The Bush administration has released a policy titled “The National Strategy to Secure Cyberspace.”
The usual preamble outlines the usual security concerns and identifies the usual threats against our digital infrastructure, focusing on the usual high visibility network nodes: enterprises, government, and SOHO. The word “embedded,” however, isn't to be found.
Of the eight billion CPUs produced each year only 2% are for PCs and workstations. The rest go into embedded systems, the essence of every electronic device, from toys to nuclear power plant controllers. They run factories, manage weapon systems, and enable entertainment centers.
Today very few of these are networked, but that's rapidly changing. An array of different kinds of wireless services removes the hassle of connecting appliances and other smart devices to the net. Really compelling reasons (like remote management of complex equipment and distributed sensor arrays) will accelerate the race to connect these applications. Silly consumer products, like toasters that broadcast their status, will also create a push for more networking.
I'm not concerned that a smart refrigerator will take over the world, and I don't worry about cyberterrorists changing a microwave's cooking profile. Instead, it's the coming ubiquity of networked embedded systems that may form a threat of stunning proportions. Tens of billions of hijacked network nodes could create a denial-of-service (DoS) attack that can't be imagined. A vulnerability in an engine controller, exploited by an adversary or just a malicious teenager, could leave every Ford suddenly stalled in traffic. A computer expert won't be “on-site” to press a reset button or implement new security protocols.
But those are minor problems compared with other possible threats. Remember the 1984 Union Carbide accident in Bhopal? Today most chemical plants are controlled by computers. If hacked, who knows what catastrophe could result? Other nightmarish disasters are easy to imagine.
One might argue that embedded systems are mostly immune to being co-opted, since they use so many different processors running unique and proprietary code. That's changing. Networking remains complicated; few engineers have the skill or time to design their own protocol stacks. They're using one of a handful of common platforms, like Linux, embedded flavors of Windows, or one of a few commercial RTOSes. Today these products' security weaknesses are managed by a never-ending stream of patches installed by a priesthood of network administrators. But few patches will propagate to the vast array of embedded products — and even smart dust — of the future.
The President's proposed strategy for dealing with cyberthreats is long on generics, short on specifics, and totally lacking in action items, that is, who does what when. It embraces training and education, asks for new laws, and suggests we reduce bugs. All good and important ideas. It leans on private industry rather than government intervention, probably wise, though so far that hasn't worked.
I think computer security suffers from an unsophisticated public who have not demanded secure computing. Most consumers of desktop OSes and connected embedded devices accept the status quo. They feel they have no other viable options, and don't have any idea how to decide if the latest product is spyware, a Trojan, riddled with buffer overflow problems, or as solid as Fort Knox.
Secure cyberspace requires consumers who demand security. I'd like to see the President add another chapter to his strategy. Form a public/private organization whose charter is to attack computer-based products and software. Hire hackers, steal employees of big vendors who may have useful inside knowledge, and by all means use automated regression testing that looks for previous vulnerabilities to stress software and firmware. Grade products and post the results prominently.
Companies would seek the approval of agencies similar to Consumer Reports or Underwriters Laboratories; those whose products score well would splash their “A” grade all over their marketing literature. Non-compliant companies would have no choice but to fix security holes to remain viable competitors.
A “Trusted Computing Initiative” is a very Good Thing. Securing cyberspace is absolutely critical. Both will fail unless consumers have an independent and quantitative way to measure security.
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. He founded two companies specializing in embedded systems. Contact him at . His website is .