By Jack Ganssle
Securing Cyberspace
Published 2/20/2003
The Bush administration has released a policy titled "The National Strategy to Secure Cyberspace" (http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf).
The usual preamble outlines the usual security concerns and identifies the usual threats against our digital infrastructure, focusing on the usual high visibility network nodes: enterprises, government and SOHO. The word "embedded", however, isn't to be found.
Today very few of these are networked, but that's rapidly changing. An array of different kinds of wireless services removes the hassle of connecting appliances and other smart devices to the net. Really compelling reasons (like remote management of complex equipment and distributed sensor arrays) will accelerate the race to connect these applications. Silly consumer products, like toasters that broadcast their status, will also create a push for more networking.
I'm not concerned that a smart refrigerator will take over the world, and worry little about cyberterrorists changing a microwave's cooking profile. Instead, it's the coming ubiquitity of networked embedded systems that may form a threat of stunning proportions. Tens of billions of hijacked network nodes could create a DoS attack (http://www.denialinfo.com/) that can't be imagined. Or a vulnerability in an engine controller, exploited by an adversary or just a malicious teenager, could leave every Ford suddenly stalled in traffic. A computer expert won't be "on-site" to press a reset button or implement new security protocols.
But those are minor compared with the possible threats. Remember the 1984 Union Carbide accident in Bhopal? Today most chemical plants are controlled by computers. If hacked, who knows what catastrophe could result? Other nightmarish disasters are easy to imagine.
One might argue that embedded systems are mostly immune to being co-opted, since they use so many different processors running unique and proprietary code. That's changing. Networking remains complicated; few engineers have the skill or time to design their own protocol stacks. They're using one of a handful of common platforms, like Linux, embedded flavors of Windows, or one of a few commercial RTOSes. Today these products' security weaknesses are managed by a never-ending stream of patches installed by a priesthood of network administrators. But few patches will propagate to the vast array of embedded products - and even smart dust (http://www.eetimes.com/at/news/OEG20020405S0015) - of the future
The President's proposed strategy for dealing with cyberthreats is long on generics, short on specifics, and totally lacking in action items - who does what when. It embraces training and education, asks for new laws, and suggests we reduce bugs. All good and important ideas. It leans on private industry rather than government intervention - probably wise, though so far, that has not worked.
I think most of our computer security ills stem from an unsophisticated public who have not demanded secure computing. Most consumers of desktop OSes and connected embedded devices accept the status quo. They feel they have no other viable options, and don't have any idea how to decide if the latest product is spyware, a trojan, riddled with buffer overflow problems, or as solid as Fort Knox.
Secure cyberspace requires consumers who demand security. I'd like to see the President add another chapter to his strategy. Form a public/private organization whose charter is to attack computer-based products and software. Hire hackers, steal employees of big vendors who may have useful inside knowledge, and by all means use automated regression testing that looks for previous vulnerabilities to stress software and firmware. Grade products and post the results prominently.
Sort of like a Consumer Reports (http://www.consumerreports.org/main/home.jsp ) or Underwrites Laboratories (http://www.ul.com/), companies will seek the approval of such an agency; those whose products score well will splash their "A" grade all over their marketing literature. Non-compliant companies will have no choice but to fix security holes to remain viable competitors.
A "Trusted Computing Initiative" is a very Good Thing. Securing cyberspace is absolutely critical. Both will fail unless consumers have an independent and quantitative way to measure security.