Once, flaws in software design could simply be reported by consumers and fixed by manufacturers. However, the current state of cyber warfare has turned such flaws into wide open opportunities for malicious attacks on computer systems.
Avoiding such vulnerabilities matters enough that people with cyber security training should be part of the design of today’s software, so that it is capable of resisting such attacks.
In a recent interview with USA Today, Richard Bejtlich, a former cyber security specialist for the U.S. Air Force in the 1990s, said he had an eye-opening experience while working in the military’s early days of dealing with cyber warfare. He and other members of his team found a “zero-day vulnerability” – a previously unknown flaw – in routing equipment designed by Cisco. They reported the flaw to Cisco, where officials said they would fix the problem.
Only days later, when he was talking to those who worked on the attack side of the cyber warfare division, did he learn of the lost opportunity. They were dismayed.
“They said, ‘You did what? Why didn’t you tell us?’” Bejtlich told USA Today, adding that his co-workers were upset they had missed a chance to use the flaw as a method to “get into all these various hard targets.”
That opened his eyes to how flaws could be used as backdoors into systems, giving cyber terrorists unprecedented access to computer systems. From then on, a standing order required any future flaw to be reported to the offensive unit, which would then decide what to tell the manufacturer.
The government’s silence about such flaws is a source of controversy in some areas, where concerns are high that consumers are going to pay the price for the secrecy about software design flaws.
However, the strategy has already been put into play. The United States and Israel used a flaw in a Microsoft Windows operating system to launch the Stuxnet worm against computers that controlled nuclear devices in Iran.
ACLU technologist Christopher Soghoian told USA Today that the interest in finding software flaws has gotten to the point that researchers are dedicating time to finding them – and in some cases, cashing in.
He said, “For every researcher who is doing the right thing and getting a modest reward, there are plenty of researchers who are selling these things for what they deem to be the true market value.”
It has also led to increased interest in training people to handle cyber security issues. Universities and colleges offer online and traditional on-campus classes leading to cyber security degrees and certificates.
And there seems little likelihood of a let-up in demand – the U.S. Bureau of Labor Statistics projects a 22 percent increase in the number of cyber security jobs by 2020.