This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
CounterPoint
If you define "critical infrastructure" as "things essential for the functioning of a society and economy," then software is critical infrastructure. For many companies and individuals, if their computers stop working, they stop working.
It's a situation that snuck up on us. Everyone knew that the software that flies 747s or targets cruise missiles was critical, but who thought of the airlines' weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where?
And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today we find ourselves in a situation where a well-positioned flaw in Windows, Cisco routers or Apache could seriously affect the economy.
It's perfectly rational to assume that some programmers--a tiny minority I'm sure--are deliberately adding vulnerabilities and backdoors into the code they write. I'm actually kind of amazed that backdoors secretly added by the CIA/NSA, MI5, the Chinese, Mossad and others don't conflict with each other. Even if these groups aren't infiltrating software companies with backdoors, you can be sure they're scouring products for vulnerabilities they can exploit, if necessary.
On the other hand, we're already living in a world where dozens of new flaws are discovered in common software products weekly,
Marcus is 100 percent correct when he says it's simply too late to do anything about it. The software industry is international, and no country can start demanding domestic-only software and expect to get anywhere. Nor would that actually solve the problem, which is more about the allegiance of millions of individual programmers than which country they happen to inhabit.
So, what to do? The key here is to remember the real problem: current commercial software practices are not secure enough to reliably detect and delete deliberately inserted malicious code. Once you understand this, you'll drop the red herring arguments that led to Check Point not being able to buy Sourcefire and concentrate on the real solution: defense in depth.
In theory, security software programs are after-the-fact kludges because the underlying OS and apps are riddled with vulnerabilities. If your software were written properly, you wouldn't need a firewall--right?
If we were to get serious about critical infrastructure, we'd recognize it's all critical and start building security software to protect it. We'd build our security based on the principles of safe failure; we'd assume security would fail and make sure it's OK when it does. We'd use defense in depth and compartmentalization to minimize the effects of failure. Basically, we'd do everything we're supposed to do now to secure our networks.
It'd be expensive, probably prohibitively so. Maybe it would be easier to continue to ignore the problem, or at least manage geopolitics so that no national military wants to take us down.
This was first published in September 2006