Pop music’s most famous Household Cavalryman, a Soviet Air Force Officer and a Microsoft Engineer
By Luke Fardell, Lead Cyber Analyst
Wednesday, September 18, 2024
The link between James Blunt, the singer-songwriter, Stanislav Yevgrafovich Petrov, a lieutenant colonel of the Soviet Air Defence Forces who played a key role in the 1983 Soviet nuclear false alarm incident, and Microsoft Engineer Andres Freund may not be obvious.
Before his rise to fame with "You're Beautiful," Blunt was an officer in the British Army. During the Kosovo War, he was ordered to seize an airfield, a directive that could have brought British forces into conflict with Russian troops who had also occupied the position. Blunt questioned the order, which was later rescinded, potentially preventing a military confrontation.
In 1983, during the height of the Cold War, Stanislav Petrov was the Soviet officer on duty at a nuclear early warning centre when the system falsely reported the launch of US missiles. In a moment that could have led to a nuclear war, Petrov's decision to question the warning and determine it to be a false alarm prevented a potential catastrophe.
Andres Freund recently joined the list of people whose actions have prevented disaster. For cybersecurity professionals, both his quick thinking and consideration of the consequences if he had failed to spot the issue should prompt introspection. Is exposing SSH to the internet a necessity and a good idea?
On 29 March 2024, the world was unknowingly on the brink of a digital disaster when threat actors attempted to embed a piece of malicious code into the internet's backbone. This code, if activated, could have compromised global internet security systems, leading to widespread disruption.
However, during what seemed to be a routine day at Microsoft, Partner Software Engineer Andres Freund encountered an anomaly. SSHD processes were inexplicably consuming high CPU resources, despite failing login attempts due to incorrect usernames. This unusual activity led Freund to probe deeper, eventually uncovering a backdoor in SSH—a protocol used globally for remote computer administration.
Freund's discovery revealed a vulnerability that could have allowed threat actors to gain control over countless systems, with the power to disrupt or shut down essential services. For anyone running SSH, effectively most companies, the threat actors would have had access to everything. The potential damage is vast, with the ability to paralyse websites and payment systems, remove firewall protections and access data worldwide. The compromised code, known as Xz Utils, was prevented from being used through a collective effort of cybersecurity officers and government agencies. It is a near miss that should serve as a warning shot.
The threat actor(s) managed to embed malicious code into a small open-source utility through a flukey combination of social engineering and supply chain compromise. This utility was chosen by the threat actors as it is part of mainstream software that is used across the world within systems like web servers, firewalls and applications. Many people are unaware that their everyday software is comprised of millions of lines of borrowed open-source public code that the cyber community and hobbyists maintain.
The cyber insurance market has evolved markedly over the last two decades. Where once we were seen as intrusive third parties, we are now genuine partners, supporting insureds with their defences and providing round-the-clock updates on their vulnerabilities.
I have long been an advocate of minimising SSH protocols facing the internet. If you are not using it, close it. While not vulnerable today, who knows about tomorrow?