sansinst_res.GIF (4722 bytes) Year 2000 Computer Remediation:
Assessing Risk Levels in Foreign Outsourcing

- By Terrill D. Maynard -

Examining potential motives and capabilities—or means—of foreign countries to use Year 2000 remediation as an opportunity to exploit or attack US computer networks can assist in identifying countries more likely to be involved in these activities. Using reports of economic espionage as an index of motive and foreign involvement in information warfare initiatives as a measure of capability points to a tiered national risk structure with India and Israel as more likely sources of malicious remediation among leading US offshore remediation service providers. The extensive use of untested foreign providers for Year 2000 remediation requires comprehensive independent verification by trusted vendors that the new software is free of malicious code or trap doors to help insure the integrity of computer systems and networks.

The global need to meet the computer date-processing requirements of the Year 2000 has led hundreds of US government and private sector organizations to find computer programmers. One study by the Gartner Group suggested that major corporations will have hired at least 200,000 additional programmers to review and repair millions of lines of programming code before year’s end. The programming requirement has outstripped internal government and corporate programming capabilities, and also often exceeded the capabilities of the trusted US domestic software vendors and information security consultants to meet their customers’ needs. As a result, organizations seeking to bring their computer software up to date have often turned to untested programming suppliers, many of them foreign. The use of untested foreign sources for Y2K remediation has created a unique opportunity for potential foreign adversaries to access and disrupt sensitive national security and proprietary information systems.

Relying on Foreign Companies and Programmers
To meet the major shortfall in trusted US software development companies and programming experts to handle their Y2K remediation work, public agencies and private corporations have sought assistance from offshore programming companies or attempted to bring foreign nationals into the United States to meet their needs. As Year 2000 approaches, more US companies and governments are finding other advantages in outsourcing Y2K remediation abroad, including lower costs and faster turn-around times in some cases, press reporting indicates. Moreover, foreign programmers often have more recent experience in older software programs that are the focus of efforts to update legacy—usually mainframe-based—computing systems.

 

Figure 1:
Basic Computing Vulnerabilities to Electronic Manipulation

Programmers and companies working on Y2K remediation efforts are often in the position of "trusted insider" with broad authority to write and amend code to make them Y2K compliant. This access may provide them the opportunity to take several types of actions that would make corporate systems vulnerable to exploitation and sabotage:

  • Installing trap doors. By installing these illicit avenues of access to corporate computer systems and networks, intruders often gain anonymous access to systems and networks that provides the key first step in exploiting or attacking the systems for their purposes.
  • Taking system root. Intruders usually try to take control—or "root"—of the computing system or network. If successful, they will have the same extensive privileges as the systems administrator. This systemic access may enable them to steal passwords or create legitimate-appearing access to sensitive corporate data.
  • Exploiting corporate information. From an economic espionage perspective, the primary goal of illicit access to computer systems and networks is usually the theft of sensitive proprietary data. Using trap doors and taking root in a system virtually insure unfettered access to information stored on or reachable from a corporate network.
  • Implanting malicious code. Besides stealing data, intruders may use their access as Y2K code developers as an opportunity to insert programs that could deny or disrupt system or network service or corrupt data.

In general, these illicit activities would begin when remediated software is installed and activated, not necessarily on 1 January 2000.

 

According to press reports, prime locations for US offshore remediation work by contractors include countries with a large computer programming labor base and with few language barriers, such as India, Ireland, and Israel. Other press reporting points to Pakistan and the Philippines as important sources of US Y2K remediation work. Many of the foreign companies used by US organizations were recently formed, often for the express purpose of Y2K remediation and compliance testing, and their bona fides are untested. These firms—some of which have strategic partnerships with US domestic companies to market and install their foreign-developed software—may be working at a US sponsor’s facility, off-site in the United States, or offshore.

US corporate customers and their domestic software providers have also relied on a growing influx of foreign workers to help meet their Y2K needs. Programmers have been brought into the United States under the H-1B visa program, which provides visas to foreign nationals who offer technical expertise of value to US sponsors. In 1998, pressure from industry groups resulted in an increase in the annual cap of H-1B visas from 65,000 to 115,000. The Immigration and Naturalization Service estimates that about half of the applications submitted are for computer-related jobs.

Other major developed countries face the same problem and, competing with US organizations for access to computer programmers who are willing and able to perform remediation work, often turn to foreign sources. For example, according to press reporting of March 1999, 22 Chinese programmers employed by the British consulting firm Reynolds and Dean, Ltd. (RDL) were used to fix Y2K problems in Ministry of Defense software. An RDL spokesman cited an acute shortage of British programmers willing to do Y2K remediation as the reason for RDL’s enlistment of foreigners. At the time of the report, RDL was employing 600 Chinese nationals and, in addition to the Defense Ministry, was serving the Y2K requirements of a number of other prominent British clients, including Philips and British Petroleum.

Assessing Risk—Understanding Motive and Means
The unprecedented "trusted" system access given to untested foreign computer software development companies and programmers in the Year 2000 remediation effort has offered a unique opportunity for potential adversaries to implant malicious code in sensitive enterprise or national security information systems. In one press report, an official of a large US information systems consulting firm involved in Y2K remediation activity stated that the firm had spotted trap doors—illicit portals for continuing access to updated systems and networks—in commercial information systems multiple times during its work. One useful approach to assessing the risk that foreign countries may sponsor or support remediation efforts that include malicious code is by examining the demonstrated motives and capabilities of foreign governments to take advantage of the opportunity Year 2000 remediation presents.

Reporting on two types of foreign national activity–economic espionage and infrastructure warfare initiatives—helps show a motive and a capability to exploit or disrupt US computing and communications networks given a remediation opportunity.

  • Economic espionage as a motive.
    Countries that are engaged in economic espionage against the United States have often violated US law and demonstrated an intent to undermine US national security and corporate interests. Accessing enterprise information databases and networks through intrusions or unauthorized computer use by an insider a common and increasingly used mechanism for this activity. A 1997 report on the fifth annual Information Week/Ernst & Young (IW/E&Y) survey of corporate information security indicated that 38 percent of reporting corporations said they had been victims of computer-launched industrial espionage in the preceding year, up from six percent the preceding year.
  • Offensive Information Warfare (IW) initiatives as a means.
    The concept of neutralizing an opponent’s computing and communications capabilities—denying service, crashing systems, or corrupting data—while protecting one’s own has become an important feature of the thinking of many modern militaries in the 1990s. Often the thinking focuses on the battlefield environment—neutralizing an opponent’s intelligence, command, and control capabilities, for example—but some envision strategic IW disrupting an opponent’s civilian infrastructure using computer network attacks. Countries developing these capabilities must have sophisticated information technology industries that they can tap for military IW development programs.

Economic Espionage

Some 23 countries are engaging in economic espionage against the United States, according to the 1998 annual report to Congress of the National Counterintelligence Center (NACIC) on foreign economic espionage and intelligence gathering. Although the report (and its predecessors) does not identify these countries, industry and press reporting from around the world identifies at least 11 countries that are active in this activity. A 1995/1996 survey conducted by the America Society of Information Security (ASIS) reported that nationals of China, Canada, France, India, and Japan were most frequently among tied to these incidences where the foreign nationality was known.

The March 1999 report by National Communications System (NCS) on electronic intrusions adds Cuba, Germany, Iran, Israel, Russia, and South Korea to this list, and argues that all except Canada use electronic means for these activities. Both the ASIS survey and the 1999 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) computer crime and security survey indicate about one-fifth of all economic espionage attacks, including cyber attacks, originated abroad.

Offensive Information Warfare

Information on countries with offensive IW initiatives is less authoritatively documented, but some studies and foreign press reporting help point to countries that probably have such initiatives underway. A 1996 US General Accounting Office (GAO) report on the threat to Defense Department systems stated that the Department of Energy and the National Security Agency estimated that more than 120 countries had established computer attack capabilities. At the low end, June 1998 testimony by the Director of Central Intelligence stated that "several countries" are sponsoring information warfare programs, and that "nations developing these programs recognize the value of attacking a country’s computer systems—both on the battlefield and in the civilian arena." A March 1998 report by the Center for Strategic and International Studies (CSIS) identified Russia, China, the United Kingdom, France, Australia, and Canada as countries that have dedicated considerable research and resources toward developing IW capabilities. The March 1999 National Communications System (NCS) report on the threat to US telecom-munications states that, among these, the National Intelligence Council reports that Russia, China, and France have acknowledged their IW programs. According to the NCS report, other countries, such as Bulgaria and Cuba, reportedly have narrower initiatives focused on developing computer viruses.

An independent review of international press reporting and military press articles on foreign IW initiatives points to three other countries among those engaged in economic espionage—India, Israel, and Taiwan—that are involved in the development of IW technologies, programs, or military capabilities. All of these countries publicly acknowledge pursuing defensive IW initiatives with the goal of protecting their military information capabilities or national information infrastructures.

  • India established a National Information Infrastructure-Defensive group several years ago, apparently in response to China’s growing interest in IW
  • As recently as May 24, the Israel Defense Forces (IDF) acknowledged the existence of a cyber warfare defense unit whose mission is to protect military systems, but noted that the national electric utility had organized its own defense.
  • Taiwan also recently announced creation of a task force to study ways to protect the island’s information infrastructure from the growing IW threat from China.

Creation of national defensive information infrastructure program is a good—and probably necessary—indicator of a foreign offensive IW initiative. Defensive measures—deterrence, detection, protection, and restoration—are difficult to implement without also developing an understanding of potential adversaries, investing in computer and software development, and creating a major operational capability, all steps directly applicable to creating an offensive IW capability. Moreover, from a military strategic perspective, in an era when offensive IW has many technical advantages over the complexities of cyber defense, a strong offensive IW capability provides both a deterrent and a virtually assured counter-strike capability against potential adversaries that is generally cost-effective.

The presence of a defensive IW initiative, however, is inadequate alone to assess that a foreign country is also developing its offensive counterpart. To judge that a country probably has an offensive IW initiative—including military theory, technology development, operational doctrine, unit or individual training, or deployed forces—requires positive responses to at least one of the following questions:

  • Has a country been reliably identified as participating in offensive IW activities, especially "preparation of the battlefield" activities—such as implanting and using trap doors—that would facilitate computer network attacks in a future conflict?
  • Have authoritative, but unofficial, host country sources suggested that a country has an offensive IW program?
  • Do specific activities of the national security or domestic information technology industry point to the development of capabilities usually—and preferably uniquely—associated with offensive IW?

 

Figure 2:
Sampling of Foreign Official Comments on National IW Initiatives
  • Russia—In a response to a question posed in a June 1998 interview about Russia’s new military doctrine, Col-Gen Valeriy Manilov, first deputy chief of General Staff of the Armed Forces, stated that the doctrine under development "acknowledges the world trend toward development and introduction of weapons of information warfare. On the other hand, it will define the forms and means of their use, and adequate protection against them."
  • France—Air Marshal Francois Vallat, Commander of French Air Defense stated in 1993, "We must master the domain of information in order to acquire military supremacy. This is difficult to do, especially if one must simultaneously deny the adversary the capacity to do the same. . . . In crises and conflicts, tomorrow even more than yesterday, supremacy will belong to those who can best and most rapidly collect and exploit the most information."
  • India—Although New Delhi has not officially acknowledged an offensive IW initiative, India’s Chief of Naval Staff Admiral Vishnu Bhagwat stated in an interview with the Indian press that the Navy had recently commissioned an IW air squadron that "will equip them to secure information dominance of the new millennium."
  • Israel—A May 24, 1999, article in the Jerusalem Post states that Israel has never made any official mention of its offensive IW capabilities, and the IDF spokesperson refused to allow questions on the topic in an interview with the head of the cyber warfare defense unit. Nonetheless, Lt. Col. Eytan, head of the unit, noted that "In the future, this (cyber war) will be a central part of the battlefield. It doesn’t mean there won’t be divisions and fighters, but the fighting capability in the digital battlefield, the cyber warfare, will certainly be very significant. . .. It does not necessarily have to be damage in battlefield casualties, but in damage which could lead to . . . total chaos." The article goes on to note that "cyber attacks can come from allies sitting across the world."

 

Among the major foreign providers of Year 2000 software remediation services to the United States, Israel and, to a lesser extent, India have acknowledged a defensive IW or national information infrastructure protection program, and also meet at least one of the supplemental criteria.

  • Israel was involved in the 1991 penetration of US defense computers and copying information on the Patriot missile defense system, according to the NCS report. Reliable recent US military reporting corroborates that Israel is among the leading sources of intrusion attempts on some protected Defense information systems and networks. The comments of the IW defense unit commander and the IDF spokesperson in a recent interview (see Figure 2 above) also suggest the existence of an offensive program.
  • With the exception of the comment by the Chief of Naval Staff that the Navy was preparing for "information dominance" in the next decade (see Figure 2), the case that India also has an offensive IW is more problematic. The 1995 ASIS survey report identifies Indian nationals among the top five sources of economic espionage against the United States, but does not indicate whether these nationals use cyber techniques nor whether they targeted more than commercial information.

 

Figure 3:
Publicly-Identified Foreign Countries Involved in Economic Espionage, Information Warfare Initiatives, and US Y2K Remediation
Country Economic
Espionage
Information
Warfare Initiative
Major Y2K Remediation Provider
Bulgaria Yes* -- --
Canada Yes Yes --
Cuba Yes* Yes --
France Yes* Yes --
Germany Yes* Yes --
India Yes Yes Yes
Iran  Yes Yes --
Iraq Yes* Yes --
Ireland -- -- Yes
Israel Yes* Yes Yes
Japan Yes* -- --
Pakistan -- -- Yes
Philippines -- -- Yes
Russia Yes* Yes --
South Korea Yes -- --
Taiwan Yes* -- --
* Countries identified by NCS as using electronic intrusions, usually for economic espionage purposes.

 

Ranking the Risks
The results of this analysis point to a tiered set of foreign national risks to US computing and network systems remediation involving the insertion of malicious code.
  • At the top, India and Israel are the most likely countries to use the broad opportunity presented by Year 2000 remediation in light of their historic involvement in economic espionage against the United States and the likelihood that they have ongoing offensive IW initiatives.
  • France, Germany, Russia, and Taiwan comprise a second tier of countries that have also been identified as participants in economic espionage against the United States and developing IW initiatives, but are not believed to be major foreign sources of US Year 2000 remediation services. While their efforts may have less impact on the national-level integrity of US systems and networks, companies and government agencies utilizing services provided by companies in these countries are still at significant risk in our estimation.
  • The governments and companies in the other countries that have engaged in economic espionage against the United States may also utilize this unique opportunity to advance their espionage objectives.

 

Protecting and Responding
The ability to protect corporate or government systems and networks against these foreign—and domestic—risks hinges on comprehensive testing and validation of the integrity of the remediated software by a trusted independent source before it is implemented. Analysis of the software’s content and testing for trap doors and other accesses are key elements in this risk reduction.

Besides testing for intended performance, analysis of the content of the program is most important. Evaluators should insure that all the program code has a legitimate business purpose; any unused code should be extracted. Often evaluators will have access to the object code—the applications-level information used to operate the software—rather than the program-language source code, which undermines the effectiveness of content analysis. Customers may wish to insist that the source code be shared with the evaluator so its integrity can be examined. The evaluator then needs to match the object code against that actually used in the corporate application to insure the validity of testing.

Preventing unauthorized access in the future is a second essential step in assuring the integrity of a system or network. Evaluators can begin by using standard hacker tools to see if the software displays any access vulnerabilities. At a second level, a "red team" approach—actually trying to crack the software--can be taken to explore more deeply whether trap doors exist. Special attention should be paid to all authorized software accesses, such as those for remote system administration, which could result in future introduction of malicious code. These accesses should be protected by software able to identify and halt delivery of malicious code.

In the event malicious code is identified in testing or operation of the remediated software, we strongly recommend the local FBI field office or the National Infrastructure Protection Center Watch at (202)323-3205. Specially trained FBI agents and computer specialists can preserve and collect critical evidence that can be used in identifying and prosecuting the perpetrator and, using its ability to compare across similar events, facilitate the restoration of protected service to the system. The early FBI involvement in addressing criminal computer intrusions will help smooth the national computing transition to the next millennium.

Selected Bibliography
The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications,
National Communications System (NCS), 3rd ed., March 1999.

Cybercrime …Cyberterrorism…Cyberwarfare…Averting an Electronic Waterloo,
Global Organized Crime Project, Task Force Report, Center for Strategic and International Studies (CSIS), March 1998.

Trends in Intellectual Property Loss—1995/1996,
American Society for Industrial Security (ASIS), 1996.

Information Security—Computer Attacks at Department of Defense Pose Increasing Risks,
General Accounting Office (GAO), GAO/AIMD-96-84, May 22, 1996.

"Economic Espionage—Information on Threat from US Allies,"
statement for the record for the Senate Select Committee on Intelligence, GAO, GAO/NSIAD-96-114, February 28, 1996.

"1999 CSI/FBI Computer Crime and Security Survey,"
Computer Security Issues & Trends (CSI&T), Vol. V, No. 1, Winter 1999.

DCI Testimony to the Senate Committee on Government Affairs on the Information Warfare Threat, 24 June 1998.

Foreign Broadcast Information Service, various foreign press items.

InfoWar.com, a website compendium of news and articles on IW issues.

 

Home  |  Events  |  Publications  |  Security Digests
Resources  |  Miscellaneous  |  Contact SANS

 

1999 SANS Institute  :  Office 301.951.0102  :  Registration 719.599.4303  :  Web Contact scott@sans.org