A Manhattan Project for Cyber Security

by Stephen Bryen

The latest eye-popping cyber-scandal involves the vulnerability of critical microprocessors vital to all things “computer.”  This means computers themselves, smartphones and any equipment that needs a sophisticated microprocessor to function.  In all these categories America’s security systems, including the entire critical infrastructure, are at risk.  But it is even worse, because many important weapons have computers embedded in them, many running old operating systems like Windows XP and Windows NT.   Beyond the military, industrial SCADA controllers used in nuclear power plants and in air traffic control (for example) also embed commercial computers and operating systems, either as a whole or in part.

The entire infrastructure of information technology is based mostly on an open-architecture approach to computer systems and network infrastructure. That is conducive to fairly rapid spiral development of new commercial technology. Unfortunately, the downside of the commercial approach is that security plays second or third fiddle to the push to bag commercial dollars from investors and customers alike.

A number of vital software modules in commercial operating systems are produced by “volunteers” under a community-sourcing system that is already known to be responsible for the infamous Heartbleed bug.  Community sourcing is international in scope; individuals and small groups work on solutions that are offered to the cyber “community” at no charge.  These modules are often taken up and incorporated in commercial products.  In the case of Heartbleed, a volunteer named Robin Seggelmann, then a Ph.D. student at the Fachhochschule Münster, implemented the Heartbeat Extension for OpenSSL in 2011.  Seggelmann’s work was reviewed by an OpenSSL maintainer and no problems were found; it was not until April 2014, more than two years after the code shipped in OpenSSL 1.0.1, that the flaw was discovered. The bug affected OpenSSL, a cryptographic library widely used on the Internet for secure transactions.  It was a missing length check: a remote peer could ask for a larger “heartbeat” reply than it had sent and receive up to 64 KB of the process’s memory per request, which could hold the private keys behind a server’s X.509 certificates, session cookies and decrypted traffic.  The encryption itself was not broken; the secrets that make it work were simply readable, which exposed everything to theft.
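The mechanics behind Heartbleed, as an added example in C that is not OpenSSL’s code and not part of this article: a simplified RFC 6520 heartbeat handler in its vulnerable form beside a fixed one, run against a constructed request that claims a 48-byte payload while actually sending 2 bytes, with a made-up secret placed right after the record in a buffer that stands in for process memory. The message layout follows RFC 6520; the buffer sizes, the secret string and all function names are assumptions made for the demo.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. A simplified TLS Heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The receiver must echo the payload. Heartbleed was a missing check that
 * payload_length actually fits inside the bytes that were received. */

#define HB_HDR      3   /* type byte + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */
#define HB_REQUEST  1
#define HB_RESPONSE 2

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void write_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Vulnerable handler: copies payload_length bytes from the record into the response
 * without checking that the record is that long, so the copy runs past the end of
 * the received data into whatever follows it in memory. Returns bytes echoed or -1. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* the bug: the received length is never consulted */
    uint16_t payload_len = read_u16(rec + 1);
    if (out_cap < HB_HDR + (size_t)payload_len + HB_PADDING) return -1;   /* output sizing only */
    out[0] = HB_RESPONSE;
    write_u16(out + 1, payload_len);
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);   /* over-read past the record */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* Fixed handler, in the shape of the OpenSSL 1.0.1g patch: reject records too short
 * to hold a header plus padding, and reject any payload_length that does not fit
 * inside the bytes actually received. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > rec_len) return -1;   /* the missing check */
    if (out_cap < HB_HDR + (size_t)payload_len + HB_PADDING) return -1;
    out[0] = HB_RESPONSE;
    write_u16(out + 1, payload_len);
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* Build a well-formed request carrying `payload`; returns its length on the wire. */
size_t build_valid_request(uint8_t *buf, size_t cap, const char *payload)
{
    size_t plen = strlen(payload);
    size_t rec_len = HB_HDR + plen + HB_PADDING;
    assert(plen <= 0xFFFF && cap >= rec_len);
    buf[0] = HB_REQUEST;
    write_u16(buf + 1, (uint16_t)plen);
    memcpy(buf + HB_HDR, payload, plen);
    memset(buf + HB_HDR + plen, 0, HB_PADDING);
    return rec_len;
}

/* Constructed model of process memory for the demo (an assumption, not real data):
 * a 21-byte request that lies about its payload length (48 instead of 2) sits at the
 * start of `mem`, and a secret that happens to follow it (as a private key might)
 * sits right after it. Keeping everything inside one buffer makes the over-read
 * deterministic here. */
#define DEMO_SECRET   "PRIVATE-KEY-BYTES"
#define DEMO_CLAIMED  48
size_t build_demo_memory(uint8_t *mem, size_t cap)
{
    assert(cap >= HB_HDR + DEMO_CLAIMED);
    memset(mem, 0, cap);
    size_t rec_len = build_valid_request(mem, cap, "hi");     /* 21 bytes actually received */
    write_u16(mem + 1, DEMO_CLAIMED);                          /* the attacker's lie */
    memcpy(mem + rec_len, DEMO_SECRET, strlen(DEMO_SECRET));   /* adjacent data, never sent */
    return rec_len;
}

/* Does a response of `n` echoed payload bytes contain `needle` anywhere? */
int response_contains(const uint8_t *resp, int n, const char *needle)
{
    if (n < 0) return 0;
    size_t nl = strlen(needle), total = HB_HDR + (size_t)n;
    for (size_t i = 0; i + nl <= total; i++)
        if (memcmp(resp + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t mem[64], out[128];
    size_t rec_len = build_demo_memory(mem, sizeof mem);
    int n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    printf("vulnerable: %zu-byte record, echoed %d bytes, secret leaked: %s\n",
           rec_len, n, response_contains(out, n, DEMO_SECRET) ? "yes" : "no");
    printf("fixed: returned %d (request rejected)\n",
           heartbeat_fixed(mem, rec_len, out, sizeof out));
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable handler echoes 48 bytes, including the planted secret, while the fixed one rejects the request. The real attack worked the same way with up to 64 KB per request, and because the leaked bytes were whatever happened to lie next to the record, repeated requests could sweep out private keys, session cookies and plaintext that the encryption was supposed to protect.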

In the case of Heartbleed the flaw was a programming error; it was neither intentional nor malevolent in motive.  But the “community” has unvetted members all over the world, meaning that a cyber assassin (my term for cyber criminals) could deliberately plant a subtle flaw in code under development and probably get away with it.

Logo representing Heartbleed. Security company Codenomicon gave Heartbleed both a name and a logo, contributing to public awareness of the issue.

The same unfortunately is the case with our major technology companies, including the “biggies” such as Microsoft and Google.  There are three reasons why this is so:

1. As a matter of practice and commercial objectives, big companies build their software and hardware primarily to satisfy their customers, who are focused most heavily on entertainment, not security.  These companies are under pressure to outperform their rivals, and this drives innovation but also sloppiness when it comes to protecting their customers.

2. America’s top companies outsource software work and do so based on price, availability and speed of performance, meaning that a lot of the outsourcing is done by foreign workers either operating outside the United States or brought to the United States under special visas (the H-1B visa program most of all).

3. Top companies often don’t reveal a vulnerability or bug, even to the government, until they are sure they can fix it (if then).  The only corrective in the system is when a competitor finds a flaw and reveals it to encourage sales of its own products.  The latest two bugs, known as Spectre and Meltdown, were known to the affected vendors for some six months (or longer) before they became public in January 2018 through two research papers.

H-1B Visa Program (from The Hindu, http://www.thehindu.com/news/international/trump-administration-seeks-60-days-to-respond-on-work-permits-of-h1b-spouses/article17426699.ece)

It is surprising and worrisome that the Pentagon, military, White House, CIA, NSA and other sensitive agencies use commercial off-the-shelf products that include word processing, spreadsheets, CAD/CAM, PowerPoint and anti-virus programs (some including products made in Russia).  It is even more surprising that these agencies, which support millions of computers, have not invested in proprietary, encrypted software products for their internal use.  While it is quite true that there are some encrypted networks, these don’t help much if the source computers and their software can be attacked, bypassing the encrypted networks.

It is a sure thing that commercial products are bought en masse by US government entities from vendors and are never checked for security or tested against known vulnerabilities.  Despite massive losses of technology and compromises of secret and sensitive information, not to mention the potential loss of billions of dollars in taxpayer-financed investments, the government has never set up any organization to check commercial products for security before they are deployed.  While the Pentagon has an automated security checklist for systems already running, the system is cumbersome and poorly implemented and, in any case, doesn’t work.

It is worth mentioning that the “test” the GSA uses to list software and hardware that can be bought easily by US government agencies (and by many city and state organizations too) is not the security of the software or hardware but whether it has demonstrated “commerciality,” meaning that the vendor has ample sales in the broader marketplace.  This only adds insult to injury when it comes to safe systems.

We have to recognize that the entertainment function of computer systems and networks, mobile and fixed, is a fact of life. Where we go wrong is to use the same operating systems and network support for entertainment as we do for government, business and the military. The same underbelly of a development system, a global collection of non-vetted persons and risky manufacturing locations, adds to the conundrum.

A great indicator of the collective mindset today is the shift of everything over to so-called cloud systems, even where we don’t have the slightest idea of how these clouds are managed, by whom, or how easily they can be compromised. The Pentagon, which obviously knows better, is today endorsing cloud systems that are a big risk, just as it is supporting mobile platforms that have been hacked to death. (One wonders whether anyone there has bothered to visit the places where the cloud systems are hosted, or had a look at who works there.)

It is time to break free from the open-source, globalized approach when it comes to government, military and critical-infrastructure computers and networks, mobile and fixed. We are wasting billions on hopeless security “solutions” while we continue to fall behind in the cyber war. The result is senseless, wasteful and frustrating, and it demonstrates bad leadership and hopeless management. Let’s stop.

What we need is an American secure operating system and an American secure network environment built in trusted laboratories by reliable people in safe manufacturing locations. Not in China. Not offshore. Here.

The talent to do this surely exists; it is just being wasted today on “other” projects.

In 2014 I proposed the following Strategic Plan, which I described as a Manhattan Project for Cyber Security.

The Plan would look like this:

1. Replace all critical infrastructure operating systems (including all government, military and intelligence systems) and networks with a US developed secure operating system in three to five years.

2. Assure that connectivity outside of the secure environment is carried out separately from vital secure computing.

3. Impose the massive use of encryption and truly protected authentication on the new secure operating system.

4. Make sure all OS and Secure Network developers and users are properly cleared and vetted.

5. Put in place a compartmentalization system based on need to know, and create a series of decentralized and regulated security centers to make sure the need-to-know thresholds and the permission-based environment are carefully maintained.

6. Do not use any equipment made outside the United States in the critical infrastructure.

7. Create a T&E center to check all hardware, firmware, software with independent auditors and engineers.

8. Create a Red Team to constantly try to break the system, point out vulnerabilities, and fix them immediately. The Red Team should be large and heavily incentivized to find problems.

9. Never, ever, share the US system with anyone outside the US. Make sure that the technology is controlled fully by the US government. And design the system so that if a piece is lost, it can be deactivated remotely and never be useful to an adversary or enemy.

10. Make sure the intellectual property, the technology developers, the Red Teams, and the system of compartmentalization are secret.

The initial cost of the system is estimated at around $2 to $4 billion in development, plus more for replacing equipment and software.  But keep in mind that the US government is presently spending around $28 billion each year on cyber security. Every projection sees big increases in cyber attacks affecting everything from computers, networks, cloud systems and smartphones to the Internet of Things. Even two-thirds of the police surveillance cameras covering President Trump’s inauguration were infected with ransomware by Romanian hackers in the days before the event, leaving them unable to record.

Keeping the system we have and endorsing the current practices for purchasing IT equipment is essentially a death warrant for the functioning of our government and military.  It needs to change.

Just as the United States developed the atomic bomb in the Manhattan Project, we can use America’s best and brightest to build a top-notch security system that works.  But we have to start from scratch, and we have to use the best science and technology America has to offer, coupled with top-drawer serious security measures in developing and deploying the new system.

Most of all we need some intelligent leadership to change the way we do business.