by Stephen Bryen
For the past five years I have been alone in arguing that the use of commercial computers and electronics is a direct threat to national security. The latest revelations about Intel microprocessors, now expanded to include microprocessors made by AMD and ARM cover just about every device on the market that uses a microprocessor, including all PCs, all smartphones, and countless devices that fall into the category of the Internet of Things (IoT).
The two vulnerabilities are known as Meltdown and Spectre, with Meltdown applicable to all Intel powered devices produced since 1995 and Spectre applying to Intel, AMD and Arm and by far the more pervasive vulnerability. According to what has been reported, intruders, hackers and criminals can steal passwords and data by exploiting these vulnerabilities, although so far there are few reports this has actually happened.
My own guess is that government spy agencies –here and abroad– have known about these vulnerabilities for some time. Even Intel has known about it at least since June of last year but apparently took no action except that its CEO unloaded $24 million in Intel stock before the storm hit . The Spectre vulnerability was first reported in a technical paper Spectre Attacks: Exploiting Speculative Execution authored by Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom and a separate paper titled Meltdown by Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin Yuval Yarom and Mike Hamburg. Google Project Zero carried out its own research that partly “overlapped” with the two papers cited here. From the reports it seems that as far as computers are concerned the top operating systems, Windows, Mac and Linux are all impacted.
No one knows if any of the proposed “fixes” actually work (one consequence of a partial fix is that computers will be slowed down by 30%), and in any case Intel-powered devices are so pervasive and so thoroughly embedded in military systems including nuclear submarines, that trying to fix them could take years if ever carried out. Meanwhile the military and the government are more vulnerable than ever, and all the billions spent on so-called “security” are down the drain.
The government has got itself in the position it is in through abject stupidity and cupidity. If we lived in a proper dictatorship we would stand those responsible up against a wall and shoot them. But, alas that is not what happens in democracies.
The problem is this: the government decided in the mid to late 1980’s as an “economy measure” to replace specially secure government sponsored and manufactured equipment with commercial off the shelf systems –known in the trade as COTS. COTS was cheap and plentiful and the USA was in the midst of the PC revolution where IBM had quickly captured 25% of the emerging market with its Intel-8086-powered PCs. These were assembled in Boca Raton, Florida, but the parts mostly came from Asia. In a short time, foreign-made computers, especially laptops started to dominate the US-government purchases; one of the big suppliers was Toshiba. While Toshiba was screwing America by selling advanced machine tools to the Soviet Leningrad shipyards to make silent propellers for Soviet attack submarines, it was selling billions in laptops to the Pentagon.
But that was only the beginning. Today, most of the electronics the Pentagon buys comes from China, either directly or when you look inside the box. Instead of Intel inside, Intel (or AMD or ARM) are joined by a chorus of Chinese, Korean, Japanese and Taiwanese companies, with China dominating (probably accounting for 80% of all COTS electronics). Countless vulnerabilities have been uncovered in PCs, routers, memory chips, graphics processor, flash memories, infected smartphones, phoney battery chargers and other equipment dumped onto the U.S. market.
Typically one would say, caveat emptor –buyer beware. Or you get what you pay for.
But now the Intel vulnerability raises an even uglier spectre (to pun on the latest vulnerability, if indeed it is a pun). That’s because Intel is an American company from good ol’ Silicon Valley –the same guys who have been outsourcing American jobs for the past 40 years and getting richer and richer doing it (forget about the American people, these folks are Globalists which entitles them to do what they want). They are the modern version of late-19th century Robber Barons, but they are darlings on Wall Street and have built strong relationships in the Democratic Party that is supposedly pro-Labor.
In any case all this leaves a huge mess. Security has not only taken a back seat to selling gadgets, it has put our security and survival at risk.
My proposal is to replace all COTS systems with government-approved and security screened hardware and software made in the U.S. and fully vetted and completely capable of being fixed if even after a real security layer is put in place, something amiss is found.
Today’s COTS equipment is not engineered for security. At best it is engineered for entertainment and to keep the masses happy and willing to shell out lots of dollars for equipment they barely understand and are mostly incapable of using. It is not surprising that Apple calls its salespersons “Evangelists” because they are selling the Electron Religion to millenials and millenial wanna-bees.
I wrote the following in US News and World Report on 21 June, 2016:
“The only real way to solve the problem is to throw out existing systems and start over. The United States needs a technological “Manhattan Project,”* staffed with the best and brightest Americans with security clearances and charged with implementing a new security paradigm for government and nongovernment critical infrastructure systems that are essential to the functioning of the nation if it is attacked. Such a plan should place the highest priority on replacing COTS operating systems, communications and internet communications with a proprietary solution developed by vetted American citizens and made available for critical infrastructure users, government agencies and the military. It would prioritize compartmentalization and “need to know,” keeping core functions isolated and hidden in order to thwart espionage, either from corporate entities or foreign powers.”
A Cyber Manhattan Project would cost $2 to $4 billion for R&D and would require replacing all equipment in critical installations and isolating that equipment from any COTS channels. That sounds like a lot of money, but the U.S. government is spending a lot more on fake security right now and getting nowhere. If we don’t get rid of COTS we will pay an inestimable price; and the day will come when our missiles won’t launch, our communications won’t work and out government will collapse.
*The Manhattan Project is the short form for the cover name of America’s atomic bomb program during World War II (1942-1945). Specifically it was hidden under the name of the Manhattan Engineering District Project of the US Army Corps of Engineers. The British equivalent secret atomic bomb project was under the code-name Tube Alloys.