[ISN] Professor 'horrified' by poor security
isn at c4i.org
Thu Oct 28 04:31:23 EDT 2004
Forwarded from: William Knowles <wk at c4i.org>
By Edmund Tadros
October 26, 2004
Western computer systems are becoming more vulnerable to
cyber-attacks, according to an information technology expert.
Most commercial software makers have "abrogated" their responsibility
to create truly secure software, says Professor William Caelli, head
of the school of software engineering and data communications at the
Queensland University of Technology. Caelli told last week's
Australian Institute of Professional Intelligence Officers conference
that he was "horrified" at the thought that intelligence-related
systems might be developed on unprotected off-the-shelf platforms.
"Under no conditions should anyone in their sane mind run intelligence
analytical systems on a Microsoft platform," he says. He recommends
"Solaris version eight or better" as a secure platform for
intelligence systems and says the only way to secure a Microsoft-based
system would be by "air gapping", or disconnecting the computer system
completely from the internet.
"I'm talking about the problem of putting highly security-relevant
systems on a totally insecure base," Caelli says.
He believes there is no commercial motivation for the information
technology industry to develop truly secure systems. "The problem is,
essentially, the (information technology) industry itself abrogated
its responsibility relating to security some 20 years ago. Today's
servers and client systems are less secure than (the) mainframes I
used in the 1970s."
He says manufacturers are unlikely to improve their standards unless
there is "some sort of legislation" to mandate security levels.
Outsourcing and moving systems offshore also increase the risk of
cyber-attack because it is a "delegation of information security to a
Caelli is also critical of the lack of deep technology skills being
produced by universities, singling out the US, Japan and Australia as
being too focused on producing "business ready" IT graduates.
"There are many cases now where (the universities) are training IT
personnel and IT professionals who really have no idea how the
underlying structure of their systems work."
Caelli contrasts this with the deep technology skills coming out of
countries such as Russia, Estonia and Hungary.
"I've seen code coming out from these guys written in assembler
language. We don't do that any more. They do. They have (the)
He says similar skills will emerge from countries such as India, China
and Indonesia, and warns that automated spyware will become a "major
threat over the next five years".
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
More information about the ISN