The rash of computer glitches expected in January 2000 may create a golden opportunity for hackers, who tend to thrive when IT attention is focused elsewhere, some security experts warn. But a Computerworld poll of 102 executives found that 90 percent already have considered the possibility and are examining ways to thwart such opportunist hackers.
Of those surveyed, 23 percent said their companies are taking extra security precautions for their computer systems as part of their year 2000 planning. For those who aren't, many said the Internet and electronic commerce posed bigger potential threats.
Not everyone agreed that there will be heavy hacking at year's end. Some argued that increased year 2000 systems monitoring could help security, while others noted that would-be attackers could suffer year 2000 systems problems of their own.
"People can attack whenever they want, but there's going to be so much monitoring of the system that any anomaly would be noticed," said Mike Riley, director of Internet development at R.R. Donnelley & Sons in Downers Grove, Illinois. "If anything, there's going to be a heightened sense of awareness."
Nevertheless, a half-dozen consultants contacted by Computerworld urged companies to prepare. "If I was a hacker, I'd attack companies on December 1999. I'd be almost untouchable. They'd never find me," said Darek Milewski, president of Cmeasures, a consulting firm in Berkeley, California.
What to look for
Those consultants recommended that companies -- in addition to testing their security systems' year 2000 compliance -- anticipate the following possible year 2000-specific attack methods:
-- With so many people expecting systems problems this January 1, bugs caused by malicious intruders may be misidentified as year 2000 woes -- and thus left unfixed.
-- Those trying to penetrate corporate systems, particularly economic spies, may have set up year 2000 outsourcing firms. "What better way to get in the front door than to be in the fix-it business?" asked Frank Cilluffo, director of an information technology task force at the Centre for Strategic International Studies, a Washington think tank.
-- Any change in computer coding, no matter how simple, can cause unintentional problems somewhere else. Those problems could include opening up security holes.
-- Even those who have secured their own systems face potential security gaps via partners.
-- Security spending, like many other IT budget items, will likely take a backseat to year 2000 efforts this year.
-- Year 2000 also opens up a nontechnical hacking possibility. For example, an outsider calls into a company on Monday, January 3, 2000, claiming to be the firm's year 2000 consultant and asking employees for their user names and passwords to check that everything's OK. "The best time to attempt a security breach is a time of chaos," said Philip Carden, a consultant at Renaissance Worldwide Consulting in Hoboken, New Jersey.
William Ulrich, a year 2000 consultant and columnist for Computerworld, advises clients to include a security specialist in year 2000 projects, but only one firm he works with has such a person who regularly attends meetings.
An audit team should "be on very, very high alert -- not just [at year's end], but right now, looking for financial irregularities," said Ulrich, president of Tactical Strategy Group in Soquel, California.