by John Rhea
SAN DIEGO — Although the much-dreaded Y2K meltdown of the world's computers failed to materialize last year, speakers at the recent COTScon West conference and exhibition in San Diego warned of vulnerabilities that are inherent in today's interconnected global information systems. I don't mean to be an alarmist, but I think they're on to something and this problem should not be swept under the rug.
The reality is that the systems can only become more interconnected, and that's the heart of the problem. "We can't hunker down in forts," commented Paul Zavidniak, founder of Northrop Grumman Corp.'s Logicon subsidiary in Arlington, Va. "We must communicate between cultures. A system is secure only if it doesn't talk to anybody."
In a COTScon panel on information warfare last December moderated by Military & Aerospace Electronics magazine Senior Editor John McHale, the panelists downplayed the fears of a "digital Pearl Harbor," but they conceded that all the ingredients are in place for future hacker attacks and dissemination of viruses.
The issue has parallels in both the military and civilian spheres. Just as the U.S. Department of Defense must coordinate its global information assets in order to deploy its forces effectively, commercial institutions such as banks must also operate globally.
Moreover, they must rely on outside suppliers of information services that possess the expertise that would be prohibitively expensive for the users to develop on their own, says George Jelatis, director of E-business initiatives at Secure Computing Corp. in St. Paul, Minn. This is particularly true of banks, which traditionally have outsourced all of these financially sensitive functions, added Jonathan Callas, who describes himself as "minister of defense" at Counterpane Internet Security Inc. in San Jose, Calif.
Military forces, which are increasingly relying on wireless communications grids, are accordingly giving up the inherent security of shielded Tempest-rated hardware, Jelatis noted. This inevitably means greater reliance on commercial off-the-shelf (COTS) equipment. An audience member asked whether COTS is adequate for military needs. "It's not adequate for civilian needs," Callas shot back.
The biggest problem with COTS is the software, maintained Jelatis. This vulnerability begins with the operating system. Significantly, Macintosh is less vulnerable than the predominant Wintel operating systems, Callas noted, because the former is more "genetically diverse."
Where vulnerability really begins to pinch is in the software overlaid on top of the operating system, says Ryan Walters, senior manager at Symantec Corp. in San Antonio, Texas. Third-party vendors, over which neither the military nor commercial users have any control, typically supply these software applications. He also cited such commonly used programs as Internet Explorer used with Windows NT.
This problem is not confined to hostile outsiders. Jelatis pointed out that a frequent cause of security breaches is employees inside an organization who are pressed to get their work done and take shortcuts to get around burdensome security measures. The result can be what he called a "big hole in the firewall."
Despite the public perception that much of the estimated $200 billion spent by governments and business worldwide on the non-event of Y2K was wasted, there may yet be some dividends from that investment. Greater public awareness of the problem should be the least we can expect.
An example is the analysis by Mark Haselkorn, professor of technical communications at the University of Washington, who noted that previously technophobic managers began to see their organizations as dynamic ecosystems. That is, after all, what the organizations are. They're all constantly dependent on an uninterrupted flow of trustworthy information.
For those who may have forgotten, intentionally or unintentionally, Y2K was all about a decision by computer makers to represent the year with two digits. This shortcut saved money on memory, but threatened to cause some computers to interpret the year 2000 as 1900.
That's ancient history now, and the $50 million Y2K crisis center in Washington was closed and reused last fall to house the transition team of President-elect George W. Bush. You can interpret that fact any way you like.
If, as the COTScon panelists agreed, the problem is endemic as long as we have open systems that must communicate with each other — which I regard as forever — then it logically follows that diligence is also going to be needed forever.
To employ one of my favorite football metaphors, the offense takes what the defense will allow. After all, the offense knows where the play is supposed to go. Well, more or less. The hackers, whether pranksters or international terrorists, can choose their own time and place for an attack on a computer system. The defense, in this case those charged with maintaining the integrity of the system, faces the unenviable task of trying to anticipate every eventuality.
The COTScon panelists were unimpressed by the efforts of pranksters to date, such as the "I love you" computer virus that crippled millions of systems worldwide last year and caused tens of millions of dollars in damages. If the pranksters were that sophisticated, the panelists said, they would have planted much deeper and more complex viruses that wouldn't be discovered for years. I'm not so confident. What if they've already done so and we won't discover the consequences for several years?
I see the great value of the COTScon panel on information warfare as serving as a reminder of the significance of the information security problem for a community that is on the firing line. The problem isn't going away, and we're all going to have to learn to live with it. Ad hoc measures won't do. It's going to take dedicated information security teams who are up to speed on state-of-the-art security measures.
In that regard, I'm inspired by this passage from Pudd'nhead Wilson's Calendar by Mark Twain:
"Behold, the fool saith, 'Put not all thine eggs in the one basket' — which is but a manner of saying, 'Scatter your money and your attention'; but the wise man saith, 'Put all your eggs in the one basket and — WATCH THAT BASKET'."