Treating Software as a Strategic Technology

by Marcus J. Ranum on March 29, 2010

Lately I've been thinking a lot about the problem of software security - "lately" being the last 15 years of my life, give or take. It seems to be a topic that's perennially on the horizon, because only a few cutting-edge software companies take it seriously enough to engage in some kind of secure software development lifecycle. I think that we security practitioners have "screwed the pooch" with regards to software security - 'vulnerability researchers' have done a pretty fair job of convincing most vendors that it's useless to even try; whether you get targeted or not has more to do with whether you're unpopular or market-dominating than with whether your software is foundational. Where have we gone wrong? It's simple: we treated it as a security problem. It's also a reliability problem - a quality problem. We asked the users to demand security, but what they needed to be demanding about was software that worked. Not just sometimes, but all the time - even if someone is deliberately trying to make it crash.

Afterbytes: Chinese Academics Paper on Cyberwar Sets Off Alarms in U.S.

by Marcus J. Ranum on March 26, 2010

The article: Chinese Academics Paper on Cyberwar Sets Off Alarms in U.S.:

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because "Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S."

If you've been following the China cyberwar hype, you need to read the article referenced above. It offers some deep insight into how the hype-meisters spin the "facts" to increase the apparent magnitude of the threats. If you want to read some of the "fully spun" material, you should read Northrop Grumman's paper entitled: "Capability of the People's Republic of China to Conduct Cyberwarfare and Computer Network Exploitation". As a pretty serious amateur military historian, I'm fascinated by such documents because they illustrate the bizarre gyrations of the military/industrial complex's group-think. They seem so - rational - when you read them, but when you ask yourself "what does this mean?" you realize that it's an attempt to justify insanity.

"One of the chief strategies driving the process of informatization in the PLA is the coordinated use of CNO, electronic warfare (EW) and kinetic strikes designed to strike an enemy's networked information systems, creating "blind spots" that various PLA forces could exploit at predetermined times or as the tactical situation warranted."