Software poses terror threat to UK
Leading IT consultants have warned the US military, government and "critical infrastructure agencies" that their widespread use of outsourced commercial software is putting the nation more at risk from a cyber terrorist attack.
Security experts at the Cyber Defense Agency (CDA) believe that central agencies as well as gas, electricity, telecoms and banking providers could fall foul to cyber terrorists who exploit the life-cycle weakness buried deep in the software code.
Life-cycle attacks occur when one line of code out of millions of such lines is rigged to open vulnerabilities within the software, thus exposing the software and the organisation to external threats, CDA stated.
Speaking to Contractor UK, a spokesman yesterday confirmed that the Agency has warned the US government of the threat to national security posed by outsourced commercial software, but it has not told UK officials.
"We expect they are aware of the concern; [but] we have not [warned them] because we are not currently in contact with the UK government.
"We would be happy to discuss this with them, or with critical infrastructure protection (CIP) providers in the UK," the security specialist said.
The Agency highlighted fresh research commissioned by The Department of Defense, carried out by top national security experts, to "report and analyse the threats of foreign influence on the government's and military's use of commercial software."
Ominously for both the national security of the US and the UK, the report warned that software built "by less expensive overseas labour is exposed to several threats such as the insertion of malicious code."
These so-called 'time bomb' authors were identified as "transnational criminal and terrorist groups" who could later exploit the pieces of inserted code in a "strategic attack against the US."
Sami Saydjari, a former leader of the National Security Agency and chief executive of CDA, said: "Outsourced commercial software used by the military and critical infrastructures poses a silent, but significant security risk to the defense and welfare of the United States.
"The chances of strategic damage from a cyber- terrorist attack on the United States increases the longer it takes the US military and critical infrastructures to remedy the risks posed with using outsourced software."
All large software houses should insist on application security reviews on their own code as well as on third party code, including open source code that they integrate into their systems, according to the Agency's Dan Thomsen.
"One of the most straightforward preventative steps is an in-depth security review of the code to look for life-cycle attacks.
"A side benefit of this is cleaning up non-malicious sloppy code. Doing an application security review can be done manually by security professionals or automatically with software."
He recommended contract software developers should adopt an attitude of "healthy skepticism regarding inputs from other modules."
"Always performing appropriate checks on input data to ensure it is properly formatted and in bounds as best practice would dictate.
"This is important in this era of complex, evolving systems, where the set of interacting modules changes as the system evolves or as code modules are adapted for new systems.
"Another approach to protect against life cycle attack is to isolate applications where possible. For example, if the application doesn't need to interact with the customer database, set up the security permissions so that it can't. This is called a least privilege security policy, where each application only has the permission it needs to do its job and nothing more."
Under such a policy, hackers face difficulty in 'leapfrogging through the system,' so their malicious aim of jumping from 'one weak application to another' is effectively thwarted, the CDA said.
Set up correctly, the least privilege security policy can help protect against the more common problem of applications 'gone wild.'
"If the security policy prevents them from spewing garbage at other applications the rouge application can be contained," Thomsen continued.
"A third approach of defense is having multiple layers of protection. Castles of old, had moats, and stone walls, and an inner sanctuary where the most valuable items [were kept]. Applications can be separated by networks, on different hosts or by special user accounts.
"Furthermore, there were many castles that were never conquered by force, only by treachery from the inside. Companies must also be aware of insider threats and those protecting the most valuable assets."
Government agencies, businesses and infrastructure providers are also advised to architect critical systems with defence-in-depth security mechanisms from different vendor sources under the assumption that some of the software contains life-cycle attacks.
"Critical infrastructure and the US government's use of commercialised software, often built overseas by less expensive software developers, presents an opportunity for
cyber terrorists and rogue nations to threaten the security and welfare of the country," the Agency said.
The warning comes after the US Cyber Consequences Unit, an advisory group to the Department of Homeland Security, warned that Al-Qa'ida "is becoming capable" of launching cyber attacks on power plants, grids and other key industries with critical control/data systems.
Speaking to The Independent, Unit director Scott Borg claimed "up until now," companies have been fretting over the malicious IT reach of "adolescents" and "petty criminals", not terrorist "grown-ups".
Asked whether the threat of cyber terrorism has been overhyped, a CDA specialist yesterday refused to downplay its seriousness, saying its operation was now on an ever-expanding global scale.
"Internet cafes are prevalent throughout the world as technology is seen as a tool. Cyber terrorists don't face the physical risk, so they could be potentially easier to recruit for fame, money or political motivations," he said.
"Also, younger tech-savvy individuals who don't have the experience to understand the breadth and depth of the consequences of terrorist actions could be at risk."