Y2K Fix Also A Threat?

Two of the government's top computer security experts said Thursday that some programmers hired to fix Year 2000 problems may be quietly installing malicious software codes to sabotage companies or to gain access to sensitive information after the new year.

The alarms were sounded at a hearing on the "Y2K glitch" and cyber-terrorism before the Senate Committee on the Year 2000 Technology Problem.

"Many of these (rogue programmers) have no security clearance, do not work for the government, and yet they have access to critical systems that if sabotaged could wreak havoc to our financial institutions and our economy," said Sen. Christopher Dodd, D-Conn., the committee's vice chairman.

A recent analysis by the Gartner Group predicted electronic thefts worth at least $1 billion, noting that the computer networks of financial institutions, corporations and governments handle transactions worth $11 trillion annually.

Michael Vatis, director of the FBI's National Infrastructure Protection Center, said experts hired by U.S. companies to fix their computers could secretly program "trap doors" - ways to let them gain access later - or add malicious codes, such as a logic bomb or time-delayed virus that could disrupt systems.

"While systems have been and will continue to be extensively tested, the probability of finding malicious code is extremely small," agreed Richard Schaeffer, director of the Defense Department's Infrastructure and Information Assurance program.

Neither expert suggested the possible scope of the problem.

Schaeffer said problems are complicated by the New Year's rollover, when some computers programmed to recognize only the last two digits of a year may mistake 2000 for a full century earlier.

"It may be difficult to distinguish between a true Y2K event and some other anomaly caused by a perpetrator with malicious intent," Schaeffer said.

Both experts said the risks were exacerbated by the amount of software repaired by companies overseas. Vatis called the situation "a unique opportunity for foreign countries and companies to access, steal from or disrupt sensitive national and proprietary information systems."

Vatis recommended that companies thoroughly check the backgrounds of companies they hire for software repairs. He also said they should test for the existence of trap doors after the repairs, possibly even hiring teams to try to electronically crack into their own networks.

The latest warnings come on the heels of new disclosures about White House plans to create a government-wide security network to protect the nation's most important computer systems from hackers, thieves, terrorists and hostile countries.

The 148-page proposal from the Clinton administration describes building an elaborate network of electronic obstacles, monitors and analyzers to prevent and watch for potentially suspicious activity on federal computer systems.

Sen. Robert Bennett, R-Utah, said Thursday that the scope of the Y2K problem shows that a successful attack on a computer system - such as the network that controls the traffic lights or subway in New York City - "could have as much impact on the economy as if somebody actually dropped a bomb."

Civil liberties groups complain that the security tools also would make possible unprecedented electronic monitoring, especially because of the increasingly widespread use of computers by the government in almost every aspect of its citizens' daily lives.

The White House defended the proposal.

"We are very concerned about protecting privacy rights," said Mr. Clinton's national security adviser, Sandy Berger. "But there is also a privacy right in not having hostile entities attack systems. We're not only talking about 17-year-old kids in their basement. We're talking about governments that we know are developing systems to get access to our computer systems."