Is There Strategic Software?

By Bruce Schneier
Information Security
September 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus's side can be found on his website.

If you define “critical infrastructure” as “things essential for the functioning of a society and economy,” then software is critical infrastructure. For many companies and individuals, if their computers stop working then they stop working.

It's a situation that sneaked up on us. Everyone knew that the software that flies 747s or targets cruise missiles is critical, but who thought of the airlines' weight-and-balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where? These sorts of systems are more vulnerable around the edges than they are head-on. And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today, we find ourselves in a position where a well-positioned flaw in Windows or Cisco routers or Apache could seriously affect the economy. (Staniford, Paxson and Weaver's 2002 "Warhol worm" analysis suggested that a well-designed worm could reach every vulnerable host on the Internet in about fifteen minutes.)

And it's perfectly rational to assume that some programmers—a tiny minority I'm sure—are deliberately adding vulnerabilities and back doors into the code they write. I'm actually kind of amazed that the back doors secretly added by the CIA/NSA, MI5, the Chinese, Mossad, India, Pakistan, and everyone else don't conflict with each other. And even if these groups aren't infiltrating software companies and deliberately inserting back doors, you can be sure they're scouring the actual products for vulnerabilities they can exploit, if necessary.

On the other hand, we're already living in a world where dozens of new flaws are discovered in common software products weekly, and the economy is humming along just fine. But we're not talking about this month's worm from Asia, new phishing software from the Russian mafia, or even some terrorist wannabe trying to disrupt something-or-other—we're talking about national intelligence organizations. “Infowar” is an overhyped term, but the next war will have a cyberspace component, and these organizations wouldn't be doing their jobs if they weren't preparing for it.

Marcus is 100% correct when he says that it's simply too late to do anything about it. The software industry is international, and no country—not China, not even the U.S.—can start demanding domestic-only software and expect to get anywhere. Nor would that actually solve the problem, which is more about the allegiance of millions of individual programmers than about which country they happen to live in or hold citizenship of.

So, what to do? The key here is to remember the real problem: current commercial software practices are simply not rigorous enough to reliably detect and remove deliberately inserted malicious code. Once you understand this, you'll drop the red-herring arguments that led to Israel-based Check Point being unable to buy U.S.-based Sourcefire, and concentrate on the real solution: defense in depth.

In theory, security software like firewalls and IDSs is just an after-the-fact kludge, needed only because the underlying operating system and application software are riddled with vulnerabilities. If your software were written properly in the first place, you wouldn't need a firewall—right? But in practice, we can never assume that our software is secure. That's why we spend billions of dollars on security software.

If we were to get serious about critical infrastructure, we'd recognize that it's all critical and start building security software to protect it. We'd build our security based on the principles of safe failure; we'd assume security would fail and make sure it's okay when it does. We'd use defense in depth and compartmentalization to minimize the effects of failure. Basically, we'd do everything we're supposed to do now to secure our networks, only we'd do it with a national military as the adversary.
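The two design principles named above, safe failure (a security check that breaks must resolve to "deny", never to "allow") and compartmentalization with independent layers, as an added illustration that is not part of Schneier's essay: a small Python access gate. The request fields, the network compartments, the JSON policy format and the sample policies are all constructed assumptions for this example, and the fail-open variant is included only as the anti-pattern to contrast against.

```python
"""Added example (not from the essay): a fail-closed, two-layer access gate.

Assumptions (all constructed for illustration): requests carry a user, an
action and a source IP; layer 1 is a network-compartment check, layer 2 is a
JSON allow-list policy keyed by user.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    source_ip: str


# Constructed sample data: which network compartment may originate which
# action. A foothold on the office LAN (192.168.1.0/24) does not by itself
# reach actions reserved to the warehouse network (10.10.0.0/16).
COMPARTMENTS = {
    "read_report": ["10.0.0.0/8", "192.168.1.0/24"],
    "ship_order": ["10.10.0.0/16"],
    "change_policy": ["192.168.1.0/24"],
}


def load_policy(raw):
    """Parse the JSON allow-list {user: [actions]}.

    Returns None on ANY problem rather than an empty or partial dict, so a
    corrupt, truncated or malformed policy can only ever lead to a denial.
    """
    try:
        pol = json.loads(raw)
    except (TypeError, ValueError):
        return None
    allow = pol.get("allow") if isinstance(pol, dict) else None
    if not isinstance(allow, dict):
        return None
    return allow


def in_compartment(action, source_ip):
    """Layer 1: does the request come from a network allowed for this action?"""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable source address is outside every compartment
    nets = COMPARTMENTS.get(action, [])  # unknown action: no compartment at all
    return any(ip in ipaddress.ip_network(n) for n in nets)


def fail_open_decide(policy_raw, req):
    """Anti-pattern: an unreadable policy is treated as 'no restrictions'."""
    allow = load_policy(policy_raw)
    if allow is None:
        return "allow"
    return "allow" if req.action in allow.get(req.user, []) else "deny"


def fail_closed_decide(policy_raw, req):
    """Safe failure plus defense in depth: each layer must independently say
    yes, and any error anywhere resolves to 'deny'."""
    try:
        if not in_compartment(req.action, req.source_ip):
            return "deny"
        allow = load_policy(policy_raw)
        if allow is None:
            return "deny"
        if req.action not in allow.get(req.user, []):
            return "deny"
        return "allow"
    except Exception:
        return "deny"  # an unexpected exception must never turn into "allow"


# Constructed sample policies: one intact, one truncated in transit.
GOOD_POLICY = json.dumps(
    {"allow": {"alice": ["read_report", "ship_order"], "bob": ["read_report"]}}
)
CORRUPT_POLICY = '{"allow": {"alice": ["read_report",'


def demo():
    """Run the gate over constructed requests; returns {case: decision}."""
    valid = Request("alice", "ship_order", "10.10.4.7")
    wrong_net = Request("alice", "ship_order", "192.168.1.20")  # right user, wrong compartment
    wrong_user = Request("bob", "ship_order", "10.10.4.7")  # right compartment, not permitted
    return {
        "valid": fail_closed_decide(GOOD_POLICY, valid),
        "wrong_net": fail_closed_decide(GOOD_POLICY, wrong_net),
        "wrong_user": fail_closed_decide(GOOD_POLICY, wrong_user),
        "corrupt_closed": fail_closed_decide(CORRUPT_POLICY, valid),
        "corrupt_open": fail_open_decide(CORRUPT_POLICY, valid),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:15} -> {decision}")
```

The point of the contrast is the last two cases: with the same valid request and the same truncated policy file, the fail-closed gate denies while the fail-open gate allows. The layers are deliberately independent, so a bug in the policy parser cannot be reached from outside the right compartment, and a compromised host inside the right compartment still needs the policy to say yes.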

It'd be expensive. Actually, it would be very expensive, probably prohibitively expensive. Maybe it would be easier to continue to ignore the problem, or at least manage geopolitics so that no national military wants to take us down.
