Is software warfare “unthinkable”? or is there a rational basis for its adoption?

Abstract

We in the information security community have lost our claim to innocence. We have known sin. For years, we have been viewing ourselves as crusading defenders of the faith, guardians of a mythical "cyberspace" community against the infidels of computing, those who would penetrate, vandalize, and exploit the systems of innocent users. We have painted the security technology we have been developing as good and the intrusive methods developed by the "hackers", "phreaks", and computer terrorists as bad. The labels appeared clear - we, the computer security folks, wore the white hats and the other guys, the black. However, in much the same way that knowledge of computer security flaws aided the penetrators of systems, so our knowledge of malicious software methods has contributed to our ability to build more robust, resilient, intrusion-resistant systems. Where we differ from the bad guys, we think, is in application and motive for use. But times are changing. The spectre of computer warfare, the dark twin to INFOSEC, has arisen. The computer security technology that we selectively considered as benignly good has a darker side which is becoming more apparent, as happened to the technologies for nuclear energy and biochemistry. If history has been any teacher, computer technology, security related or otherwise, will be no exception. We now have a two-edged Sword of Damocles at our disposal. It, like its nuclear and biochemical warfare cousins, is poised to hang over our heads. We need to heed Santayana's advice: "Those who cannot remember the past are condemned to repeat it." and not ignore history in examining early on the threats software warfare may pose now and in the distant future.