[iwar] Historical posting


From: Fred Cohen
From: fc@all.net
To: iwar@onelist.com

Mon, Jan 1, 1999


Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA15269 for iwar@onelist.com; Tue, 18 Apr 2000 05:21:43 -0700
 http://www.SANS.ORG/newlook/resources/Y2K.htm

===============================================

Year 2000 Computer Remediation: Assessing Risk Levels in Foreign Outsourcing

Examining potential motives and capabilities, or means, of foreign
countries to use Year 2000 remediation as an opportunity to exploit or
attack US computer networks can assist in identifying countries more
likely to be involved in these activities.  Using reports of economic
espionage as an index of motive and foreign involvement in information
warfare initiatives as a measure of capability points to a tiered
national risk structure with India and Israel as more likely sources of
malicious remediation among leading US offshore remediation service
providers.  The extensive use of untested foreign providers for Year
2000 remediation requires comprehensive independent verification by
trusted vendors that the new software is free of malicious code or trap
doors to help insure the integrity of computer systems and networks. 
...

===============================================

The article is quite explicit...

Now some additional comments:

	I have been concerned about this for some time and have said so
in a number of fora - particularly in briefings to the State Department,
DoD, several commercial entities, and others not named here.  This
article is interesting, but it misses a few points I think are worth
pointing out:

	1) This is not a maybe sort of proposition. There are examples
	I am aware of where Trojan Horses have been detected in Y2K
	fixes of critical infrastructure elements of the United States.
	These were detected accidentally, and as far as I have been able
	to tell from real experts 'on the ground' there is no concerted
	effort to detect such Trojan Horses. The ones detected were detected
	by accident.  The cases I am directly aware of had all of the
	fingerprints of foreign intelligence efforts and those I am less
	directly aware of involved individuals from many of the
	countries listed in the cited report - including those not listed
	as 'major' Y2K providers. You don't have to be a major provider to
	have a major effect.

	2) Even if these efforts are not directed at Y2K events, the
	opportunity to plant these Trojan Horses for other - perhaps
	more controllable or more useful - purposes has been granted
	by the wide open approach required for timely Y2K remediation.
	Too little time and too little ability to detect Trojans.

	3) I am aware of such situations involving substantial elements
	of the Power Grid, the telecommunications infrastructure, and
	financial systems - where substantial means the potential for an
	effect in excess of 10% of the US national capability.

	4) I think it is a valid assumption that the same methods have
	been employed by these same nations against other nations as well
	as by the United States against other nations.

	5) There would not be enough time at this point to do anything
	about these issues as far as Y2K is concerned (other than final
	elements of contingency planning).

	6) In the worst case, we are talking about a distributed coordinated
	attack with political, economic, and military components combined
	for long-term strategic advantage. Many scenarios are possible, but
	given the list of sometimes-loosely-allied nations on the list, it
	should not be surprising if some of them decide to cooperate in some
	way on the planting and application of these assets.

	7) The US military is likely to have extreme vulnerabilities relative
	to this situation - both from a standpoint of the indirect effects
	of infrastructure attacks - and from direct effects of similar attacks
	on their systems which have been widely documented in large
	volume for a long time.

Comments from the list are welcomed.  Would anybody like to play a
scenario game looking at different eventualities on this one?

FC
--