A friend of a friend suggested to me that I should carefully preserve my Commodores and other vintage computer gear, because it’s the only secure computer equipment available. I said I don’t complain too loudly since security is my job. He then said I’ll always have a job, because so many security threats are deliberate. While he’s not wrong, saying all security threats are deliberate is unhealthy. Here’s why.
Deliberate security threats certainly exist, because planting backdoors in the supply chain is the best way to get into certain highly sensitive networks. But I’ll argue that more security threats are honest mistakes than intentional sabotage.
Why security flaws happen
Security flaws happen largely because of the way we design things. Complexity increases the chances of mistakes, and mistakes lead to security flaws. Modern computing is extremely complex.
I’m not a talented software developer by any stretch. But at one point in my life, I wanted to be a developer. Most of my code is lost to the ages and that’s not altogether a bad thing. When I do find some of my old code, I can recognize problems with it, like buffer overflows. I didn’t put those buffer overflows in there deliberately. They happened because of where I stored my data in memory. I stored the data where I did because it made the program more efficient. Maybe it made the program take less memory. Maybe it made it run slightly faster. Sometimes it did both. And in a world when 10 MHz was a fast computer, you were happy to make those trade-offs.
I thought I was good at writing clever, compact code. Then I went to college. How many security flaws lurked in the clever code my professors taught us to write in the mid 90s? Far too many, I’m sure. They weren’t malicious or careless. They were teaching us ruthless efficiency, and we were blissfully unaware of the tradeoffs we were making.
Intel Spectre and Meltdown as an example
A perfect example is the myriad of recently discovered security flaws in modern Intel CPUs. Security agencies told Intel in the 1990s, in the Pentium Pro era, not to make certain design decisions in the future. A few years later, Intel hit a wall in terms of performance and went against that advice. Maybe Intel ignored the NSA’s advice. More likely they simply forgot it. But here’s a case where a spooky government agency tried to help a key supplier make its products more secure, not less.
This was a classic case of the market deciding against security. Intel designed processors that took efficiency and performance to new levels, and the market bought them in huge numbers. Many years later, we discovered there was a problem. But I don’t remember anyone complaining at the time.
And in all fairness, other CPU makers made similar decisions for exactly the same reasons. Some chips fared better than others. It wasn’t nefarious, it was just something that looked like a good idea at the time. Sure, the road to hell is paved with good intentions, but some good intentions work out.
Examples of deliberate security threats
That’s not to say deliberate security threats, including those planted by hostile governments, don’t exist. As of 2019, it seems like Huawei equipment is banned in more countries than it’s allowed, largely out of concerns its equipment is backdoored. But concerns about Huawei equipment are hardly new. I literally don’t remember when I first heard about those accusations. It may predate Cisco’s legal action against Huawei back in 2003.
Similar concerns have existed regarding Lenovo equipment off and on since at least 2006.
In both of these cases, there were at least concerns that the equipment in question had backdoors in it, either in hardware or software, to aid in the theft of trade secrets and/or classified information.
In other instances, I’ve seen reports of counterfeit (or modified) equipment that looks and behaves enough like the real thing to function containing backdoors and ending up in places it shouldn’t. These types of attacks can be harder to detect and prevent. It’s one thing to avoid buying products from companies who appear too cozy with a hostile foreign government. It’s another to get a product from an approved vendor that contains a little something extra inside the case.
A word about conspiracies
It’s natural to jump to the conclusion of conspiracies when we find something that troubles us and we don’t understand it. But conspiracies are hard to pull off and even harder to conceal. Also, since there aren’t a large number of companies supplying these technologies, sabotage can hurt you as well as your target. It’s like polluting the stream that supplies drinking water to both you and your enemy. One relatively recent security conspiracy theory was driven by misunderstanding the technologies in question.
In the 1980s, the NSA concentrated on offense. Late in the decade, it started to realize it needed to start playing defense too, and its counterparts in other governments did the same.
And when it comes to security, there are enough existing flaws, generally speaking, that you don’t need to plant new ones. I help companies figure out how to apply security updates for a living. The people who go on security podcasts and talk about still finding vulnerabilities from 2008 floating around aren’t exaggerating when they say that. It doesn’t happen everywhere, but it still happens far more often than it should. Even security products have them.
Finding and exploiting existing security threats is usually easier, cheaper, and more productive than introducing deliberate ones.