Vulnerability of high technology systems

Visualization of narrower problems
Name(s): 
Fragility of computerized information systems
Risks to computers and computer records
Inadequate safeguards against electronic crimes
Inadequate prevention of computer disasters
Vulnerability of telecommunications systems
Nature 
Computers are widely used in private, commercial, and governmental operations to store vast quantities of information. In many cases the information constitutes a record vital to the continued functioning of organizational systems, particularly in the case of personal data, stock data, and financial or accounting records. Computer systems are vulnerable in a number of ways. Data may be lost due to equipment failure, electrical surges, operator error, software error, over or under heating, theft or computer viruses. Equipment may be damaged in fire, flood, earthquake or any of a number of natural or man made disasters. Programmers, operators or maintenance personnel may damage hardware, software or data bases. Data may be damaged in transit over telecommunications lines or when storage media, such as tapes or disks, are shipped. The losses include replacement or repair of equipment, software or data; lost business or other transactions; and losses of employee time.

The destruction of a computer, its files and backup media through accident can be a disaster. A business' ability to carry on operations can be halted through fire or explosion in a computer room. Records and files of a mainframe, mini or micro computer can be destroyed through operator error, electrical surges like from lightning, radiation from microwave oven and similar devices or physical abuse. A single process failure can cascade through a networked system that handles computing routines in serial fashion.

Vulnerability increases with the increase in quality and performance of modern technology. The higher level of performance of most technological advances relies upon a reduction of the margins of error that a system can tolerate without breakdown. Accidents and management mistakes may still occur, but their effects now have more costly systemic consequences. "Leanness" of systems (in which redundancies, backup procedures and check systems have been eliminated in the name of efficiency) also makes the system highly vulnerable. Compounding the structural fragility of computer systems is that the extent of their interconnectedness with modern life is largely invisible and unpredictable. The problem is only seen as such when the relationships are already disrupted.

The FBI list 3 levels of vulnerability risk for computer systems to outside interference: High - A vulnerability that will allow an intruder to immediately gain privileged access (e.g., sysadmin, and root) to the system. An example of this would be a vulnerability in which a sequence of instructions is sent to a machine by an unauthorized user and the machine responds with a command prompt. Medium - A vulnerability that will allow an intruder immediate access to the system that is not privileged access. This allows the intruder the opportunity to continue the attempt to gain root access. An example would be a configuration error that allows an intruder to capture the password file. Low - A vulnerability that provides information to an intruder that could lead to further compromise attempts or a Denial-of-Service (DoS) attack. The reader should note that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered as a "High" threat.

Incidence 
Most large organizations using computers have experienced disastrous hardware or software failures. Organizations are necessarily reluctant to reveal the insecurity or inadequacies of their systems because of their need to maintain security, competitive advantage or public confidence. The most visible disasters tend to occur in the public sector such as, for example, the case of the London Ambulance Service or the London Stock Exchange Taurus project. Private sector examples are: from 1990, when AT&T's long distance telecommunications system experienced repeated failures. At that time, it took two million lines of computer code to keep the system operational. But these millions of lines of code were brought down by just three lines of faulty code. In May of 1998, 90% of all pagers in the USA crashed for a day or longer because of the failure of one satellite. Late in 1997, the Internet could not deliver email to the appropriate addresses because bad information from their one and only central source corrupted their servers.

One study by the USA Department of Defence concluded that only 30 out of 17,000 computers then used by the DOD met minimum standards for protection from attack. The computers were vulnerable to a broad range of high-tech hit-and-run spying techniques, such as "spoof" programs which appear to be conducting routine activities while they are actually collecting passwords or other useful information; or the implementation of undetectable instructions into the software which might order the alteration or destruction of highly classified data.

Claim 
1. People have not been eliminated from technology. They still figure everywhere. They maintain the equipment. They design, sell, buy, repair and operate it. Human beings make errors and they make unique and unpredictable errors particularly in unique situations. As new technologies are developed, new people are introduced to old technologies errors will happen in spite of any so called the safeguards, especially the foolproof ones.

2. To err is human, but really foul things up requires a computer.

3. Our ability as an economy and as a society to deal with disruptions and breakdowns in our critical systems is minuscule. Our worst case scenarios have never envisioned multiple, parallel systemic failures. Just in time inventory has led to just in time provisioning. Costs have been squeezed out of all of our critical infrastructure systems repeatedly over time based on the ubiquity and reliability of these integrated systems. The human factor, found costly, slow, and less reliable has been purged over time from our systems. Single, simple failures can be dealt with; complex, multiple failures have been considered too remote a possibility and therefore too expensive to plan for.

Counter-claim 
Computers are unreliable, but humans are even more unreliable.
Broader 
Inadequate security system
Inadequate disaster prevention and mitigation
Narrower 
Computer viruses
Electronic piracy
Inflexible technology
Electrical power failure
Poor programming technique
Failure of computer billing
Theft of computer equipment
Technological programme errors
Unreliability of weapons systems
Lack of computer system capacity
Uncontrolled use of computer data
Vulnerability of telephone system
Unreliability of computer software
Errors in document processing systems
Errors in global position system equipment
Vulnerability of nuclear defence control systems
Non-compliance of computer equipment to Year 2000 transition
Related 
Electronic spam
Lack of information
Inflexible computer systems
Dangers of using mobile telephones
Aggravates 
Theft of data
Information warfare
Injurious accidents
Computer-based crime
Infringement of privacy [in 1 loop]
Ineffective data systems [in 1 loop]
Abuse of computer systems [in 2 loops]
Unsatisfactory retail banking [in 1 loop]
Dependence on information technology [in 2 loops]
Inadequate use of information technology
Destabilizing international telecommunications
Inadequacy of national telecommunication facilities
Terrorism
Aggravated by 
Hyperefficiency
Computer illiteracy
Unethical practices by employees
Competitive techno-economic warfare
Prohibitive cost of business security
Human incapacity to respond to computer-generated decisions
Reduced by 
Excessive computer control of social processes
Strategy(ies) 
Safeguarding telecommunications security
Promoting progress and application of information systems
Ensuring information system integrity
Developing knowledge economy
Protecting critical infrastructure
Enhancing scientific and technological research
Risking computers and computer records
Recognizing socio-economic interdependencies
Protecting against computer disasters
Improving safeguards against computer crimes
Reference(s) 
Cooper, Arlin J: Computer and Communications Security: strategies for the 1990s
Clark, David D, et al: Computer Security: risks, technologies and policies
Finch, J H and Dougall, E G: Computer Security: a global challenge
Type 
(D) Detailed problems