Fill­ing ‘cy­ber-cracks’ isn’t enough

The Washington Post Sunday - - SUNDAY OPINION - Robert Big­man, Rockville The writer is an in­de­pen­dent cy­ber­se­cu­rity con­sul­tant.

Re­gard­ing the July 9 Econ­omy & Busi­ness ar­ti­cle “DARPA seek­ing sys­tem that finds, fixes cy­ber cracks”:

The De­fense Ad­vanced Re­search Projects Agency’s (DARPA) plan to “build a fully au­to­mated, com­pu­t­er­driven sys­tem that would find bugs in soft­ware and patch them on its own” rep­re­sents yet another fail­ure to un­der­stand why we have a cy­ber­se­cu­rity cri­sis. Find­ing “bugs” in de­ployed soft­ware and firmware as­sumes that one un­der­stands the con­stantly chang­ing code base that con­sti­tutes to­day’s In­ter­net and can fix se­cu­rity ex­po­sures be­fore hack­ers can take ad­van­tage of them. But what if the hacker in­stalls his own bad code (as hack­ers of­ten do) into a sys­tem or uses a hack to write over a com­puter’s mem­ory and then loads mal­ware nanosec­onds later?

A hacker can be in and out of a sys­tem with the bug-fin­der none the wiser. If hack­ers can ma­nip­u­late a com­puter’s code base (es­pe­cially while it is run­ning) at will, build­ing a faster bug-fin­der and patch­ing sys­tem will ac­com­plish very lit­tle.

DARPA would be wise to build more trust­wor­thy com­puter sys­tem firmware, op­er­at­ing sys­tems and pro­gram­ming lan­guages that would min­i­mize hack­ers’ abil­ity to at­tack sys­tems and to find and patch buggy code that could be ex­ploited.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.