Software Terrorist Threat


Date: Wednesday, September 11, 2002 1:36 PM



*** H-1B NEWSLETTER ***





http://www.vdare.com/misc/miano_terrorist.htm

Remember 9/11 By Doing Something About Software Terrorist Threat

A year ago, we closed our site for nearly a week out of respect for
the 9/11 dead. This year, we offer a practical memorial: a
reminder of another threat to America about which nothing has been
done.

Our author, John Miano, tells us that he was a computer programmer for
18 years. He has written two books on computer programming as well as
numerous technical articles for various computer publications. He has
also written articles on the state of the computer industry for
publications ranging from ComputerWorld to USA Today. He was also the
founder of the Programmers Guild, a professional organization for
computer programmers.

In 2002, due to the saturation of the programming job market by
foreign programmers, he left the profession to go to law school.

By John Miano

[See also 10/10/01 - Ten Principles of Immigration - John Miano
http://www.vdare.com/fulford/contest_miano.htm ]

In my first computer job I learned an interesting lesson about the
security of data within computer systems. A coworker and I were
installing some equipment in an office belonging to Human Resources
(HR) when we were told that we had to leave immediately. The HR folks
used this office to enter data about employees into the computer.
Since they considered this data to be top secret, no one else could be
in the room when it was entered.

As we left, my coworker asked me, "Do you want to see something
interesting?" I followed him to his office where he sat down at his
terminal, opened up a database then showed me the data the HR people
had just entered.

As the administrator of the HR database, my coworker had free access
to data that was supposed to be so secret no one could be in the same
room when it was entered.

Since then, I have learned few corporations have any concern with, or
any idea of, who has access to their computer systems. This could
provide terrorists with new opportunities for making attacks upon the
U.S. Serious action in this area should have been taken immediately
after 9/11. It was not.

Potential computer terrorism threats come in three broad categories:

* Denial of Service - the computer system is simply made
to shut down. Telephone systems going down, computer trains stopping
in their tracks, stock market trading being halted.

* Malicious Action - where a computer system does things it
was not intended to do. Examples include banking systems making
unauthorized transfers or flight control software causing airplanes to
crash.

* Theft of information - credit card numbers, social
security numbers, corporate plans.

Look at some famous software accidents:

* Problems in the software controlling the Therac-25
radiation therapy machine caused the system to fry patients, resulting
in deaths and serious injuries. Some patients received more than 100
times the amount of radiation they were supposed to get.

* A software failure in the bond processing system at the
Bank of New York halted Treasury bond payments for more than a day,
triggering a panic in the precious metals market.

* Programming errors have caused both European Ariane and
American Delta III rockets carrying satellites to explode, resulting
in losses of hundreds of millions of dollars.

If simple programming errors can cause this level of damage, imagine
what could be accomplished through deliberate malicious action.

Where computer terrorism is unique is that many such acts can be done
in such a way that it would be impossible to distinguish between a
deliberate act and an accident. The atrocious (and steadily
declining) level of quality in software today would assist
concealment. The last time your PC crashed, was it a programming error
or sabotage?

This is where immigration policy comes in. In a quest for cheap labor,
corporations have been importing hundreds of thousands of foreign
computer programmers into the United States on guest worker visas.
They receive little scrutiny of credentials and no security checks.

There have already been cases of information theft and computer
sabotage by foreign guest workers. In a recent case, a U.S. Attorney
noted that the Chinese accused came to the U.S. posing "as scholars.
In reality, they were nothing more than sleuths" who were "ripping off
cutting-edge, one-of-a-kind computer technology without spending a
dime for it" then selling it to a Chinese government-owned company.

Most foreign programmers intend no harm. But it would only take a few
to cause serious damage. Remember the September 11th attack took
only nineteen out of the 8 million illegal aliens in the U.S.

Another risky trend: "offshoring". A company moves the support for a
computer system to another country to take advantage of low salaries.
Programmers sitting in the Philippines, India or Pakistan have free
access to data in computers sitting in the U.S. This is an open
invitation to commit terrorist acts in the U.S. without even coming
here. Imagine the havoc that could be caused by a programmer in
another country simply by downloading and selling thousands of credit
card numbers.

"Offshoring" takes place right now in customer service. Mary, who took
your credit card number when you ordered that jacket from an 800
number may actually be Padma sitting somewhere in Asia.

If Padma steals your credit card number, what does she have to fear
from the FBI? Who do you call when you discover someone in Asia has
stolen your social security number?

The State of New Jersey was shocked to find that the company to whom
it had "outsourced" telephone support for various social programs has
moved its operation to India. In other words, New Jersey took
confidential information about its citizens and, with no concern for
data security, handed it over to a third party - then expressed shock
when the data winds up in a third world country; a scene right out of
Casablanca.

Congress must address computer security. At a minimum, these steps
must be taken:

* Access to critical software in American computer systems
should be restricted to the U.S.

* Foreign guest workers should undergo security checks
before having access to U.S. computer systems.

* The U.S. needs to implement a privacy policy with
regards to personal information of Americans, such as social security
and credit card numbers. Foreign nationals should not have access to
personal data. Corporations should not be permitted to export this
personal data outside of the U.S.

For a while after 9/11, it looked like there would be one positive
development on the data security front. The Defense Department had
announced plans to limit the access of foreign workers to its computer
systems. The plan was bashed by the usual suspects (cheap labor
advocates, immigration lawyers, politically-correct reporters). And
the Defense Department caved in. Foreign workers still can have
unfettered access to personnel records and the like.

In the Defense Department.

It is impossible to legislate against stupidity. If companies want
programmers all over the world to have access to their business plans,
where they can be stolen and sold to the competitors, it is their risk
to take. But corporations--and governments--should not be allowed to
give the entire world access to Americans' personal information--let
alone to computer systems that could jeopardize American security.





