Turtles and Cybersecurity

By Stephen Bryen

An old friend of mine, not especially well known for his humor, tells a joke about a small child who asks his father “What holds up the world?”  His father thinks about the question and then answers the young man as follows:  “The world,” he says, “is held up by a huge elephant.”

The child thinks for a minutes and next asks, “Daddy, what holds up the elephant?”  The father responds quickly that “the elephant is held up by a hugely large turtle.”  Just as the child is about to follow up on the father’s answer, the father replies: “And don’t ask, because it is turtles all the way down.”

What is true for the child’s question is also true in cybersecurity, though here the question is “what holds up the computer?” and the answer is “China” and it is China “all the way down” when it comes to components.  China today reportedly has 87% of the global computer and electronics business, and there is no escaping that any computer device you buy, whether a desktop or laptop computer, a tablet, a mobile phone or any gadget linked to the Internet of Things is either made 100% in China or it is full of Chinese made components.

Why should we care about China making our electronics?  There are multiple answers, but the one that should get our immediate attention is cybersecurity.  How can the United States preserve its sovereignty if all its defense systems, government agencies and critical infrastructure rely on China for electronics?

China’s exascale supercomputer

The answer to the little boy’s question in cyber terms is that there is no other available answer. That is, right now there is no alternative to China-sourced electronics.  This means that America’s sovereignty is, factually a potential hostage to China’s political, economic and strategic intentions.

The only actual counterbalance is that China will not push their advantage too far because their economy needs to generate revenue from the sale of China-sourced electronics.  But that does not mean China won’t try and wring out maximum advantage so long as they can get away with it; and won’t when the time arrives use the full force of their leverage against the United States when there is a clear cut and significant payoff from doing so.  Thus China’s strategy is to increase the competition against the United States by systematically extracting defense information and vital intellectual property (“IP”) so long as the U.S. tolerates China’s doing so.

Thus we have two parts of a larger proposition which are: (1) that China dominates in electronics and there is no alternative and (2) that China will systematically exploit its advantage to gain defense secrets and critical IP, knowing that the U.S. will do very little about it.

Washington’s answer to the problem has been to spend billions on cybersecurity –the idea is to make secure already compromised systems.

Logically it is not possible to make compromised systems secure unless you know (a) what the source of the compromise is and (b) that you can keep updating the “fixes” provided fixes are available.

Very often it takes time, sometimes years before a vulnerability is understood.  During the time between its actual appearance and its discovery the potential intruder has significant access to computer networks, systems, communications links and databases.  Once it is “fixed” the repair has to be integrated into all systems immediately.  Experience says this is never the case and that “patches” to systems are late in being applied or never are.  Indeed, to put an exclamation point on the problem, the highly vulnerable outdated operating system Windows XP is still used by nuclear submarines, aircraft carriers and sensitive defense systems.  These systems are hard to change out because in many cases the operating systems have been customized to perform certain non-standard tasks and cannot be patched without breaking the mission-purpose of the system.

Not everything has a patch.  There are certain types of hardware, for example that are unfixable. These include hardware-based flash memory system, because flash memory is an inherent and untamable security risk.

Then why is it that the United States has just tried to keep patching up commercial software and hardware?

I do not believe we have been given a proper answer to this question, and security practitioners don’t ask because they want to keep their Mr. Fix-It contracts from the government and private sector flowing.  Thus the huge security industry that has grown up because of poor quality commercial software and hardware depends on an exponentially increasing flow of insecure hardware and software to keep their businesses humming.

On top of the institutional bias to keep things as they are, the Chinese are certainly not the only folks that know how to exploit shoddy software and hardware.  NSA is pretty good at it, as we have learned as Snowden let a lot of the cat out of the bag.  Governments around the world, hackers of all kinds, corporate elites all compete by backdooring computer-related systems of their targets.  Like the computer security vendors and operators, governments and hackers have a vested interest in keeping things as they are.

All of this means the bottom line is that the U.S. is seriously risking its sovereignty should China become more confrontational.  There are many possible triggers for a down-spiral in US-China relations including the South China Sea dispute, Taiwan, North Korea and trade issues (to name just some currently near the top of the list).  Taking the possibility of real confrontation into account, the U.S. should prudently be exploring alternatives at least for vital defense systems and critical infrastructure elements.

What alternatives could be considered, or is it turtles all the way down?  One solution is to throw out commercial hardware altogether and replace it with systems that do not use commercial operating systems or foreign-made hardware and that do not follow standard communications protocols or Internet standards.  In short a completely new, secure system that is unknown to hackers and inaccessible.  

While this sounds like a formidable undertaking, I think the economics for it outweigh what we are spending to little avail on security that does not work.  Think about it, or think about the turtles.