WASHINGTON (04/18/2000) - The federal government intends to make finding Trojan horses and trap doors on computer systems a "research priority," as the risk is one that some companies may be facing as a result of hasty year 2000 problem repair work. That was the message delivered by Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism, at a U.S. Commerce Department-sponsored conference on information security today.
Many companies, said Clarke, "woke up too late" to the Y2K problem and, in the process of doing "quick work," may have allowed malicious code to be implanted in their systems.
A Trojan horse can be as little as two lines of malicious code buried in millions of lines of programming, said Clarke. "Even our best people have difficulty finding a Trojan horse or trap door," he said. Trap doors can be used to gain unauthorized access into a system.
The Clinton administration is seeking $1 billion for information security research and development projects in next year's budget and intends to coordinate its efforts with those of the private sector "so we won't be duplicating what the corporations and the IT industry will be doing on their own," said Clarke.
The security conference, which was held with the assistance of several professional auditing organizations, was aimed at corporate board members and auditors - the people who oversee information technology management - to improve information security so as to avoid the risk of damage to the national economy.
Auditors are being targeted by U.S. officials to help raise information security awareness because of their unique roles in corporations: They interact with the companies' boards of directors and can question whether an enterprise is addressing its information security issues.
"We can cajole the private sector to do the right thing - you can actually scare them to do the right thing," said John Podesta, White House chief of staff, at the first of a series of six conferences aimed at top corporate management that are being sponsored by the U.S. Commerce Critical Infrastructure Assurance Office.
Podesta also stressed that any solutions to information security problems will have to be addressed by the private sector. Regulation, which is widely opposed by industry trade groups, won't work. "Our policy is to support industry, not to overregulate it," he said.
For auditors, examining information security practices is no different from examining any other activity at a company, said Jacqueline Wagner, the general auditor at General Motors Corp. in Detroit. But finding people with the right skills is "a different story - that is probably the first challenge," she said.