For most of my teenage years, I made a hobby of hacking into some of the world’s largest government and corporate computer systems. I was “lucky” enough to be raided by the F.B.I. when I was 17 years old. After that wake-up call, I eventually started a software security company and now find myself helping to plug security holes, not exploit them.
The nature of hacking has changed, too, since I left it in the late 1990s — from a game of curiosity and occasional activism into a central tool in cybercrime and nation-state attacks.
Alongside that shift has come a loud and often misguided conversation about what to do to stop this new breed of hacking. Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed. Instead of focusing solely on employees who accidentally open e-mails, we should also be pressuring software makers to make significant investments in their products’ security.
When you read headlines about the latest cyberattack, you typically do not hear about how attackers were able to put a virus or other malware on a system in the first place. In many cases, it begins with attackers exploiting a software vulnerability or weakness in order to install their malware.
The unspoken truth is that for the most part, large software companies are not motivated to make software secure. It’s a question of investment priorities: they care more about staying competitive with their products, and that means developing the latest features and functions that consumers and businesses are looking to buy. Security issues are often treated more as a marketing challenge than an engineering one.
A result is an open door to hackers inside some of the world’s most popular software systems. Perhaps most famously, during the early to middle parts of the last decade, hackers discovered a significant number of glaring security weaknesses in Microsoft products (some of which were discovered by my company). Several of these weaknesses were exploited in high-profile computer virus and worm attacks.
To be fair, securing software is not a trivial task. Often it means building in multiple barriers to entry and keeping those defenses current with the latest developments in hacker techniques. Security has to be a central and significant investment in any software development project.
Still, given the heightened impact of recent attacks on both corporate and government operations, we must begin to hold software companies accountable for such vulnerabilities.
Fortunately, there is a lot a company can do to secure its code, should it choose to. After Microsoft’s software vulnerabilities drew significant negative attention — one of the few times the public has correctly affixed blame to a software company — Bill Gates himself addressed the issue in 2002 in his now famous “Trustworthy Computing” memo.
In that memo, sent to all Microsoft employees, Mr. Gates made it clear that the company’s future depended on building software and a platform that could be reliably secure. It was more than talk: in the decade or so since, Microsoft fundamentally changed its software development process to make security a core part of the program.
Too many other companies, though, seem to have missed the memo.
Take Oracle, and specifically the security challenges surrounding its Java software, which the company inherited through its 2010 acquisition of Sun Microsystems. Java, one of the most ubiquitous pieces of software in the world, is so full of security holes — including multiple avenues for hackers to take control of a computer remotely — that the Department of Homeland Security recommends that its users completely disable the software in their browsers.
Oracle is not alone. Adobe, which makes the popular Adobe Reader and Flash applications, has seen a significant number of security weaknesses over the years and also a sharp increase in its software’s being a gateway for cyberattacks. The risks associated with Flash were one reason Apple decided not to allow it on iPhones.
Like Microsoft, Adobe has made strides to increase the security of its technology over the last couple of years, and more recently some of those security improvements seem to be paying off. But it still has work to do.
In his 2002 memo, Mr. Gates cast the security challenge as not just a Microsoft problem, but one for the overall industry. A computer or a network is only as secure as its weakest link — no matter how secure one program might be, a poorly protected bit of software could compromise everything.
That means that on top of investing in their own security, companies have to make efforts to coordinate with other developers to present a united front. Adobe and Microsoft have worked together in recent years to identify and close off mutual vulnerabilities, and other companies should follow suit.
A lot of the talk around cybersecurity has centered on the role of government. But investing in software security and cooperating across the software industry shouldn’t take an act of Congress. It will, however, take a new mind-set on the part of developers. They should no longer see security as an add-on feature, nor should they regard holes in their competitors’ security efforts as merely a competitive advantage. As the world comes to depend more and more on their products, it should demand nothing less.
Marc Maiffret is the chief technology officer of BeyondTrust, an enterprise security management company.