Tuesday, February 2, 2016

Too Clever for Our Own Good

If ever there were a case of government being too clever for its own good, Corey Bennett and Katie Bo Williams [Corey Bennett and Katie Bo Williams, "Government software may have let in foreign spies", The Hill, 2 February 2016, http://thehill.com/policy/cybersecurity/267826-government-software-may-have-let-in-foreign-spies] may have the story that captures it. We will never know whether this story is pointing the finger in the right direction, but it makes for a thought-provoking article about what happens when a government gets involved in putting back doors into commercial software and gets caught. It damages both the commercial company and the government program.

Bennett and Williams point to a case involving Juniper Networks ScreenOS, discovered last December, which may indicate that a backdoor put into the software by NSA was exploited by a foreign government for upwards of three years. ScreenOS is the operating system of the firewall and VPN products offered by Juniper [http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html]. The Russians have been doing a lot of work in this area for quite a few years, and the Chinese are following along, particularly in forged domain certificates and tampering with software distribution. Both undermine the core security functions of the Internet.

If we discover that the Russians or Chinese are doing something similar, the government usually classifies the discovery as Secret and will only tell people with security clearances. If this sounds narrow-minded, so be it. Nobody is ever going to say in public how the modified software got into a production item like ScreenOS. If we were to do something like the article implies, i.e. get someone to put a backdoor into software they own, we would classify that program Top Secret and hardly ever tell anyone outside of a few people in government. So, almost always, the security and intelligence services of a country know more about this area than anyone else. The public never finds out what anyone is doing until there is no longer any way to protect what has been discovered. That is what happened here: the discovery of the modifications to ScreenOS became public.

Most businesses do not want their products modified for any reason like the one the article describes. If discovered, the impact on global business operations can be staggering. Our telecoms lost business after the disclosures by Edward Snowden, even though they were not active participants, and other countries used the disclosures as an excuse to promote their own telecoms. In this case, it will be some time before users buy devices that run the modified software, even if it wasn't Juniper's fault that it happened. I can't see a business like Juniper allowing such a thing to occur, or failing to protect its supply chain for ScreenOS. They are too business savvy to allow such a thing.

There are other explanations for the kind of attack being portrayed here. First among them is manipulation of the code posted for distribution to these devices at the distribution point itself, something the Russians and Chinese have done before. It is possible the case has nothing to do with an "NSA backdoor" being inserted in the software. It could be the Russians modifying the code and getting the modified copy back onto a distribution site for ScreenOS. That would be bad for Juniper, but not willfully bad, since they did not cooperate in its being done. Users download an update and get modifications made by someone other than the manufacturer. There are several reports of this being done in the energy and oil management business, so it is not particularly new, and the fingers usually point Russia's way.

Second, if this really happened the way they say, it would be the compromise of a classified program operated by the Federal government. Like Stuxnet, it will be analyzed, copied, modified and put back out for sale in no time. Nobody benefits from this kind of thing, least of all the countries that carried out the attack.

Other countries would love to say that this was something NSA did that didn't work out very well, but there are other ways for the outcome to be the same that are more believable. When it comes to wholesale interception of supposedly secure communications, NSA no longer has a lock on the market.

We still have a good bit to learn about the security of software distribution and the general area of supply chain security. Let this be a lesson to those who have software they must deliver to their customers. The damage to a business will not be easy or simple to overcome.
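The tampered-distribution-site scenario described earlier and the closing lesson on software distribution both come down to one control an operator can apply before installing anything: check that what the download site served is exactly what the vendor published. The block below is an added example written for this post, not Juniper's tooling or ScreenOS code. The filenames, image bytes and manifest are constructed sample data, and it assumes the operator has pinned the vendor's digest manifest from a channel other than the download mirror (for instance the vendor's signed release notes).

```python
"""Verify downloaded software images against a digest manifest that was
obtained and pinned out of band (e.g. from the vendor's signed release
notes), not from the same download site that served the images.

Added illustration for this post; not Juniper's tooling or ScreenOS code.
Image contents, filenames and the manifest are constructed sample data.
"""
import hashlib
import hmac
import io

# Constructed sample "images" standing in for real firmware files.
GENUINE_IMAGES = {
    "update-a.bin": b"\x7fELF" + bytes(range(256)) * 4,
    "update-b.bin": b"\x7fELF" + bytes(range(255, -1, -1)) * 4,
}


def sha256_stream(fileobj, chunk_size=1 << 16):
    """Hash a file object in chunks so a multi-hundred-megabyte image does
    not have to be held in memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def build_manifest(images):
    """Produce a manifest in sha256sum format: '<hex digest>  <filename>'.
    In a real release this is what the vendor publishes and signs."""
    return "\n".join(
        f"{sha256_stream(io.BytesIO(data))}  {name}" for name, data in images.items()
    ) + "\n"


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}. Malformed lines
    raise instead of being skipped, so a damaged manifest cannot silently
    drop a file from the check."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        expected[name.strip()] = digest.lower()
    return expected


def verify_image(name, fileobj, expected):
    """True only if `name` is listed in the pinned manifest and its content
    hashes to the listed digest. Unknown filenames fail closed: a file that
    merely appeared on the mirror must not get a pass."""
    if name not in expected:
        return False
    actual = sha256_stream(fileobj)
    # Constant-time comparison; avoids leaking how much of the digest matched.
    return hmac.compare_digest(actual, expected[name])


def verify_download_set(downloaded, manifest_text):
    """Check every downloaded file against the manifest; returns {filename: bool}."""
    expected = parse_manifest(manifest_text)
    return {name: verify_image(name, io.BytesIO(data), expected)
            for name, data in downloaded.items()}


def demo():
    # The manifest the operator pinned from the vendor's signed release notes
    # *before* fetching images from the mirror (constructed here from the
    # genuine images so the example is self-contained).
    pinned_manifest = build_manifest(GENUINE_IMAGES)

    # What the mirror actually served: one image intact, one with a single
    # byte altered (the tampered-distribution-copy scenario), and one file
    # the vendor never published placed alongside them.
    tampered = bytearray(GENUINE_IMAGES["update-b.bin"])
    tampered[100] ^= 0x01
    served = {
        "update-a.bin": GENUINE_IMAGES["update-a.bin"],
        "update-b.bin": bytes(tampered),
        "update-c.bin": b"file that is not in the manifest",
    }
    return verify_download_set(served, pinned_manifest)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK     ' if ok else 'REJECT '}{name}")
```

A digest file fetched from the same mirror as the image proves nothing, since whoever replaced the image can replace the digest beside it; the manifest has to be authenticated separately, which in practice means a vendor signature checked against a key pinned in advance. The check also says nothing about the other scenario the post discusses, code the vendor itself shipped: a backdoor that is part of the genuine build hashes correctly.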
