Hidden Threats from Foreign Software

In the ongoing fight for spheres of economic and political influence, the emphasis is ever more noticeably shifting from open confrontation, including wars, to the reliance on various forms of control over and management of nations’ information resources. They use for the purpose, highly effective and hidden penetration of the software run on the government’s information and management systems, and the tie-in with foreign vendors’ IT technologies that are being imposed with all means available. As a result, the information infrastructure of the nation may become technologically dependent even on a software vendor.

In the ongoing fight for spheres of economic and political influence, the emphasis is ever more noticeably shifting from open confrontation, including wars, to the reliance on various forms of control over and management of nations’ information resources. They use for the purpose, highly effective and hidden penetration of the software run on the government’s information and management systems, and the tie-in with foreign vendors’ IT technologies that are being imposed with all means available. As a result, the information infrastructure of the nation may become technologically dependent even on a software vendor.

Information impact as a new type of weapon

An information impact can be regarded as a weapon, an even more effective weapon, to an extent, than traditional types of armaments and military hardware.

Russia, with its significant military and economic potential, is deemed to be a serious impediment to the policies of economic, cultural and military expansion sponsored by the Western nations and particularly by the U.S. And it is thus at the focus of attention on the part of foreign secret services involved in information warfare.

Today’s software is a very complex product, developed with special programming tools and systems software whose scope and complexity could exceed, by an order of magnitude, those of the applications software. As a result, software verification becomes a virtually unsolvable problem. This is exactly why software developers could never offer an absolute assurance of the reliability of their software product, effectively assuming no liability for any consequences caused by any software defects. It is particularly difficult to detect any defects which might have been introduced intentionally at the software development stage. With the growing tendency in Russia to import software and information technologies there is a higher possibility that the software defects are imported too. There is hence a much higher probability that the critical information systems in Russia could be disrupted by this IT weapon already at the stage of development.

Weaknesses and lapses in IT development, as well as in the rules and methods fundamental to any software security control extensively compromise Russia’s information security. Secure information technologies should be based on domestic systems and application programming tools (operating systems, compilers, debugging programs, cross-assemblers, etc.) that would ensure efficient development of software applications.

Free software for government agencies

According to the government’ special programme, nearly all government agencies are to transition to the so-called free software by 2015. According to calculations, the government agencies spend about 15 billion rubles annually on acquiring licences for international computer software. These substantial amounts flow abroad feeding international software manufacturers, so it would be logical to divert the money to purchase domestic software thus developing Russia's entire IT industry.

Many countries have already adopted government-level programmes to implement free computer software at the government bodies to start with. As a result, about half the government agencies in the Netherlands now use alternative software while one third of all public services to Germany’s population are delivered with such software.

For more information, please go to (in russian): http://expert.ru/expert/2012/08/byit-li-russkoj-windows/

Ensuring security of software

Photo: In 2002, the Dutch parliament has decided
that public sector should use open standards
in IT systems

There are two aspects of information security: technological and operational.

Technological security means there are no sabotage malware defects in the software.

Operational security defines the level of protection of information against unauthorized access or manipulations. Obviously this type of security cannot be ensured solely with steps to protect information and IT systems against unauthorized access. However effective, they cannot rule out the possibility that the protected IT systems may contain some software with backdoors, i.e. software bugs or defects with, the so called, “undeclared options”. Such bugs may be there for some tasks that are outside the competence of the given software (e.g., personal data collection, data on running applications, etc.). Besides, security applications too may have such backdoors.

It follows from the analysis of consequences caused by backdoors, that in a military management system they may block the use of certain types of weaponry or a defensive IT system. In some cases, they could cause information in the government IT and communication systems to be stolen, leaked or altered (or even destroyed), financial or banking data leaked or altered (or destroyed), or environmentally hazardous industries, specifically in the nuclear energy sector, disrupted. It effectively means that Russia, with its powerful deterrent against a potential aggressor, may find itself unarmed and will be pushed to an environmental or financial disaster.

Backdoors in action – case studies

The most notable example of backdoor performance is the military conflict in the Gulf. During the Desert Storm operation, Iraq’s air defence system got blocked for an unclear reason. In spite of the absence of comprehensive information, there were assumptions that the computers - part of the air defence hardware Iraq had acquired from France - were fitted out with special controlled backdoors that blocked the computer system’s operation.

Experts discover, from time to time, undocumented software capabilities. For example, the Information Note by the Computer Emergency Response Team declared that there was a backdoor in the AOS (Alcatel Operating System) operational system, version 5.1.1. used for management of Alcatel OmniSwitch 7700/7800 exchanges. The backdoor activates the telnet service enabling a remote perpetrator to perform unauthorised management of the exchange.

There has been a case when a sacked software programmer stole the data through a backdoor he had left in the software.

For more information, please go to: http://www.anti-malware.ru/software_backdoors#p5

Photo: www.histomil.com
A column of Iraqi armored vehicles destroyed by
air strike after blocking Iraqi air defense system

We shall call critical application systems those automatic and automated systems upon whose orderly operation the security of Russia rests. To make such systems secure one needs to start with developing and implementing advanced automatic and automated information processing systems. Because of the higher requirements to critical management tools and the ever growing scope of the tasks they perform, there is a bigger role to be played by the software in the automatic and automated management systems. And this, in turn, presents still higher requirements for software security and, hence, for the security of the IT used in the development and running of the software programs.

As a result, key to the security of critical areas are the information technologies employed in the development of critical applications software.

IT security means their capacity to screen off (neutralize) or prevent any impact from outside or inside threats to information security, such as:

• malware bugs disrupting systems operations;
• unauthorized access to information to alter or destroy it, or else to be acquired by an unauthorized person using special bugs that are capable of bringing down the defences intended to protect information and IT systems.

In view of the above, it is possible to argue that malware is the most dangerous variety of information weaponry, and with that, ensuring that critical applications are technologically secure is of particular relevance.

What can be done?

Photo: x-technologies.com

What should be the plan of action to counteract the threat? First and foremost, we should offer incentives to any efforts to develop and implement secure information technologies in program development for critical applications, and to focus the work of academic, research and education centres and firms on relevant research and innovations.

In view of the current and expected economic conditions in the country, as well as the specific aspects of the problems, it may be tackled in two stages.

The first stage will be to lay down the theory of information security and the framework for secure information technologies, and to develop and implement priority actions to enhance information security of critical applications systems.

This goal may be achieved through the following objectives:

• developing the concept of software’s technological security and the methodology for defining and controlling security requirements;
• advancing suggestions as to the scope and contents of rules, regulations and laws underpinning software technological security;
• formulating suggestions on the structure of the software technological security control system in critical applications and on logistical and HR steps to implement them.

The second stage will be to leverage off the domestic academic and R&D potential to create a full-fledged control system and ensure technological security of the software used in critical applications.

This goal may be achieved through the following objectives:

• developing suggestions on specific legislation aimed at ensuring technological security of software;
• setting up a network of independent centres of software security validation;
• arranging for training and upgrading as well as retraining of manpower in secure information technologies and software security validation;
• developing a system of measures to ensure ongoing improvement of secure information technologies and methodological support to exercise proper control over the technological security of software.

Software Security Policies

The critical applications IT policies should be based on the following principles:

• government funding of scientific, research and development projects aimed at building and implementing secure information technologies and elements thereof across software development firms, with the government retaining ownership over the technologies thus produced;
• equity financing from government, firms and banks and the key state corporations to fund research and development in the creation and implementation of secure IT in finance and banking industries, and across the critical infrastructure in the production and energy sectors of the economy;
• funding and state support offered to R&D firms and high-tech industrial enterprises capable of developing an interim version of secure IT and their elements, with a possibility of patenting them as know-how and selling them in Russia and elsewhere;
• a network of independent software security verification centres, which, although set up with a government support, should not be barred from conducting commercial business.

In summary, reliance on foreign software may create a serious threat to Russia’s information security, particularly when it is used in critical applications systems. The current procedures for the authentication and certification of imported software products cannot give an absolute assurance that such products do not contain any bugs or backdoors.
Given that, the government should focus more on the efforts to develop software domestically, probably through a creation of a special federal programme complete with a funding budget.