The Maginot Line of Info Security
Smart attacks avoid the best parts of your defences.
By Richard Forno
01/15/99

The Ardennes was considered a poor place to deploy armor, and without the Maginot Line it would have been the worst choice. But the strength of the line changed the dynamics of the situation and made the previously impenetrable Ardennes look like the most workable solution--underlining the veracity of Clausewitz's observation. And because the French had no strategic reserve to shield themselves from an attack from that direction, they lost their territorial sovereignty in just ten days. In the south, where the Italians had no choice but to attack the line, seven French soldiers operating behind the controversial fortification held up an entire enemy division for more than a week.

Wouldn't Maginot be an appropriate name for a firewall product, or for any company offering only technical solutions to communications security problems? Good firewalls and other purely technical solutions do their work effectively, but to a clever and determined attacker they are just obstacles to be either broken or sideslipped, whichever is most effective.

It is not just the financially motivated cyber-thief or teenage hacker that is testing the electronic Maginot lines of global corporations. Terrorists and states unsatisfied with the current balance of power are turning to what they consider to be low-risk, high-return cyber-strategies that avoid traditional types of defense. According to Director George Tenet of the American Central Intelligence Agency, "It is clear that nations developing these programs recognize the value of attacking a country's computer systems both on the battlefield and in the civilian arena." He pointed to telecommunications and banking as high-profile targets.
Lieutenant General Patrick Hughes, US Army, Director of the Defense Intelligence Agency, in recent Congressional testimony cited a number of threats, some of which can be protected against by Maginot-like technical defenses, and other "alternative" attacks that are less likely to be well covered by IT managers:
Essentially, in the Age of Information Warfare, one is either a target or a victim: targets have defenses, victims are defenseless. On a national, strategic level, following General Hughes' high-level list above, there are a number of intriguing target possibilities, including:
A serious vulnerability, not discussed in many circles, is mission-critical systems and infrastructures purchased with the assumption that such products are secure as shipped from the manufacturer. This may not be the case. Numerous vulnerabilities have been discovered in systems marketed as "secure" to industry or government specifications. Why? These companies need to develop and ship rapidly if they are to provide the profits their shareholders expect. As a result, their definition of acceptable risk is lower than yours should be. Today, products are rushed to market, driven by competitors' schedules and internal marketing efforts. This turns consumer and corporate markets into expanded "beta" tests. During use or "examination" of such products, systems routinely crash, data gets lost, or other issues arise from implementing not-fully-tested software. While not an "external" attack, such under-tested software applications are a threat to the sanctity of corporate data, information resources and infrastructures.

Installation of, and reliance on, systems that have not undergone peer review or independent analysis is an accident waiting to happen. While UNIX (an open operating system that "runs" most of the Internet), Pretty Good Privacy (the de facto Internet encryption tool), and Navigator have released their source code for public analysis, disclosure, and discussion, other operating system and application vendors have not, citing "proprietary trade secrets." Where software has undergone worldwide peer review, the result is that user concerns and quality control issues are addressed before the product hits the open market, not after, when a considerable user base exists and is potentially threatened by bad code. Further, users have the opportunity to see how the programming code will interact with existing applications, much like checking a medical prescription for any potential drug interactions or side effects.
Software that has been examined by "independent third parties" stands a better chance of being accepted as "secure" and "stable" than products where the vendors announce "our product is secure...trust us!" The user community showed how reluctant it is to rest easy on untested proprietary software when the NSA (National Security Agency) and NIST (National Institute of Standards and Technology) created a standard encryption system to replace the antiquated American Data Encryption Standard (DES). "Use it," they said in official reports, "but the encryption algorithm is classified TOP SECRET and not available for independent review." While the implication was "trust us, we're the government," the product flopped and was declassified in mid-1998.

Some would argue that the reason why UNIX, PGP, and Navigator became entrenched in the user community was that the software passed review by outside experts who certified that the products, algorithms, and software code were robust, stable, and worked as advertised. While lucrative for security professionals, the increase in known vulnerabilities associated with "proprietary" systems is disheartening. If the industry continues to develop insecure, untested programs and operating systems - and prohibits independent testing and analysis - the future of truly secure operating systems becomes uncertain.

In July 1998, news surfaced that the Navy's first ship dependent on commercial off-the-shelf software, the Aegis-class USS Yorktown, had suffered a systems failure only hours after departing Norfolk, Virginia. The ship's proprietary network crashed and rendered the vessel unable to continue its mission. Why? Who knows, as the Navy was both legally and technically unable to dissect the operating system to find the flaw.

One final note. The talent pool of gifted programmers is international and mobile, selling to the highest bidder. Because the allegiances of these programmers are as varied as their nationalities, it is not inconceivable that a few could be subverted to insert a few lines of malicious code into the millions of lines being generated for operating systems and mission-critical software. The general technical worker shortage, combined with the near panic of reactive Year 2000 solutions, is giving unprecedented system and application access to workers who are subjected to minimal background and security checks. This nearly unlimited, unfettered, and unmonitored access to source code affects both corporate and government organizations.

Sadly, most policymakers and some CEOs are not products of the Communications Revolution. They do not understand programming code, the critical value of information, the "virtual" underpinnings of modern society, or the vulnerability of relying on information infrastructures. Nations plan for major military offensives through the procurement of high-profile and glitzy weapon systems, but few are planning for the critical defense of their less visible - but equally critical - infrastructure, the "Soft Underbelly".

While a great deal of press attention has been focused on the pimpled teenage hacker and the egomaniacal programmer gone wrong, these are actually the least threatening intruders, as their motives are childish. The acts of these people can range from bravado to destruction, but they are most often aimed at getting attention or simple greed. Terrorists and state-sponsored programmers are less likely to want attention that is guaranteed to stimulate defenses. They prefer to attach themselves like parasitic organisms to government and corporate systems, either to create wider security breaches or simply to create long-term taps into strategic information. This style of attack can be more insidious than a destructive attack, as stolen or corrupted information (which should be backed up anyway) never actually disappears from its owner.
Each day the victim gets sicker, but never knows why until it is too late. It does not take a genius to develop tools or applications to effectively bring down one of today's mission-critical, commercial-off-the-shelf systems. Indeed, there are numerous free "hacker tools" and several legitimate diagnostic tools that can be used for both good and evil. In short, your greatest vulnerability is uncertainty regarding the content and integrity of the programs and operating systems that drive commerce and protect security. While some may scoff at the likelihood of large-scale attacks on corporate and government infrastructure through the medium of commercial software, remember how the best military experts prior to WWII considered the Ardennes to be an impractical axis of attack. In the security business, the very act of dismissing an attack raises the chances of its success.

About Richard Forno

Richard "Rick" Forno is one of today's young guns in the field of information warfare. In addition to being the youngest graduate in the U.S. Naval War College's 109-year history, he has steeped himself in just about every facet of information and corporate security, computer crime, and cyber-warfare. Starting with an associate degree in management from Valley Forge Military College, Mr. Forno received a B.A. from the American University School of International Service in Washington, D.C., with a concentration in National Security Studies and Middle Eastern Affairs. Next stop was the aforementioned Naval War College. Mr. Forno's federal work experience includes helping set up the Information Security Program Office for the U.S. House of Representatives and developing a global security education program for the U.S. Agency for International Development. Prior to that, he supported military command, control and intelligence systems as a US Army contractor.
Richard is also a consultant to the Office of the Secretary of Defense, where he assists in researching and developing capabilities needed to respond to a cyber-terror attack against the United States. Richard is a frequent speaker at security community seminars and industry conferences. In his spare time, he has written the book The Art of Information Warfare and numerous articles on information warfare and security management. His articles and commentary have appeared on radio and in such publications as Forbes, Federal Computer Week, Internet Week, Technology Week, the Journal of Operations Security, and more. Richard's professional affiliations include the Operations Security Professionals Society; High-Technology Crime Investigations Association; United States Naval War College Foundation; and the Valley Forge Military Academy and College Board of Directors.

Currently, Mr. Forno is the Security Officer for Network Solutions, Inc. (NSI) in Herndon, VA. NSI is the worldwide leader in Internet domain name address registration services, with more than 3 million registrations representing an estimated 75 percent world market share. Network Solutions currently acts as the exclusive registrar for all Internet addresses within the .com, .net and .org top-level domains (TLDs) and offers additional registration capabilities for more than 200 other country TLDs. The opinions in this article are his and do not reflect those of his employers. Contact him at rforno@ibm.net