Forwarded from: William Knowles <wk@c4i.org>
http://www.gcn.com/vol1_no1/daily-updates/36688-1.html
By Patience Wait
GCN Staff
08/17/05
HUNTSVILLE, Ala.- A professor from Auburn University has made the case
that the United States may face a war in the future in which not a
single shot is fired, but yet America loses.
There could be "pre-emptive achievement of military objectives
strictly by information warfare techniques," said John "Drew"
Hamilton, associate professor of engineering and director of the
Information Assurance Laboratory at the university.
Hamilton projected that such a conflict could take place by 2015 - the
time it would take to infiltrate computer development programs and
insert malware into operating systems, applications software, firmware
and hardware.
Acquisition trends in the military actually facilitate the possibility
of such a scenario, Hamilton added. "You don't expect the military to
go to Home Depot to buy a [rocket launcher], but we expect them to go
to Staples to buy software," he said.
Software developers have always written back doors into their code,
and even secure, partitioned systems such as the Secret IP Router
Network have them.
"I learned that when I got e-mail from Joint Forces Command to scan
their attachments" for viruses, Hamilton said.
The risk in pushing the use of commercial, off-the-shelf software is
compounded by private-sector outsourcing, he said. Microsoft Corp.,
for instance, has outsourced some programming tasks to China and
Russia.
Hamilton said that Dan Wolf, information assurance director of the
National Security Agency, told an academic group in June that "DOD
agencies have been outsourcing IT services to [Section] 8a firms that
are fronts for foreign intelligence agencies."
Nor is the problem limited to the Microsoft environment. Linux, touted
by open-source proponents, has its own vulnerabilities. "NSA [National
Security Agency] recompiled the kernel so you can't turn off [key]
logging, which is good for forensics," figuring out what happened
after the fact, Hamilton said.
Finally, the military has not made software a "core competency,"
according to Hamilton. "Some government agencies have contracted for
software code they don't own the rights for."
Hamilton suggested several steps that could be taken to pre-empt and
prepare for this kind of warfare, including reverse-engineering
software architecture to find weaknesses, identifying sensitive
parameters that can be exploited and looking for undocumented
functionality.
He also said that the Defense Department should stop funding
university research conducted by foreign nationals. Hamilton added
that this is not a xenophobic reaction, but a reasonable response to a
potential threat.
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
