Flexing digital muscles
The period between the mid-1940's and the early 1990's came to be called the Cold War, a time characterized by conflict between the Soviet Union and the Western world. That period was paved with an arms race, and military muscles were flexed to their rupture limit. The superpowers, the Soviet Union and the United States, threw themselves into a "tech-race" that took the rocketeers and humanoids to where no man had gone before - to space. The Cold War period also encompassed concepts such as the "proxy-wars" which account for the fact that the main combatants never came to face each other in direct battles. So what has changed since then?
The Space-Race in Cyberspace
The space-race has moved to Cyberspace and the technological proxy-wars are ongoing in the shadowland of the competitive technological development. China has expanded its superpower-family and is, like all the other family members, focusing on the development of a super-secure operating system; this is to be protected against possible cyber-warfare attempts, attacks that could be launched by any party, at any time. The cyber-combatants are spying on and suspecting each other of ongoing and planned espionage and exploitation attempts. The situation raises the need of security-hardened digital environment minimizing and locking-down risky and exploitable functions.
The Need for Bullet-Proof Security
I previously reported about the U.S. Air Force "special edition" of Windows XP with more than 600 settings that are "locked down tight". China's security-hardened OS is called "Kylin" (developed by the University of Science and Technology for National Defense in China) and it is based on the kernel code of FreeBSD5.3. The European Union's secure OS solution is called Minix (a micro-core minimizing the functionality). The EU is stated to have supported the Minix project with 2.5 million Euros in order to assist it's further development. The goal of the Dutch researcher Andrew Tanenbaums, the man behind Minix, is to put all drivers in the Minix system into multi-layered "straight-jackets" in order to secure the system. This way, the drivers will be prohibited from tasks such as: establishing contact with applications, transferring signals, and from writing to memory addresses without the explicit permission of the administrator. The original 12,000 rows (currently 4,000 rows) of code in Minix will be reduced further into an even smaller micro-core solution. Russia has also shown interest in the development of a Russian operating system in order to ensure their "digital independence".
The U.S. - China Economic and Security Review Commission's opening statement, by the Technolytics representative Kevin G. Coleman, states that the risk of espionage and exploitation attempts is imminent:
"It is my belief that this threat is real and we must take a proactive posture on acts of cyber aggression and espionage. For over two decades, China has been attempting to do what the Soviet Union never accomplished; covertly acquire western technology, then use it to move ahead of the west". Coleman also referres to a report authored by Cambridge University that states that "sophisticated computer attacks have been devastatingly effective and that few organizations, outside the defense and intelligence sector, could withstand such an attack". Coleman continues by stating that "there are other reports of malicious code being found in the computer systems of oil and gas distributors, telecommunications companies, financial services industries and other pieces of our infrastructure".
The statement creates a real feeling of Cold-War cyber-winds that are calling for the usage of minimalistic, locked-down and hardened operating systems!
It could be argued that the "unofficial" movement towards the usage of security-hardened systems conflicts with the fact that many of the operating systems offered to the public contain a plethora of pre-activated features and services that are considered to be unsafe by many state authorities. The amount of applications and features on a newly purchased pre-configured computer is often overwhelming, and the set-ups are hardly "locked-down" at all. According to Coleman, the computer hardware is "just as susceptible as software is to hackers through the inclusion of malicious logic; and the consequences of such an attack could be serious!".
Cyber Product Liability
Coleman ventilates the matter of Cyber Product Liability. The question is: what level of liability should hardware and software vendors bare for product-based vulnerabilities? Software vulnerabilities would, according to Coleman, fall under the "Design Defects" cause of action in the liability claims of a product. According to the U.S. National Vulnerability Database, there have been 1,647 software vulnerabilities reported during the last 3 months (as of May 15, 2009); these vulnerabilities may allow a third party or program, locally or remotely, gain unauthorized access. Coleman also illuminates that most software vendors do not investigate the root cause of reported vulnerabilities:
"I consulted a 25 year veteran of the software industry that hails from one of the icons of the software industry and posed the following question to him: Based on your experience, how often do software vendors investigate the root cause of reported vulnerabilities? He said, They Don't -- they jump in and try to create a patch".
Hopefully, the software and hardware vendors become more security-aware instead of mainly focusing on the functional richness of their products. Software vendors bear, at least an ethical, responsibility to ensure the security of their products.
In addition to that, hopefully at least some features from the "super-secure", "hardened", "locked-down" systems will find their way to the systems offered to the public. The authorities could, for example, provide the "recipes" for such systems. Or, they could even provide easy-to-comprehend security hardening guides to the public in order to enhance the overall security of global networks. This would be essential as the chain of security is no stronger than its weakest link!
Pekka Andelin
Lavasoft Malware Labs