22 May
Company issues warning on outsourced software
Wisconsin Rapids, Wis. – Cyber Defense Agency, a Wisconsin Rapids-based information security and research company, is warning that widespread use of outsourced commercial software by the United States military and other organizations could expose the nation to cyber terrorism caused by life cycle attacks buried deep within the millions of lines of software.
The agency, which specializes in services for the U.S. government and various infrastructure sectors, said critical infrastructure and the U.S. government’s use of commercialized software, often built overseas by less expensive software developers, presents an opportunity for cyber terrorists and rogue nations to threaten the security and welfare of the country.
Sami Saydjari, president and CEO of the Cyber Defense Agency, said outsourced commercial software used by the military and critical infrastructures poses a silent but significant security risk to the defense and welfare of the United States. “The chances of strategic damage from a cyber-terrorist attack on the United States increase the longer it takes the U.S. military and critical infrastructures to remedy the risks posed by using outsourced software,” he stated.
Life cycle attacks occur when just one line of code out of millions of lines is rigged to open vulnerabilities within the software, exposing the software and the company to external threats.
Software built by less expensive overseas labor is exposed to several threats such as the insertion of malicious code – time bombs, for example – by adversarial foreign interests, transnational criminals, and terrorist groups. These actors could exploit the pieces of inserted code in a strategic attack against the United States.
Recently, the U.S. Department of Defense commissioned top security experts to evaluate and report on the threats of foreign influence on the government’s and military’s use of commercial software. The report is still being developed, but Saydjari said the very same cautions also apply to the private sector, including critical infrastructures that could be strategic targets of an adversary – entities that provide gas, electricity, telecommunications, banking, and water. All power utilities use supervisory control networks to run their generation, delivery, and maintenance processes, and attacks on those systems could result in widespread outages.
One of the suggested remedies, better management and control of software development for the most critical of critical components, does not mean the United States should handle all functions domestically. Saydjari, who founded Cyber Defense Agency in 2002, suggests that management make a risk assessment as to whether a given function is critical.
“If it’s managing a bowling score for the company, it’s probably fine for it to be outsourced,” he said. “But if it’s critical to the mission or operation of the company or the organization, then they might want to reconsider outsourcing that piece of software.”
Neither the military nor the private sector should assume that Al Qaeda or other adversaries lack the sophistication to take advantage of this vulnerability. “That’s a terrible assumption,” Saydjari said. “A good designer always assumes that an adversary knows as much as we do about how one would go about doing these kinds of attacks.
“I would point out that a large percentage of United States graduate students in computer science and engineering are foreign graduate students, and these graduate students often go back to their own countries and bring their knowledge of computer science and engineering back to their home countries. We have to assume that a percentage of them are working for governments that don’t necessarily have our interests at heart.”
Among the protective steps that any organization can take are constraining the privileges of software with fine-grained access control technology already developed under government research programs, and configuring intrusion detection systems to uncover the activation and use of life cycle attacks.
Saydjari, who spent 13 years with the National Security Agency and three years as a program manager of information assurance for the Defense Advanced Projects Agency, reiterated that organizations have to be careful about how they respond to this threat. He said the military might have a knee-jerk reaction to bring everything inside and custom design all of its software, when the issue is one of assessing risks and evaluating trade-offs.
Otherwise, they will end up “spending themselves to death” or being trapped in time-consuming design processes that delay even non-critical functions.
“That is not a reasonable outcome in the sense that it would make things way too expensive,” Saydjari said. “They have to deal with the commercial, off-the-shelf software, whether it’s made here or overseas.”