A Cyberwarfare Reality Check

By Chris Wysopal, Veracode
Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDos armies at whoever they choose and are able to shut down their networks.

Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDos armies at whoever they choose and are able to shut down their networks.

It is time to stop thinking about computer security as a castle wall and moat problem and to start looking at it as an ecosystem problem. We can’t secure our networks or those of our allies by building bigger walls any more than the President of the United States can keep our air clean for government workers by enacting tougher emmision standards for US government vehicles. It is a global problem that requires a global solution.

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emmisions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure. Each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers

Make no mistake. The root cause of these denial of service attacks is insecure software. It might be an operating sytem vulnerability or a vulnerability in a media player, web browser, or the latest cool social networking widget. These vulnerabilities let the attackers chip away one by one at the internet ecosystem like cancer cells. At some point the malignacy is great enough that it can destroy a high value target.

The only solution is to protect those individual cells from becoming malignant. Each and every computer system, and each and every software package running on them must be made secure. There is no easy fix. This is a hard problem. I have been studying it for 15 years since I was a researcher at a group called the L0pht which testified before the US Senate in 1998 that we knew how to take down the internet in 30 minutes. I wish this was an easy problem to solve, but it is not. It will only get worse as more computers are connected to the internet and we rely on the internet to be a safe place to exchange information and conduct business.

The solution is to make sure every piece of software we run is secure. It is much like the environmental problem were every car or every factory must meet an emissions standard. It can’t just be the cars driven by wealthy people or the factories making one type of product. It must be all. Until we start to think of the computer security problem as a global ecosystem problem with the root cause individual computers running everyday software, we are destined to fail.

The solution is to test all software before we run it. It can’t be a crapshoot whether something is going to cause harm if it is running on a million computers. We need to know.

Chris Wysopal is the CTO of Veracode.

 

Suggested articles