Kevin Kelly featured in Jane’s International Defence Review:
According to Kelly, when designers develop code, they build in hooks so that maintenance teams can access network equipment and get behind the operating systems and monitor functions. “Well, that same monitoring function can be very valuable to an adversary who is looking to intercept traffic or copy traffic, or disable a communications system,” Kelly said. “No firewall or intrusion detection system is really set up to monitor the interworkings of the software that operate the machine itself.”
Unintentional vulnerabilities in software may also stem from code that was not designed with O&M functionality in mind, but was instead developed for a different module or placed by another piece of code.
Many hardware developers outsource development of modules of code, Kelly explained, or acquire open-source code or libraries of code that perform certain functionalities developed for past systems that are incorporated into later systems of integrated or aggregated software. Some backdoors are left over from testing scenarios, but no one really spends time going through old code line by line looking for vulnerabilities. “For efficiency’s sake, the developer did not go in and remove the original code,” said Kelly. “They just simply layered on a replacement code or a patch, and the predecessor’s code is still running on the machine.
“There are very practical reasons why these vulnerabilities exist,” Kelly continued. “The extent that developers would have to go through to remove all of them is really counter competition. If developers of these systems had to go through line by line and remove all of these, they are going to add an awful lot of cost to the COGS of each of these systems and potentially make themselves uncompetitive. So they simply don’t do it. And there is no requirement. There’s no international [standard] and there’s no national standard that requires them to go in and remove these.”