Cyber Threats and Nuclear Weapons by Lin Herbert;

Author: Lin, Herbert
Language: eng
Format: epub
Publisher: Stanford University Press
Published: 2021-08-15T00:00:00+00:00


Alas, neither of these approaches is fully adequate. A large, well-known company could be under the control (either overt or covert) of the government to which the company is accountable by law, and might introduce compromises in the products it delivers due to government compulsion. Passing tests is a necessary but not sufficient condition to declare a component secure. Testing generally cannot demonstrate the presence of unwanted (and hostile) functionality in a component, although it may be able to provide evidence that the component does in fact perform as it is supposed to perform. For example, a component may always perform as it should except when one of the inputs is a particular sequence of digits; upon receiving that sequence, the component can (deliberately) perform some unexpected and hostile action.
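The trigger-input case described above can be made concrete with a short added example (not from the book): a stand-in component that matches its specification on every input except one constructed 10-digit sequence, a random differential test against that specification, and the probability that such a test ever supplies the trigger. The checksum function, the `TRIGGER` value and all function names are assumptions chosen for illustration.

```python
import math
import random

# Constructed 10-digit trigger; a hypothetical value, not taken from the book.
TRIGGER = "4071953268"

def reference_checksum(digits: str) -> int:
    """Specified behaviour: sum of the decimal digits modulo 10."""
    return sum(int(d) for d in digits) % 10

def supplied_checksum(digits: str) -> int:
    """Stand-in for an opaque supplied component with one deviating input."""
    if digits == TRIGGER:  # hidden branch: the only input that misbehaves
        return (reference_checksum(digits) + 1) % 10
    return reference_checksum(digits)

def acceptance_test(component, trials: int, seed: int = 1) -> int:
    """Differential black-box test: count mismatches against the specification."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(trials):
        sample = "".join(rng.choice("0123456789") for _ in range(len(TRIGGER)))
        if component(sample) != reference_checksum(sample):
            mismatches += 1
    return mismatches

def detection_probability(trials: int, trigger_len: int) -> float:
    """Chance that at least one of `trials` uniform random inputs is the trigger."""
    p_hit = 10.0 ** -trigger_len
    # 1 - (1 - p_hit)**trials, computed stably for very small p_hit
    return -math.expm1(trials * math.log1p(-p_hit))

if __name__ == "__main__":
    n = 100_000
    print("mismatches in", n, "random tests:",
          acceptance_test(supplied_checksum, n))
    print("probability that", n, "random tests include the trigger:",
          detection_probability(n, len(TRIGGER)))
    print("component deviates on the trigger itself:",
          supplied_checksum(TRIGGER) != reference_checksum(TRIGGER))
```

A clean test run here is evidence that the component performs as specified on the inputs tried, and nothing more: the deviating branch is visible only to someone who can read the component's code, which is the inspection option the next paragraph takes up.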

Perhaps one could inspect the inner mechanisms of a supplied component (e.g., reading the human-understandable software source code supplied) before integrating it into a finished system. But that would require access to source code, which a supplier may well resist for fear of divulging valuable intellectual property. Moreover, inspection and review can take substantial amounts of time, and waiting for inspection to be completed can unduly affect a schedule. Also, what if the component is a fix to a security problem? In that case, a delay can leave a system more vulnerable.

Many methods have been developed (and some deployed) to mitigate the effects of possible supply-chain attacks. Nevertheless, cyber risk associated with such attacks cannot be avoided entirely.

1. Sources: Fred Schneider and Justin Sherman, “Bases for Trust in a Supply Chain,” Lawfare, February 1, 2021, www.lawfareblog.com/bases-trust-supply-chain; National Research Council (NRC), Toward a Safer and More Secure Cyberspace, ed. Seymour Goodman and Herbert Lin (Washington, DC: National Academies Press, 2007), 103–4, doi.org/10.17226/11925; NRC, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, ed. David Clark, Thomas Berson, and Herbert Lin (Washington, DC: National Academies Press, 2014), 112–13, doi.org/10.17226/18749.


