Software Has Become A National Security Vulnerability
Software seems harmless: virtual, ephemeral, abstract. Yet software controls every transportation, communications and energy system in America and is now a national security vulnerability.
Over the past year there has been a new class of cyberattacks by China and Russia where software was an integral part of the attack. For example, this year DHS banned Huawei’s 5G equipment for containing surveillance software while Russia tested a new type of cyber weapon on Ukraine. The important characteristic of these new cyberattacks was that software is used as an offensive weapon (for more background and history on this trend see Software Ate The World: Now it is both a corporate and national security threat).
Cyberattacks have evolved quickly from phishing, server exploitation and data exfiltration to software-based attacks that operate as native processes. And being native, these new types of cyberattacks can bypass many existing security controls. Attacks that leverage native processes are bad, but to computers these attacks just seem like normal operation. Code is being run.
Software and our internetworked computer systems are more complex than ever. Which means to develop countermeasures to these new types of cyberattacks we have to work harder than ever.
Here’s a quick rundown of some of the issues security professionals and national security policy makers need to consider:
Communications Equipment: It should not be a surprise that Huawei’s 5G equipment was banned by DHS for having a backdoor given the company is managed by the Chinese People’s Liberation Army (PLA). However banning Huawei is no more than a short-term fix as Chinese intelligence will infiltrate other equipment vendors (if they haven’t already done so). Alternatively, other nations are launching attacks targeting infrastructure devices which are infrequently updated like the compromise of home and business routers.
Countering China’s infiltration of the telecom equipment market will require a partnership between service providers and the Intelligence Community to develop new standards to procure and operate services. Unfortunately this is as complicated as it sounds and will take a long time. In the short term organizations should consider building a Zero Trust Network (ZTN) overlay until secure communications services are available.
Self-Propagating Malware: Unlike China, Russia does not have deep commercial footprint into America so they have focused their efforts on self-propagating malware. The NotPetya attack in June 2017 demonstrated the lethality of Russia’s self-propagating malware in action – within a few days 300,000 computers were wiped out, with the economic damage making this the most costly cyber attack known.
The best countermeasure to self-propagating malware is eliminating the open, flat network that many organizations still operate. Fortunately there are many ways to partition enterprise networks from Role-based Access Control (RBAC), Software Defined Networking (SDN) and Software Defined Perimeter (SDP). They all work so you just have to find the right set of techniques for your environment. Next consider an endpoint protection system designed to spot self-propagating malware as an added security control.
Third Party Software: The growth of Open Source combined with Cloud-based software has greatly reduced the time and cost of enterprise application development. The one downside of plug & play software is that the rush to field solutions means there is usually not an inspection of the code. Developers that build upon stacks of services are also building things that run on stacks they have no visibility into. There are too many cases where end capabilities are fielded where no one knows what software is in the capability – a fact foreign intelligence agencies are taking advantage of.
Whether you utilize proprietary code, open source, cloud or packaged software you must set aside time and budget for a vulnerability analysis. It’s painful process to lock down APIs, encrypt stored data, partition servers, implement a secure boot process and access controls but it’s the only way to ensure there are no backdoors in your enterprise apps.
Legal Business: Perhaps most difficult attack vector to stop is legal business. America’s wealth is based on the software inside its products and services. Thus is extremely easy for America’s adversaries to legally purchase items to understand their vulnerabilities. Best of all, if they ask nicely, the sales departments of most companies will offer a free trial. Note: this is not a joke – Iran has well-developed reputation for taking advantage of free stuff.
At some point the Board of Directors of leading technology firms will just have to say “NO” to working with countries hostile to America for the sake of national security. To help them along Fortune 500 and US government agencies should also develop procurement strategies that reward companies who voluntarily don’t supply America’s enemies.
It’s critical for those involved in national security and enterprise infrastructure to internalize how the software that powers their organization can be turned against them.