How the Pentagon has Messed Up Cyber Security & Lost its Way
By Stephen Bryen
First Published in InFocus Magazine
For years, the Pentagon has been pretending to secure its computer networks from Russian and Chinese hacking. But while wasting huge resources on an impossible, futile task, it has sponsored the development of weapons systems that are themselves wide open to hackers. The net result is that cyber insecurity has escalated exponentially.
You don’t have to look far for examples.
If you were somewhere near the South China Sea, on the islands and reefs China has seized illegally, you might be buzzed by one of China’s stealthy J-20 fighter-bombers. How can China, a country that has always needed a lot of help to build warplanes, field an airplane that uncannily resembles the F-22, America’s overall best stealth fighter-bomber? Because, while the Europeans, Israel, and most of all Russia have supplied aircraft designs to China, the US is the single biggest supplier.
No. The United States does not sell F-22 blueprints to China; but China has them. They were obtained mostly by hacking the Pentagon’s defense contractors and their suppliers. How did they know where to look? They hacked Defense Department computers to get the lists of all the suppliers, subcontractors and equipment manufacturers. From there, it was easy.
What is true of the F-22 is true of many other weapons systems and programs. America spends tens of billions of dollars on R&D, testing and re-testing, and super-secret technology. But China is privy to much, if not all, of the development taking place in US defense laboratories and at US defense contractors. It even stole from Los Alamos.
In March 1999, The New York Times revealed that China had stolen the design of the W-88 nuclear warhead from the Los Alamos National Laboratory. The W-88 is a miniaturized design that allows multiple nuclear warheads (called multiple independently targeted reentry vehicles, or MIRVs) to be mounted on long-range missiles. Senior officials from the Energy Department, which manages U.S. nuclear weapons development, found that not only Los Alamos but other development centers as well had been compromised by Chinese espionage.
U.S. security on small nuclear warhead design was so poor that the same W-88 design appears to have gotten into the hands of the Khan-Pakistan nuclear technology smuggling network – whether from the Chinese or others. A possible copy was found on the computer of a Dutch businessman linked to the Khan network, and possibly similar documents were uncovered in Libya.
The New York Times story explained that there was extreme resistance to investigating the Los Alamos leak of nuclear weapons information, mostly in an American government effort to protect US-China economic relations.
Behind the internal struggle was the fact that American companies saw huge potential markets in China and allegations of espionage and data theft could well derail the chance to enter and develop US business there. Even today, now that most if not all of America’s top companies are not only selling but manufacturing in China, America gives lip service to the danger of Chinese hacking, but does not retaliate when it happens, even if the result is the compromise of US military equipment and the corollary of endangering the lives of our men and women in uniform.
Indeed, one of the key reasons we do not have a serious missile defense capability is that we do not want to antagonize China. It was only the emergence of the North Korean threat on one hand, and the Iranian one on the other, that has prompted more, though still hardly adequate, American investment in missile defense programs such as PAC-3, SM-3 and THAAD.
And there are other reasons the U.S. has trouble dealing with Chinese espionage, whether cyber or human.
Before the late 1980s, the Pentagon relied on specially designed electronics made up of parts manufactured in the United States and shielded to limit electronic emanations that could be intercepted.
The idea was that Russia could intercept information from computers and equipment that had embedded computers using radio intercept technology. The program was called Tempest and it was required anywhere classified information was being used.
Aside from shielding against the Russians, Tempest had practical applications, for example protecting the electronics of aircraft from civilian hazards such as powerful radio transmitting towers. In 1984, a German Tornado fighter aircraft crashed when it flew too close to the VOA transmitter near Munich, Germany. During a B-52 nuclear long-range bomber missile interface unit test, an un-commanded missile launch signal was given. Among the contributing factors were crosstalk in the systems’ wiring and EMP (radio wave) interference. And now that we use GPS for navigation and warfighting, the Russians and Chinese can jam our systems, as the Russians recently did in Norway.
By the early 1990s, the Pentagon decided it did not need Tempest computers (although it kept Tempest building enclosures for a few highly classified meeting rooms, referred to in Pentagon lingo as “tanks”). Outside of the tanks, the Pentagon turned to “commercial off the shelf” (COTS) technology for tens of thousands of computers, deciding it was more cost effective. As the name implies, the products are the same ones you can buy in stores. The earliest popular COTS computer in the Pentagon was the first PC made by IBM (now Lenovo, a Chinese company) in 1981. Assembled in Boca Raton, Florida, it cost about one-fourth as much as the Raytheon Lexitron, the Tempest desktop.
Many of these IBM PCs were connected through networks to larger mainframe computers. Some of them, like the IBM-360/370 in the Pentagon network, had already been obtained illegally by the Russians (ES EVM or ЕС ЭВМ, Единая система электронных вычислительных машин, Yedinaya Sistema Electronnykh Vytchislitel’nykh Mashin, meaning “Unified System of Electronic Computers”).
The original IBM PC was made up of parts sourced both in the United States and abroad, and as PC technology evolved quickly, so did manufacturing outsourcing. Integrated circuit assembly migrated to Asia, followed by floppy drives and hard disks, and soon everything except the Intel microprocessor was produced abroad, increasingly in China. Today somewhere between 70 and 80 percent of all commercial electronics are made in China, meaning that 70 to 80 percent of the Pentagon’s COTS computers are Chinese in whole or in part. The same applies to computer network equipment and communications hardware, even sensors of all types.
Most of China’s electronics manufacturing know-how and production equipment comes from the United States or from other advanced producers such as Japan, Korea and Taiwan. American export control laws have been systematically liberalized to enable the China market to grow and flourish. America’s allies and friends sell manufacturing technology freely to China, set up factories in China and manufacture for global markets, often under well-known brand names. For example, Foxconn (Hon Hai Precision, a Taiwan-owned electronics company) is the world’s largest electronics contract manufacturer. It builds products for Acer, Apple, Amazon, Blackberry, Google, Hewlett Packard, Microsoft, Motorola, Sony and Toshiba. It employs over 800,000 people, with the largest number in China, where it supports twelve factory locations (many of them with multiple factories at each location) in nine different cities. The bottom line is, if it says Apple, or Dell, or HP on the box, more than Intel is inside.
China has been known to compromise the products it sells. A good example is the memory sticks that are widely used for storing data. Recently, a new generation of memory sticks can store up to 1 terabyte of data. A single stick can hold 75 million pages of data or text, or around 18,750,000 documents, assuming four pages per document. The market, naturally enough, is robust, with approximately 16 million sticks sold each year.
Unfortunately, there is no easy way to secure commercial memory sticks, and even so-called “secure flash” memory sticks may have vulnerabilities.
The Pentagon has an official policy banning commercial memory sticks as serious security risks, but it is poorly enforced and the Pentagon has granted so many exceptions as to make the ban meaningless.
China has also bugged equipment sold commercially, including web cameras, microphones, and routers. Yet DOD is using Chinese cameras at sensitive military bases, where they are part of perimeter security systems. Other government agencies, including the State Department, have installed Chinese cameras in embassies, including in Kabul, Afghanistan. Despite understanding the massive vulnerability of Chinese cameras (and American cameras that are put together from Chinese parts), the U.S. still has no government policy against using Chinese cameras for security.
Recently, China was discovered to have “sneaked spy chips into Super Micro servers used by Amazon, Apple, the US government, and about 30 other organizations” according to Bloomberg news. The servers were supplied by Elemental Technologies, and according to Bloomberg, “Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.” The “chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
One of the problems facing the Defense Department is the use of embedded computers, which, like their desktop and server counterparts, often are produced in Chinese factories and typically run old versions of Microsoft Windows software.
America’s Virginia-class attack submarines – our most modern nuclear powered attack submarines – use Windows XP for vital functions. XP, which has always been a security nightmare, is no longer supported by Microsoft although the Pentagon recently financed additional Microsoft support at least for the next couple of years. That’s because they have no way to easily switch out these computers in major weapons systems.
In 2014, then-head of Naval Sea Systems Command Vice Admiral William Hilarides verified that key systems included processor chips running Windows XP, and worried about hacking – as submarine machinery control systems are analyzed in unclassified computers onshore at warfare centers. “That means a virus that gets onto the unclassified network could work its way into crucial systems on a submarine,” he said.
Even tactical systems are clearly at risk today because of commercial software and vulnerable data links.
Consider drones. Drones are increasingly used to carry out vital surveillance, follow and kill terrorists and for many other security tasks. Drones use COTS software and hardware including Windows XP and other Windows operating systems that are equally problematic.
On December 4, 2011, a U.S. “stealth” drone known as the RQ-170 Sentinel was captured by Iran as it operated near the city of Kashmar in northeastern Iran. The Iranians were able to control the drone and guide it to a landing on their territory. According to Iran, this was accomplished by a special cyber team that was able both to jam the incoming signal from a satellite and to replace it with their own commands.
Also in 2011 a computer virus infected the cockpits of America’s Predator and Reaper drones that carry Hellfire missiles.
Something similar happened in Israel. In 2013 an Israeli Shoval (Heron) drone was hijacked on a mission over the Mediterranean Sea between Tel Aviv and Netanya. The hijacking was done either by Hezbollah or Iran, with the betting being on Iran. Israel grounded the fleet until better security could be implemented.
There is a good chance that the Israeli drones, like the American ones, use commercial operating systems software to manage drone missions. Presumably the Iranians had little trouble figuring this out.
Patching and Fixing
While DOD and its counterparts in NATO and Israel, as well as in the Asia Pacific region (Korea, Japan, Taiwan, Singapore, Australia) and neutral countries such as Finland and Sweden, buy COTS, including embedded computers, there is no centralized security review of COTS products. Vulnerabilities, when they are found, are (sometimes) patched if they can be and if the affected agency doesn’t get a waiver to delay implementing a change. Waivers are given for such reasons as the system being in use, so that shutting it down would disable a vital capability such as an aircraft, a missile or a submarine on a mission.
A Better Solution
It is time to consider dumping COTS products, with those containing Chinese parts first on the scrapping list. It is reckless for the U.S. government and military to use these products since they are exposed to systematic hacking.
Short Term Fix
A partial short term fix is for all data on US computer networks to be encrypted with strong encryption. This does not prevent certain kinds of attacks on our networks, including denial of service and border gateway protocol attacks such as the one that recently redirected Google’s Cloud network. (Ironically, Google has refused to sell its cloud services to the Pentagon for “moral” reasons. Does that mean the Pentagon isn’t obliged to help Google out if it is attacked by a foreign adversary? That would seem to be fair play!) But encryption does make it hard for a competitor or adversary nation, e.g., China or Russia, to read our mail. Yet to keep command and control military networks viable, and key parts of the critical infrastructure operational (like power plants and communications), the short term fix is not good enough.
A Long Term Fix
The U.S. has to invest in a completely new type of computing environment that does not use commercial software and is triple encrypted – meaning the network, the nodes on the network, and the individual sites are separately encrypted. This way, cracking into sensitive networks is nearly impossible, and denial of service and border gateway protocol attacks can better be prevented or contained.
We are already vulnerable, and our security and economic interests are being eroded daily. So, either we move to a new solution and completely overhaul our computer networks and their embedded counterparts, or we will become a second-rate power intimidated by Russia and China, or even worse.
Until there is change, the Pentagon is not a responsible steward of American national security.