Commercial software opens cyber-terror backdoor

by Robert Jaques

22 May 2006

Life-cycle attacks could be buried deep within millions of lines of software code
Software can be exposed to threats such as the insertion of malicious code

US military, government, security and critical infrastructure agencies are being warned against using commercial software which could be hacked by foreign cyber-terrorists.

The warning was issued by Cyber Defense Agency (CDA), an information security consulting and research company specialising in services for the US government and infrastructure sectors.

CDA said that gas, electricity, telecoms, banking and water companies are among the critical service providers that could fall victim to cyber-terrorism caused by so-called life-cycle attacks buried deep within millions of lines of software code.

Life-cycle attacks occur when one line of code is rigged to open vulnerabilities within the software, thus exposing the software and the company to external threats, CDA stated.

The firm claimed that the US Department of Defense recently commissioned an evaluation for top security experts to report and analyse the threats of foreign influence on the government and military's use of commercial software.

It went on to suggest that software built by less expensive overseas labour is exposed to "several threats such as the insertion of malicious code".

These so-called "adversarial foreign interests" or "trans-national criminal and terrorist groups" will then be able to exploit these pieces of inserted code in "strategic attacks against the US".

"Outsourced commercial software used by the military and critical infrastructures poses a silent but significant security risk to the defence and welfare of the US," said Sami Saydjari, chief executive and president of CDA.

"The chances of strategic damage from a cyber-terrorist attack on the US increase the longer it takes the US military and critical infrastructures to remedy the risks posed by using outsourced software."

The company advises governments, organisations and firms responsible for critical infrastructure to architect critical systems with defence-in-depth security mechanisms from different vendor sources under the assumption that some of the software contains life-cycle attacks.

It is also necessary to limit software privileges using fine-grained security control software technology already developed under government research programmes, and to configure intrusion detection systems to detect the activation and use of such life-cycle attacks.
