Remember 9/11 By Doing Something About Software Terrorist Threat

VDARE.COM writes: A year ago, we closed our site for nearly a week out of respect for the 9/11 dead. This year, we offer a practical memorial: a reminder of another threat to America about which nothing has been done.

Our author, John Miano tells us that he was a computer programmer for 18 years. He has written two books on computer programming as well as numerous technical articles for various computer publications. He has also written articles on the state of the computer industry for publications ranging from ComputerWorld to USA Today. He was also the founder of the Programmers Guild, a professional organization for computer programmers.

In 2002, due to the saturation of the programming job market by foreign programmers, he left the profession to go to law school.

By John Miano

In my first computer job I learned an interesting lesson about the security of data within computer systems. A coworker and I were installing some equipment in an office belonging to Human Resources (HR) when we were told that we had to leave immediately. The HR folks used this office to enter data about employees into the computer. Since they considered this data to be top secret, no one else could be in the room when it was entered.

As we left my coworker asked me “Do you want to see something interesting?” I followed him to his office where he sat down at his terminal, opened up a database then showed me the data the HR people had just entered.

As the administrator of the HR database, my coworker had free access to data that was supposed to be so secret no one could be in the same room when it was entered.

Since then, I have learned few corporations have any concern with, or any idea of, who has access to their computer systems. This could provide terrorists with new opportunities for making attacks upon the U.S. Serious action in this area should have been taken immediately after 9/11. It was not.

Potential computer terrorism threats come in three broad categories:

Denial of Service - the computer system is simply made to shut down. Telephone systems going down, computer trains stopping in their tracks, stock market trading being halted.

Malicious Action - where computer system does things it was not intended to do. Examples include banking systems making unauthorized transfers or flight control software causing airplanes to crash.

Theft of information - credit card numbers, social security numbers, corporate plans.

Look at some famous software accidents:

Problems in the software controlling the Therac-25 radiation therapy machine caused the system to fry patients, resulting in deaths and serious injuries. Some patients received more than 100 times the amount of radiation they were supposed to get.

A software failure in the bond processing system at the Bank of New York halted Treasury bond payments for more than a day, triggering a panic in the precious metals market.

Programming errors have caused both European Arianne and American Delta III rockets carrying satellites to explode, resulting in losses of hundreds of millions of dollars.

If simple programming errors can cause this level of damage, imagine what could be accomplished through deliberate malicious action.

Where computer terrorism is unique is that many such acts can be done in such a way that it would be impossible to distinguish between a deliberate act and an accident. The atrocious (and steadily declining) level of quality in software today would assist concealment. The last time your PC crashed, was it a programming error or sabotage?

This is where immigration policy comes in. In a quest for cheap labor, corporations have been importing hundreds of thousands of foreign computer programmers into the United States on guest worker visas. They receive little scrutiny of credentials and no security checks.

There have already been cases of information theft and computer sabotage by foreign guest workers. In a recent case, a U.S. Attorney noted that the Chinese accused came to the U.S. posing “as scholars. In reality, they were nothing more than sleuths” who were “ripping off cutting-edge, one-of-a-kind computer technology without spending a dime for it” then selling it to a Chinese government-owned company.

Most foreign programmers intend no harm. But it would only take a few to cause serious damage. Remember the September 11^th attack took only nineteen out of the 8 million illegal aliens in the U.S.

Another risky trend: “offshoring”. A company moves the support for a computer system to another country to take advantage of low salaries. Programmers sitting in the Philippines, India or Pakistan have free access to data in computers sitting in the U.S. This is an open invitation to commit terrorist acts in the U.S. without even coming here. Imagine the havoc that could be caused by a programmer in another country simply by downloading and selling thousands of credit card numbers.

“Offshoring” takes place right now in customer service. Mary, who took your credit card number when you ordered that jacket from an 800 number may actually be Padma sitting somewhere Asia.

If Padma steals your credit card number, what does she have to fear from the FBI? Whom do you call when you discover someone in Asia has stolen your social security number?

The State of New Jersey was shocked to find that the company to whom it had “outsourced” telephone support for various social programs has moved its operation to India. In other words, New Jersey took confidential information about its citizens and, with no concern for data security, handed it over to a third party - then expressed shock when the data winds up in a third world country; a scene right out of Casablanca.

Congress must address computer security. At a minimum, these steps must be taken:

Access to critical software in American computer systems should be restricted to the U.S.

Foreign guest workers should undergo security checks before having access to U.S. computer systems.

The U.S. needs to implement a privacy policy with regards to personal information of Americans, such as social security and credit card numbers. Foreign nationals should not have access to personal data. Corporations should not be permitted to export this personal data outside of the U.S.

For a while after 9/11, there looked like there would be one positive development on the data security front. The Defense Department had announced plans to limit the access of foreign workers to its computer systems. The plan was bashed by the usual suspects (cheap labor advocates, immigration lawyers, politically-correct reporters). And the Defense Department caved in. Foreign workers still can have unfettered access to personnel records and the like.

In the Defense Department.

It is impossible to legislate against stupidity. If companies want programmers all over the world to have access to their business plans, where they can be stolen and sold to the competitors, it is their risk to take. But corporations--and governments--should not be allowed to give the entire world access to Americans’ personal information--let alone to computer systems that could jeopardize American security.

September 10, 2002