A National Commission is Urgently Needed
By Stephen Bryen
To protect national security, the US government needs its own computer operating system and computer and network hardware.
Today the US government, including the military, primarily relies on commercial software and hardware. In the past decades this has led to an epidemic of hacking of government and military systems, mostly sponsored by antagonistic foreign governments. The main culprits are China and Russia, but others such as Iran and North Korea are also heavily involved.
Hacking has done immense damage. The US has lost vital information on defense hardware which has been stolen en masse. Personal information, including security clearances for top level government employees and agents working for the CIA has also been stolen and used against us.
Worse still, the hackers pretty much know how to shut down or cripple key government networks. They have been practicing for years now.
The CIA, NSA and FBI know this very well, but so far have proposed trying to fix what we have.
Even more troublesome, the fast evolving commercial software and hardware world generates new security vulnerabilities regularly. That is largely because most commercial products are hastily made to boost sales and thwart competitors, so the focus on security is secondary at best. Regardless of industry claims that their products are secure, there is not a single piece of software or hardware that is truly secure.
It is not impossible to build secure operating systems, secure software or secure hardware. However it is mostly true that to make really secure computers, you have to surrender many of the entertainment features baked into them including video, music and games.
The government and military needs a computer operating system and supporting software that is strongly integrated with secure hardware. That cannot be any commercial product for the reasons stated above.
Some think they can build up security around commercial systems. Billions of dollars have been spent putting in place security protocols, patches, encryption, firewalls, robust authentication and other steps, but they have not stopped hacking when pitted against a determined and well funded adversary. Even keeping out amateur hackers is difficult, but a government-backed adversary is really tough. That is why the government calls the menace the “Advanced Persistent Threat.”
In the movie Casablanca, Captain Renault says “arrest the usual suspects.” If we are going to fix the problem we cannot rely on the usual suspects in the security community who make their living putting their fingers in the dikes. The time has come to form a National Commission for Secure Computer Networks composed of disinterested experts to work out a new security approach.
The proposed National Commission would have the following general guidelines:
–Tasked to Devise a new computer operating system and new computer hardware that is not based on commercial platforms
–Tasked to Create a security infrastructure to protect government systems from physical and virtual compromise
–Design a registration system for all operating systems, computers and networks
–Propose national security laws to protect the computers and networks used by the government and military
–Design a system that does not use the public internet. Create a new independent secure backbone network
–Make sure to avoid single points of failure for all applications and networks
–Make sure the entire system is encrypted (all information, all software, access to hardware) and is organized on a need to know basis
–Insist that all government and military information as classified without exception understanding that the existing narrow definition for classified information makes it difficult or impossible to protect personal, law enforcement and defense information
–Use only US companies for manufacturing with no component sourced outside of the United States
–Never uses public domain or community-created software routines in building secure systems
–Propose a system to vet all hardware and software intensively in special labs dedicated to this purpose
The trillions the US invests in defense should not be squandered because of computer network vulnerabilities. And in an increasingly volatile world, the US should not risk the lives of its servicemen and women to enemies who know all about our defense systems and networks.
The clock is ticking on the US ability to sustain national security given the information vulnerabilities today. Only a senior level national commission on securing our computer networks can devise solutions that are urgently needed.