The United States recognises 16 distinct sectors of critical infrastructure, which are systems that are considered crucial to national economic security and national public health. Other countries have similar lists. Many of these sectors are common sense, such as food, water, and energy.
One sector is information technology, which encompasses hardware and software systems and services. I would argue that this is the single most important sector, a kind of ur-sector on which every other sector depends.
Think about it:
• The healthcare and public health sector cannot operate properly without information technology. Recent ransomware attacks against hospitals have demonstrated this dependence.
• Information technology is deeply embedded in the communications and financial services
• Information technology systems are even used in sectors like water and wastewater systems and chemical, both in industrial control systems and in administrative systems.
Everyone relies on information technology. Everyone understands the importance of information technology.
Why, then, do we see a persistent parade of headlines about data loss, system compromise, and failures?
A warm, moist environment
Fungus thrives in a warm, moist environment. Similarly, software vulnerabilities thrive in complexity. If one developer writes 100 lines of code, how many vulnerabilities might you expect to find? Modern software is measured not in hundreds of lines of code but probably in hundreds of thousands of lines. How many vulnerabilities would you expect to find lurking inside 100,000 lines of code? Millions of lines of code?
We are building systems that are more complex than anything we’ve ever built before. The technology is constantly evolving, and we are assembling functionality faster that we can figure out how to secure it.
Don Knuth once said, “Software is hard,” and by golly was he right. We can build amazing things, but we can neither guarantee that they work as intended nor unequivocally protect them from malice.
Asymmetric advantage
Software vulnerabilities are an attractive attack vector for threat actors of all kinds.
1 The mind-boggling complexity of modern systems is fertile ground for exploitable vulnerabilities.
2 Executing cyber operations over the internet grants a degree of anonymity and safety to the attacker.
3 Cyber operations are often cheaper and faster than physical operations.
In brief, the required effort is low, risks are low, and rewards are high. This asymmetry means that breaches, compromises, and other cyber calamities will continue until the cost and risk of cyber operations increases to match the potential rewards.
The turn of the tide
We’re at an inflection point — as a species, we are starting to understand our dependence on the machines we’ve built, and we are learning how to drive down the risk of the software systems that are the foundation of our societies.
Fundamentally, reducing risk happens when we get better at building software and buying software. A coherent software security initiative (SSI) helps organisations reduce risk overall; a secure development life cycle (SDLC) helps organisations build more secure, safer software.
The thing that’s hardest about software security is grasping the big picture. In the heat of the moment, it is easy to make the wrong decision. When your company’s bank account is low and everyone’s telling you, “We have to release this product NOW,” it’s going to be hard to say, “It’s too risky to release because we aren’t meeting our security policy.” When your biggest customer says, “I need you to open this port in your firewall NOW,” it’s hard, to say “No, let’s take little time and find the right way to get this done.”
In the end, it’s simple: Software is critical infrastructure. The resources required for security in the short term are justified by reduced risk and lower expenses in the long term. This is a significant shift from the get-it-done-and-ship-it-yesterday mentality that’s been the status quo, but if we’re going to build all our other infrastructure on top of software, we need to change our thinking and our processes to build software right.
Jonathan Knudsen is Senior Security Strategist at Synopsys Software Integrity Group