By Thomas E. Ricks. Thomas E. Ricks covered the U.S. military for the Washington Post from 2000 through 2008. He can be reached at firstname.lastname@example.org.
By John Scott
Best Defense guest columnist
It’s Wednesday, and that means another story about the looming threat of cyberattack, how vulnerable the United States and its infrastructure is, how bad the Chinese are, how to retaliate, etc. But what seems to be left out of the discussion is what can practically be done about it (beyond scolding bad people).
The first thing that should be done is to shrink the surface area for attack. What does this mean? Right now the U.S. government and industry run a fairly homogeneous set of operating systems and applications that have been shown to be a big part of the problem; specifically, Microsoft and Adobe are two companies whose wares have become amazing attack vectors. Why? For a few reasons: 1) if you want to create a virus/exploit weapon, you tailor it to the software with the largest adoption, 2) large, constantly changing code bases give rise to known-unknown software vulnerabilities, and 3) updates don’t always reach users in time once new vulnerabilities are detected and patched.
A great example is how Stuxnet is reported to have entered the Iranian nuclear program:
The main (and initial) infection vector is the transmission of the Stuxnet malware via USB devices: if an infected USB device is inserted into a clean PC and later accessed with the Windows Explorer, then the infection of that PC is triggered. This is due to either a malicious ‘Autorun.inf’ file present on the USB device (for the oldest variants of Stuxnet) or to the usage of the ‘LNK’ Windows vulnerability (MS10-046, CERT-IST/AV-2010.313 advisory) for the variants found in June 2010.
The Iranians were probably running older versions of Microsoft operating system software that weren’t updated (and were probably pirated to boot). Further, the Iranians were victims of Microsoft’s business model of stitching together source code to lock in users and, conversely, lock out other software, which gave the virus carte blanche access to everything on the machine.
So what should we, the government, or private companies for that matter, do? First thing, we’ve got to get our own house in order to limit our vulnerabilities (or "know thyself," to paraphrase Sun Tzu).
- First, get rid of software for which we have to continually make excuses. Just as the U.S. military doesn’t promote smugglers (Han Solo) and farm boys (Luke Skywalker) to general, stop deploying software that requires additional fixes and comes stitched together. Microsoft and Adobe might be less expensive software, but if it leaves a backdoor open, is it really "cheaper"?
- Second, only install operating systems and applications where the source code is available for widespread public inspection. Keeping source code secret increases its widespread vulnerability to exploitation when a defect is detected.
- Third, increase the heterogeneity of operating systems and applications to create gaps so that a virus/exploit can’t traverse between different systems.
- Fourth, fund research into more secure operating systems and make the fruits of that investment public: A rising tide lifts all (security) boats. A small investment in maturing source code can have a large impact.
John Scott is a senior system engineer for Radiant Blue Technologies and was a co-author of Open Technology Development: Lessons Learned and Best Practices for Military Software (Department of Defense, 2011). He occasionally blogs at Powdermonkey.