If Donald Trump wants to take one important, indeed, vital step he will create a well-funded new Cyber Security Agency that is free of NSA and other deeply compromised interests.
by Stephen Bryen
The possible solution to escalating cyber insecurity has been staring us in the face for a long time. But the road has not been taken because most companies that manufacture electronics today build the stuff in Asia, primarily in China. This has created an unprecedented risk, because China is not at all adverse to bugging just about any product they can get their hands on. Consequently everything from computers, cameras, routers, flash memories and smart TVs are potential targets for the Chinese government to exploit.
But, as any half decent cyber expert can tell you, when you put a backdoor, or a bot, or just a hole in the code, once discovered it can be exploited by almost anyone smart enough to find it.
This is exactly what NSA has been doing for years, as leaks by Edward Snowden have shown in a conclusive manner, by presenting NSA’s Power Point presentation of how it has bugged just about everything.
But what may be good for the spying community is not good for national security. It leaves the entire critical infrastructure of the United States –power systems, communications, military, government, transportation, water and food supply– vulnerable to attack. It is well known that foreign entities have been targeting the critical infrastructure, carrying out many “dry runs” and also stealing sensitive information of all kinds –personnel records, medical information, law enforcement data, designs for vital defense systems, nuclear secrets –the list has no end.
Because cyber policy is made by NSA and that is a big problem. NSA cannot be the guarantor of security and insecurity at the same time. If Donald Trump wants to take one important, indeed, vital step he will create a well-funded new Cyber Security Agency that is free of NSA and other deeply compromised interests.
So let’s say President Elect Trump agrees to support a new Cyber Security Agency. What will it do?
Security is only possible with trusted systems; it is impossible if the systems are made up of commercial off the shelf products (COTS).
Starting in the mid-1980’s the Pentagon began shifting procurement wherever possible in favor of COTS. There were immediate benefits: better technology, more rapid product evolution and lower procurement cost. The US government followed the Pentagon model, and today virtually every department and agency, from the CIA to Agriculture, from Homeland Security to the Army, from Health and Human Services to Social Security, all use COTS. That is why all of them have been targets for hackers.
The threat is in two major dimensions: the ability to shut down and kill systems, or fill them with false information; and the ability to steal just about all the information the government holds, from tax returns to the design of stealth aircraft.
No one has yet been able to make any government or critical infrastructure system secure or safe. In fact, all the evidence points exactly in the opposite direction: attacks on systems have grown exponentially and the time it takes to know that a system has been compromised has grown from a few minutes to months, even years. Thus the free bonanza of sensitive information and American technology is stolen with brazen ease. In short, cyber security is a total failure.
The new Cyber Security Agency needs to change the paradigm to have any chance to fix the problem.
The first thing to know is that COTS cannot be the source of any solution.
COTS today is
- designed through a globalized process where the work can be done on any continent and by teams of designers who speak different languages and have different interests and pressures;
- even when developed on US soil, there is considerable risk because the employees are recruited from all over the world and many are here on special visas and are not citizens
- there is considerable use of so-called open source solutions because most of them are free; but open source is done by international groups with no accountability, one of the reasons the infamous Heart Bleed bug ravaged US systems
- hardware is manufactured abroad with a majority of the equipment and parts produced in China;
- even reliable Asian producers such as Taiwan, Japan and South Korea outsource much of their product manufacturing to China and use low-cost Chinese engineers and technicians for design work and production
A Cyber Security Agency needs to develop and support a new approach that would
- Develop a new generation of product –hardware, firmware, software– for use by the US government, military and trusted parts of the critical infrastructure;
- Use only vetted Americans to execute the designs
- Manufacture only in the United States in secure facilities owned by Americans
- Build a system that works on recognized security principles, is compartmented, and is available to users only on a need to know basis (no Snowdens)
- Use multi layer encryption throughout the system and for all kinds of stored information, not just so-called classified or sensitive information
- Apply the new technology to computers, computer networks and SCADA controllers and to new IoT applications
Obviously the new systems would not use any open source code. The system would be triple redundant to guard against any failure (today’s systems are generally not redundant). The government will have to estimate the risk of using cloud-based computing and any cloud system authorized has to be under US government control and not shared with any cloud users who are not authorized and not part of the government, military or critical infrastructure.
The above steps would take place quickly so that in as little as 5 years the entire government and critical infrastructure cyber systems can be replaced.
The Cyber Security Agency will be responsible for creating the hardware, firmware and software and establishing the security mechanisms and standards for protection. Funding needed is anticipated to be in the $3 to $5 billion range (not counting procurement of new platforms and ancillary equipment by agencies). The development cost is thought to be less than what today is being spent by the government on failed cyber security solutions.
The Cyber Security Agency will also be responsible to recommend to the President retaliation against malefactors at home and abroad. In the case of hacking attempts in the United States, it is proposed that the criminal part of the law be substantially strengthened and the Justice Department and FBI be encouraged to prosecute those attempting to hack US systems. In every case, the charges against wrong doers would be Federal charges, and the punishment would be served in Federal prisons.
In regard to foreign-generated attacks on the government, military or critical infrastructure there are two important principles: (1) without exception the government of a foreign country where a cyber attack originates will be held responsible for the attack and the US will demand that the perpetrators be arrested and extradited to the United States; (2) where a foreign country refuses to cooperate, the full range of retaliation against the institutions of that government can be recommended by the Cyber Security Agency to the President.
This is superior to the current system which apparently relies on a Pentagon-created approach called Plan X. There is little or no public evidence that Plan X has been useful or effective. The Pentagon should certainly have the capability to execute orders to retaliate from the White House, but the recommendation should initially come from the Cyber Security Agency and be agreed by the National Security Council and the President.