In Gary McGraw’s work “Cyber War is Inevitable (Unless We Build Security In)”, he uses a few examples of how relatively simple it was for malware attacks to succeed and then extends that idea to conclude that our whole cyber infrastructure is vulnerable, and thus that security must be programmed into software at the base level. McGraw believes that every new piece of hardware, once built, must then have a software package installed that focuses on securing that hardware from external attacks.
However, his viewpoint is not one I find myself agreeing with. The Stuxnet example that McGraw seems fond of using was a targeted attack on Iran’s nuclear centrifuges that exploited multiple zero-day bugs. McGraw also picked up on the zero-day idea and presented McQueen et al.’s conclusion that on average there are about 2500 zero-day vulnerabilities in existence on any given day. That count includes vulnerabilities that companies have found in their own software, so it does not mean that all of them are found by malicious programmers. Given that the targets of these programmers would likely have some form of defense in depth, a vulnerability that is found may not, on its own, be enough to gain access for the programmer in question.
One point that I have to contest in McGraw’s work is his quote: “What sometimes passes for cyber defense today – actively watching for intrusions, blocking attacks with network technologies such as firewalls, law enforcement activities, and protecting against malicious software with anti-virus technology – is little more than a cardboard shield”. I will admit that the defenses he lists can be maneuvered around: with the right vulnerabilities, one could get past firewalls and the code that restricts entry to the system; law enforcement is extremely difficult because the origin of a program can be spoofed when it is sent; and finally, most anti-virus technology consists of matching a virus’s signature against a database, which can be defeated by using the rootkit tools available online to change the signature and prevent detection. However, these are not the only forms of protection available. One company, FireEye, sells specialized protection hardware and software that integrates into large company servers to scan through the whole system and detect malware, isolate it and, if needed, delete it. The FireEye system does this by taking the program to be scanned, placing it on a virtual machine and allowing it to run while watching for malicious actions, which is completely different from what McGraw describes in his fatalistic view of cyber defense. I believe that we are already developing the cyber defense McGraw calls for in his work, though not nearly as specialized as what he demands.
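To make the contrast above concrete, here is an added illustration (not code from McGraw’s essay or from FireEye) of a hash-based signature check beside a behaviour-based check run over a constructed sandbox trace; the sample bytes, the trace events and the three rules are all invented for the example.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-ins: no real malware, no real sandbox output.
Event = Tuple[str, str]   # (action, target) as a VM sandbox would record it

SAMPLE_A = b"CONSTRUCTED-SAMPLE-A"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}

def signature_verdict(sample: bytes) -> bool:
    """Signature-style AV: hash the bytes and look them up in a blocklist.
    Any change to the file, however small, produces a different hash."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

def behaviour_verdict(trace: List[Event]) -> List[str]:
    """Sandbox-style check: judge what the program DID while it ran in the VM,
    independent of its bytes. Returns the list of rules that fired."""
    findings = []
    written = {t for a, t in trace if a == "write_file"}
    executed = {t for a, t in trace if a == "exec"}
    if written & executed:
        findings.append("drops a file and then executes it")
    if any(a == "reg_set" and t.lower().endswith("\\run") for a, t in trace):
        findings.append("adds an autorun registry entry (persistence)")
    if any(a == "connect" for a, _ in trace) and len(written) >= 3:
        findings.append("outbound connection followed by bulk file writes")
    return findings

# Constructed trace of a suspicious run (203.0.113.0/24 is a documentation range).
CONSTRUCTED_TRACE: List[Event] = [
    ("connect", "203.0.113.7:443"),
    ("write_file", r"C:\Users\Public\svc.exe"),
    ("exec", r"C:\Users\Public\svc.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("write_file", r"C:\Users\Public\a.doc"),
    ("write_file", r"C:\Users\Public\b.doc"),
]

# Constructed trace of an ordinary program: one download, one file written.
BENIGN_TRACE: List[Event] = [
    ("connect", "203.0.113.9:443"),
    ("write_file", r"C:\Users\Public\report.pdf"),
]

if __name__ == "__main__":
    tweaked = SAMPLE_A + b"\x00"   # one byte appended: same behaviour, new hash
    print("signature on original:", signature_verdict(SAMPLE_A))   # True
    print("signature on tweaked: ", signature_verdict(tweaked))    # False
    print("behaviour on trace:   ", behaviour_verdict(CONSTRUCTED_TRACE))
    print("behaviour on benign:  ", behaviour_verdict(BENIGN_TRACE))
```

The signature check fails on the tweaked sample while the behavioural rules still fire, which is the gap the sandbox approach described above is meant to close.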
Some questions I would like to pose to you:
- Do you believe that what we consider software security in the US is sufficient already for any foreign national attacks, i.e. cyber war?
- Which do you believe to be more effective in the short and long term for security: the software tailored to both functionality and security as McGraw mentioned, or the development of other methods to use security software to protect ourselves as FireEye does?
- Do you agree with McGraw’s idea that, if cyber warfare is inevitable, the best offense would be a good defense?
- Considering that Iran’s alleged response to Stuxnet was reported to be taking control of a drone, is tracing the origin of a program as certain as McGraw claims when he discounts the possibility of a first strike being effective in cyberspace?