We’ve all heard about the immediate threat posed by the Bash bug, aka the Shellshock bug: a flaw in a standard piece of software called the Bash shell, the command interpreter that gives users command over computer systems based on Linux and Unix. The flaw enables attackers to take control of your systems and run any command they wish.
Bash won’t be the last threat of this magnitude.
The Internet of Things enables new levels of convenience and efficiency, but its comprehensive connectivity also exposes households, companies and whole economies to attack.
We can’t address every bug as a one-off. Company executives, open-source software community leaders and government organizations must join forces and work proactively to create systems and processes that anticipate weaknesses, defend against attacks and enable rapid, coordinated fixes.
We need three levels of response. First, executives must give network security a place on the CEO’s and board of directors’ agenda.
Just as we need financial audits to ensure the integrity of business, we need continuous security audits of all information technology-enabled products and services to ensure that customers and businesses aren’t at risk. Second, organizations must create an emergency response team and plan that can swiftly react and solve problems once vulnerabilities are detected. Executives should plan for worst-case scenarios and run their organizations through drills to ensure that they’re ready to handle problems as they arise. Third, companies, open-source community leaders and government organizations must coordinate their activities to proactively detect weak spots in our digitized and networked devices, services and infrastructure.
The vast majority of the world’s Internet and software infrastructure relies on solutions developed in open-source software communities. Over the past two decades these communities of developers have proved themselves brilliant at creating code.
However, no software system is perfect, and open-source code can have mistakes or omissions, or simply fail to keep pace with ever-changing networked computing systems. The Shellshock bug allowed entry into core systems because there were simply not enough people looking critically at open-source code to detect such flaws and defend the networks that depend on it.
Taking a cue from the banking system, the computing industry must develop an approach that prioritizes proactive stress testing, detection and updating to anticipate and prevent such problems.
Karim R. Lakhani is an associate professor of business administration at Harvard Business School and the principal investigator of the Harvard-NASA Tournament Lab at the Institute for Quantitative Social Science.