GEEKONOMICS

According to a June 5, Washington Post article:

Cyber Incident Blamed for Nuclear Power Plant Shutdown

A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company , which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network.

The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

Southern Company spokeswoman Carrie Phillips said the nuclear plant's emergency systems performed as designed...

Yes, but the software did not, and that is the point.

The article goes on to say:

Computer security experts say the Hatch plant incident is the latest reminder of problems that can occur when corporate computer systems at the nation's most critical networks are connected to sensitive control systems that were never designed with security in mind.

Really?!? And what of the consequence for this lack of foresight? What incentives exist to address the problem at the source? Should the contractor applying the patch really be the only culpable party here? Please excuse my rather sarcastic tone on this one. Some might say that this is "nothing new" and we should let it float by. No, we should not.

When will we exhaust our feelings of relief over catastrophes that could have happened because of “bad” software but did not simply because of happenstance (or, more accurately nuclear engineers that are more accountable for their blunders than software engineers)?

Oh, I know there are all sorts of arguments why software developers weren't at fault here, or that plenty of other incidents would lead to the nuclear power plant's emergency systems kicking in but really, isn't this getting a little old? If this is truly "nothing new" it implies software hiccups are a long standing problem and that really is the problem.

So I'd like to coin what I'd like to think is a new phrase: "Shit happens. This is true. But more shit happens with software."

Anton Chuvakin, co-author of Security Warrior, posted a powerful review of Geekonomics on his blog:

It Changed My Life: My Review of "Geekonomics"

An excerpt:

I suspect that, by now, every human on Earth who ever laid their hands on a computer knows:

software = might NOT work.

Now, we expect roads, bridges, toasters, chainsaws, bicycles, cars (until they put software in them...) to work and work they do. And if they don't - the company who manufactures them usually makes them work for us fast - or goes away, cut down by the "benevolent" axe of capitalism. Now, software is totally different (my thinking about this one).

And everybody knows it. But nobody was brave enough to take a hard look at this and analyze how that simple fact affected, affects and will affect our society. And, for my extra-paranoid readers: "... and how it might end that very society."

Until "Geekonomics!"

This book might not reveal any secrets about how software works to an IT professional (it will reveal how law works though!), but it will explain why bad software is everywhere, why we are stuck with it, why it will not improve by itself and - sorry for a hysterical note here! - how we might all fucking die because of it. It then unemotionally predicts why more people will certainly die because of bad software.

It studies the complicated dynamics of today's software market such as who is more at fault for bad software - buyers who agree to buy or vendors who make it (or both). It also suggests that many of today's regulations and compliance "thingies" are a little misguided (e.g. in a battle a PCI DSS-compliant enterprise and a 0-day-wielding hacker, any sane person will bet on an 0-day). It is also very well-written; it won't bore an experienced IT  or security pro and it will not overwhelm a mere IT user.

First, it explains why the software is the "foundation of our civilization" today, and how it will be more so in the future. Next, it casts a look at "innovation" and ponders how innovation-driven software development relates to the  fact that users don't touch 90% of features of a typical software. In the third chapter is presents the view of the "0wned world" where "only the stupid [cybercriminals] get caught."  Next chapters looks at how government oversight works in other areas (e.g. FDA), how it might work - and how it might fail (and did fail in the past). While doing it, the book dispels the "government will just  make it worse" myth (basically, because some things are really bad and quickly streaming towards worse already). The amazing chapter 5 gives the clearest explanation of litigation (torts, etc) that I have ever seen (the book is worth reading just for chapter 5 alone!). Chapter 6 takes a super-pessimistic look at open-source software (no comment - just read it). Finally, several possible future - "the way forward" - is discussed.

...

So, everybody in software business, security business - in fact, just everybody who uses a computer - MUST READ THIS BOOK! Seriously, understanding the point made there might be a matter of life or death for some (all?) of us.

Anton has started a new website: KilledBySoftware.info

Thank you for the review, Anton.