Vulnerabilities provide the entry gate for computer attacks. Vulnerabilities persist for a number of reasons, including poor security practices and procedures, inadequate training for individuals responsible for network security, and software products of poor quality.
For example, within some enterprises and government agencies, an important security patch might not be scheduled for installation on computers until some time after the patch is made available by the vendor. This delay tends to happen if a company or government agency fails to enforce its security policy, if the security function is underresourced, or if the patch disrupts the computer when it is installed, forcing the system administrator to spend an inordinate amount of time fixing the computer configuration to receive the new patch.
Also, many security experts feel that better training for system administrators would enhance the safety of critical infrastructures in the United States and in other countries. Software vendors are often criticized for commercializing and releasing products with errors. U.S. government experts have stated that 80% of successful intrusions into federal computer systems were caused by low-quality software and numerous software errors resulting from premature release.
Currently, there is no legal liability or regulatory mechanism relating to the problem of a software producer’s selling a product with design defects. The reality is that the licensing agreement accompanying the product includes a disclaimer protecting the software manufacturer from all liability.
Moreover, controversies exist today because many major software companies contract out for the creation of many of their software products in jurisdictions outside North America—particularly in India, Pakistan, and China. Offshore outsourcing, it is argued, may give those in foreign countries the opportunity to insert a Trojan or other malicious back door mechanism into a commercial software product.
In 2004, computer viruses passed a new milestone: The first ones aimed at electronic devices other than computers began to appear in real life rather than just in the laboratory. The first generation of such viruses attacked mobile cell phones. For example, near the end of 2004, Cabir, which infected mobile cell phones produced by Nokia and running an operating system called Symbian, cropped up in Asia and quickly spread around the world. Another more recent virus called Commwarrior appeared on Symbian cell phones, followed by a host of other variants.
A 2005 report by McAfee, Inc. noted that researchers tracked five known cell phone viruses in the last quarter of 2004, and by March 2005 the number of viruses discovered soared tenfold. Most of the viruses came from downloadable games modified to hide the embedded viruses. So far, the reported damage has been light. Cabir, for example, was designed to drain the cellular phone’s battery. Commwarrior sent messages and copied itself to other cellular phones using the Multimedia Messaging Service (MMS)—which hit cell phone consumers’ pockets with a high text-messaging bill but did not damage their phones.
However, security experts’ worries have not stopped, for in Asia, both Cabir and Commwarrior spread from one cellular phone to another through the Bluetooth wireless technology, much as a sneeze from one person passes the cold virus to others close by. According to Russian security company Kaspersky Lab, the implications of this easy spread are unsettling for safety reasons. Because a number of cars connect cellular phones to built-in speakers and microphones using Bluetooth technology for hands-free calling, it is technically possible for a virus to infect a car’s computer system. That is a frightening thought if one considers that more than two billion cellular phones are in use worldwide today.
Buckler, G. Cellphone Acting Sick? Might Be a Virus. The Globe and Mail, May 19, 2005, p. B11; Wilson, C. CRS Report for Congress: Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. [Online, October 17, 2003.] CRS Report Website. http://www.fas.org/irp/crs/RL32114.pdf.