The biggest security vulnerability in U.S. national security computer systems may be the commercial software they’re built on, Symantec’s CEO Greg Clark said Wednesday.
The inner workings of Tomahawk missiles aren’t publicly available and the computer systems that store sensitive national security data shouldn’t be either, the leader of the anti-virus firm said during an address at George Washington University’s Center for Cyber and Homeland Security.
Under the current system, U.S. cyber adversaries can find out which software systems the U.S. military is most reliant on simply by searching federal contracting databases, Clark said. Then they can set about searching for vulnerabilities in those systems.
“We are handing our adversaries the key…the map to how to beat us,” he said.
The comments echoed an op-ed Clark published in The Hill newspaper earlier Wednesday.
Clark’s argument runs counter to the traditional logic that consumer software is typically more secure than custom-built software because it’s being tested in the real world every day by both malicious hackers and ethical security researchers. Each time one of those hackers or security researchers uncovers a hackable vulnerability, the company can patch it and the overall system becomes more secure, the conventional wisdom runs.
Custom-built software, by contrast, can never be so fully vetted.
Clark responded to that criticism Wednesday by saying the wisdom of the crowds-style vetting that consumer software receives is very useful for consumers who, for the most part, aren’t being targeted by extremely talented, nation-state-backed hacking groups looking for any possible opening.
For national security systems that are being targeted by those groups, however, the delay between when hackers discover a new vulnerability and when companies patch it can be extremely dangerous. Those systems, he said, would be better off relying on custom systems that adversaries can’t tinker with.
It also might be useful to build national security systems with a combination of consumer and custom software, he said.
The Homeland Security Department recently ordered all federal agencies to begin removing Kaspersky anti-virus, a major Symantec competitor, from their systems out of concerns the Russian company is too cozy with the Kremlin.
Asked about the directive, Clark replied the U.S. intelligence agencies that have determined Kaspersky poses a threat are “very good at what they do.”
“They don’t like [Kaspersky software] and let’s leave it at that,” he said. He declined to state a personal opinion on whether Kaspersky software was compromised by the Russian government because the two companies are competitors.
Symantec and Kaspersky are among the most popular anti-virus vendors in the world, though it’s difficult to compare the two companies because there’s limited data on anti-virus market share and Kaspersky is not publicly traded.
Clark hopes the U.S. government’s Kaspersky move won’t lead to retaliation against western companies, he said, though he noted Symantec has a very limited footprint in Russia, partly because the company refused to comply with a recent Russian law requiring companies that do significant business in the country to share their source code with the Russian government.
Clark does worry that the U.S. move might set a broader precedent for governments to be wary of foreign anti-virus and other security software, he said.
Symantec has struggled to convince numerous national governments that it is not allied with U.S. intelligence, he said.