The software industry is the one sector that never learns from its mistakes. When bridges have collapsed due to poor engineering practice, such as not calculating stress from side winds, the engineering community has corrected its approach and now bridges don't suffer from the same weaknesses. The same goes for the food industry, the manufacturing industry, and the automotive industry. All these sectors correct poor practice.
The emergence of the malicious spyware Regin last week suggests that the software industry doesn't - and it really needs to.
Regin is worrying for many reasons. The first is that it is the latest in a long sequence of malicious code exploiting vulnerabilities that make the software we use every day untrustworthy, and designed never to be discovered. Appearing in 2008, disappearing in 2011 and re-emerging in 2013, it has been with us for a while, burrowing deep into the technology we rely on and acting without our knowledge. It suggests that this is merely the tip of the iceberg and that there are a lot more ‘Regins’ out there still to be found.
The second is that it is much more sophisticated than any previous spyware we have seen. It demonstrates a step forward in the ability to target specific organisations and individuals. Most attacks by this type of spyware result in a certain amount of collateral damage, but Regin is very focused and very specific. The ability and time required to create such a sophisticated tool hints at state sponsorship. If that is true, this is an extremely risk-free way for nation states to gather information, which raises an important question: do they actually want a society based on trusted, dependable, safe software, given they appear to rely on software vulnerabilities to maintain information superiority?
By far the greatest concern about this particular discovery is that the existence of Regin demonstrates our underlying operating systems still have vulnerabilities. If vulnerabilities remain in this foundation layer, the applications we build on top can also be vulnerable, and this is a totally unsustainable situation.
Patching software continues to be the short-term fix advocated by the software community, but as Regin shows, it is not working and absolutely cannot be considered a long-term security strategy. We need to learn from our mistakes and work to decrease the need for patching in the future, focusing on treating the root cause. To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up.
This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to build a software infrastructure for the UK. Ultimately, this is a life cycle problem. It's here because we are continuously making the same mistakes over and over again. Until we learn from the problems we have created for ourselves, Regin will prove to be just the latest in a long line of increasingly sophisticated tools designed to exploit the vulnerabilities that make our software difficult to depend upon.
Contributed by Tony Dyhouse, director of the Trustworthy Software Initiative.