Root causes of vulnerable systems

It seems staggering to read that militants in Iraq were able to intercept live video feeds from aircraft and Predator drones using a $26 software package. And this problem is reported to be difficult to fix. How can this happen in a world in which ordinary consumers have sophisticated encryption at their fingertips?

We don’t know exactly what happened in this case. But there are several common factors that contribute to such situations. Cost constraints, ignorance and gaps in standards, testing or accreditation processes are obvious candidates. A further factor is insufficient foresight in anticipating future developments. 

Costs should not be an issue for such expensive hardware. After all, we all have strong encryption in our mobile phones. But lack of foresight might be a major contributing factor. Systems are often rushed into operation with little or no attention to the longer-term consequences. A further issue is ignorance. This system was designed a decade ago, when security threats were not well understood by engineers. That’s why, for example, we find weak security in older SCADA systems. These developments were below the radar and responsibility of IT security managers.

The learning point is that security policies, standards and compliance processes need to extend beyond the traditional scope of business information systems. They also have to anticipate emerging and future threats. In today’s business world, decision making takes place through mobile devices (fortunately protected by encryption). Tomorrow, it might be left in the hands of embedded devices. Security needs to switch its focus to safeguarding dynamic flows of information, wherever they go. It should not just concentrate on the protection of old-fashioned, static databases.