Is there "Strategic Software"?

Point: Marcus Ranum / Counterpoint: Bruce Schneier

In February 2006, the Dubai Port Authority attempted to buy several major U.S. ports from their current (British) owners, but the deal was swamped over concerns that Arabs, as opposed to Britons, might not keep them adequately secure. Never mind the fact that the U.S. couldn’t keep them adequately secure to begin with. Fast-forward a few months and Israel-based Check Point((The full name is Check Point Software Technologies Ltd.)), attempted to buy U.S.-based intrusion detection systems provider Sourcefire, but the deal was swamped over aftershocks from the Dubai Ports fiasco. Never mind the fact that U.S. government agencies can’t keep their networks adequately secure to begin with; questions were raised as to whether Check Point should control a piece of software that is widely used in U.S. government networks.

Is there such a thing as "strategic software"? Of course there is! But a better question to ask would be: "Hasn’t the horse already left the barn on that issue?" More to the point, the horse has not only left the barn, he’s changed his name and moved to another country.

The truth is this: if your software controls your computer (and it does), then the person who writes the software also controls your computer. Does that have strategic implications? Ask the European Union, which, in the past, has voiced varying levels of dismay over the fact that virtually all of their computers are controlled by software from a certain company in Redmond, Washington, USA. A cynic could see the Check Point–Sourcefire acquisition as the U.S. government’s getting a taste of its own medicine.

I’m a cynic, but I’m not amused by the situation. If we accept the idea that software can have strategic implications, it would make a lot more sense for the U.S. government to be thinking in terms of a "strategic software reserve"—you know, kind of like our "strategic helium reserve"—rather than killing a single high-tech acquisition. It’s patently ridiculous to worry about Check Point owning Snort when Check Point already owns Zone Alarm. Zone Alarm is an incredibly widely used personal firewall product that completely controls a Windows computer’s TCP/IP stack and processes: kind of like a rootkit except for good instead of evil.

And why worry about the Israelis owning an IDS company when a Canadian company, Research In Motion, owns all the BlackBerry handhelds’ communications that government bureaucrats simply can’t live without? Remember the panic a few months ago when RIM was threatening a shutdown because of a patent dispute? The U.S. government was complaining about the impact of a shutdown on crucial government communications. If I’m understanding the situation correctly, the U.S. government was afraid that they’d be unable to keep sending "sensitive but unclassified" messages across the northern border to Canada, and back. If that communication is strategic, and is part of the critical infrastructure, it seems to me that there are a lot of barn doors in need of locking! Of course, the Canadians at Research In Motion are our friends (and last time I checked, so are the Israelis at Check Point) and would no sooner spy on U.S. government communications than—I don’t know—AT&T would spy on its customers if the NSA said "pretty please." That would be unthinkable.

What’s unthinkable, really, is how the governments of the world have adopted high tech without thinking of it as a weapon, itself. For all that the Department of Defense has pundits who talk incessantly about "information-centric warfare," they completely avoid thinking about software as a weapons system in its own right—but every important major weapons system today relies of software for its magic. I wonder if it’s simply too hard a problem, and everyone has preferred to shut his brain off and say, "Horse? What horse?" With software as ubiquitous, plastic, and complex as it is today, it’s probably impossible to understand what pieces of software would belong in the "strategic software reserve" if such a thing existed.

Given the level of denial about the issue, it was silly to single out Check Point and Sourcefire; my guess is that if it were possible to even understand the situation, most of us would be terrified, if we allowed ourselves to be that paranoid. Perhaps this is just one of those problems that we’ll leave for future generations to unravel. Like the national debt, it’ll just get bigger, more expensive, and harder to ignore. And, oh, did I forget to mention that key components of Microsoft’s ISA firewall were written by one of their development teams in Israel?