networks, companies and government agencies utilizing services
provided by companies in these countries are still at significant risk in our estimation.
- The governments and companies in the other countries that have engaged in economic
espionage against the United States may also utilize this unique opportunity to advance
their espionage objectives.
Protecting and Responding
The ability to protect corporate or government systems and networks against these foreign,
and domestic, risks hinges on comprehensive testing and validation of the integrity of the
remediated software by a trusted independent source before it is implemented. Analysis of
the software's content and testing for trap doors and other accesses are key elements in
this risk reduction. Besides testing for intended performance, analysis of the content of
the program is most important. Evaluators should ensure that all the program code has a
legitimate business purpose; any unused code should be extracted. Often evaluators will have
access only to the object code (the applications-level information used to operate the
software) rather than the program-language source code, which undermines the effectiveness
of content analysis. Customers may wish to insist that the source code be shared with the
evaluator so its integrity can be examined. The evaluator then needs to match the object
code against that actually used in the corporate application to ensure the validity of
testing.
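The matching step above, as an added example that is not part of the report: a script that records per-file SHA-256 digests of the build the independent evaluator examined and checks the deployed tree against that record, flagging files altered after review, files the evaluator never saw, and reviewed files that are absent from deployment. The file names and contents are constructed sample data.

```python
"""Verify that deployed remediated artifacts are the ones an evaluator reviewed.

Added example, not the report's procedure. Assumes the evaluator keeps a
manifest of SHA-256 digests for every file in the build examined and that
the production tree is a directory; both trees are constructed below.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large object modules do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_manifest(evaluated, deployed):
    """Classify the deployed tree against the evaluated manifest.

    modified:   present in both, digest differs (tested code is not running code)
    unreviewed: deployed but never seen by the evaluator (unaccounted-for code)
    missing:    reviewed but absent from deployment
    """
    return {
        "modified": sorted(p for p in evaluated
                           if p in deployed and evaluated[p] != deployed[p]),
        "unreviewed": sorted(p for p in deployed if p not in evaluated),
        "missing": sorted(p for p in evaluated if p not in deployed),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: an evaluated build and a deployment that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = os.path.join(tmp, "evaluated")
        dp = os.path.join(tmp, "deployed")
        _write(ev, "bin/payroll.o", b"reviewed object code v1")
        _write(ev, "bin/dates.o", b"reviewed date routines")
        _write(ev, "bin/audit.o", b"reviewed audit routines")
        _write(dp, "bin/payroll.o", b"reviewed object code v1")   # unchanged
        _write(dp, "bin/dates.o", b"reviewed date routines + x")  # altered after review
        _write(dp, "bin/rmtadmin.o", b"never reviewed")           # unaccounted-for module
        return compare_to_manifest(build_manifest(ev), build_manifest(dp))


if __name__ == "__main__":
    print(demo())
```

Any entry under "modified" or "unreviewed" means the evaluator's conclusions do not cover what is actually running and the affected files need to be re-examined.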
Preventing unauthorized access in the future is a second essential step in assuring the
integrity of a system or network. Evaluators can begin by using standard hacker tools to
see if the software displays any access vulnerabilities. At a second level, a "red team"
approach, actually trying to crack the software, can be taken to explore more deeply
whether trap doors exist. Special attention should be paid to all authorized software
accesses, such as those for remote system administration, which could result in future
introduction of malicious code. These accesses should be protected by software able to
identify and halt delivery of malicious code.
In the event malicious code is identified in testing or operation of the remediated
software, we strongly recommend contacting the local FBI field office or the National
Infrastructure Protection Center Watch at (202) 323-3205. Specially trained FBI agents and
computer specialists can preserve and collect critical evidence that can be used in
identifying and prosecuting the perpetrator and, using the FBI's ability to compare across
similar events, facilitate the restoration of protected service to the system. Early FBI
involvement in addressing criminal computer intrusions will help smooth the national
computing transition to the next millennium.
Selected Bibliography
The Electronic Intrusion Threat to National Security and Emergency Preparedness
Telecommunications, National Communications System (NCS), 3rd ed., March 1999.
Cybercrime, Cyberterrorism, Cyberwarfare: Averting an Electronic Waterloo, Global Organized
Crime Project, Task Force Report, Center for Strategic and International Studies (CSIS),
March 1998.
Trends in Intellectual Property Loss, 1995/1996, American Society for Industrial Security
(ASIS), 1996.
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks,
General Accounting Office (GAO), GAO/AIMD-96-84, May 22, 1996.
"Economic Espionage: Information on Threat from US Allies," statement for the record for
the Senate Select Committee on Intelligence, GAO, GAO/NSIAD-96-114, February 28, 1996.
"1999 CSI/FBI Computer Crime and Security Survey," Computer Security Issues & Trends
(CSI&T), Vol. V, No. 1, Winter 1999.
DCI Testimony to the Senate Committee on Government Affairs on the Information Warfare
Threat, 24 June 1998.
Foreign Broadcast Information Service, various foreign press items.
InfoWar.com, a website compendium of news and articles on IW issues.