September 11, 2007

The Financial Times of London

Tomorrow’s cyber-attacks could well be inside jobs

By Michael Franz

From Prof Michael Franz.

Sir, I greatly enjoyed Stephen Fidler’s thoughtful article “The biggest threat from cyber warfare lies in the future” (September 8). May I add two facets that his article did not mention, both of which indicate that the threat may be more immediate and more severe than it appears?

First, it talks about “hacking” by foreign intelligence services, which implies that the attackers are completely on the outside. But what about the possibility that agents of such foreign services are working on the inside, as developers employed by Microsoft and other leading software companies? It is probably cheaper to place 1,000 moles inside Microsoft than to launch a single spy satellite.

Every month, Microsoft finds and fixes dozens of “critical” vulnerabilities in its operating system. A significant proportion of these vulnerabilities are so severe that they enable a remote party to take complete control of an unattended machine over a network connection. Quite frankly, nobody knows what proportion of these vulnerabilities are simply programming errors and what proportion are craftily inserted back doors that merely look like programming errors.

Second, the article mentions resiliency and redundancy in networks: if emails fail, we can use mobile phones or landlines. Unfortunately, we are in the midst of a transition to voiceover-IP, in which long-distance carriers increasingly route all traffic across a joint voice and data network. It may well be that redundancy is an illusion on the surface and that all traffic eventually goes across the same IP-based network that is susceptible to cyber attacks.

Unfortunately, there have been documented cases of “critical” vulnerabilities also in the IP routers that are used across the backbone of the US internet. So how many foreign moles work at Cisco? The future may already be here.

Michael Franz,
Department of Computer Science,
Donald Bren School of Information and Computer Sciences,
University of California,
Irvine, CA 92717, US
Tomorrow’s cyber-attacks could well be inside jobs