by Stephen Bryen
The United States is losing the cyber war. Despite hugely increased expenditures on cyber security, every day the situation worsens and we continue to fall behind. As I write there is no government or military website that has not been hacked and vital information stolen. It is not just the government –banks, health care systems, financial transactions, credit card data, identity theft, social security numbers, legal briefs, strategy documents, corporate secrets, intellectual property –the list is nearly endless.
When you are in a war you look for metrics to understand just how well you are doing and what the conflict outcome will be. An Army general surveys the battlefield, estimates his resources, evaluates his technology, and decides on his strategy. If the general believes he will lose the war, he tells his political leaders and waits for guidance.
There are four possible outcomes in a war: fight to win; fight to a stalemate of some kind; negotiate with the enemy; surrender.
Looking at the current state of affairs in the ongoing cyber war, we can reach some conclusions.
Firstly, right now we cannot fight to win because we do not have either the troops or the technology to win. No one has figured out a satisfactory offensive strategy other than to convert cyber war into a traditional war. This is impractical and no one is really willing to go down this path (other than to threaten some sort of offensive cyber warfare).
Secondly, there is no stalemate in cyber warfare available to the United States. One of the most serious potential threats, China, is too important economically and politically to be seriously challenged. Beyond China there are plenty of other cyber war makers, as in Russia, Iran, Syria and even hackers embedded in countries around the world. While the US and some of our friends have tried to prosecute some hackers, the triumphs are few and far between. None of the threats are under sufficient pressure to stop hacking; in fact they are more emboldened than ever.
Thirdly, there is no one to negotiate with today. Attempts have been made to talk to the Chinese; they deny everything and blame the US for spying on them.
This leaves the surrender option, but unlike territorial war, there is no one to surrender to so we face the prospect of going on losing. Our critical infrastructure is exposed, our government is losing control of its systems, and our military is watching as its command and control and its vital technology spills out through the back end of its networked systems or through its industrial partners.
Throwing more money at “the problem” is not a panacea. Our government, military, and critical infrastructure cannot continue running around like chickens with their heads cut off. That is the sum of what is happening today.
The entire infrastructure of information technology is based on mostly an open architecture approach to computer systems and network infrastructure. That is conducive to a fairly rapid spiral development of new commercial technology. Unfortunately, the commercial approach downside is that security plays second or third fiddle to the push for bagging commercial dollars from investors and customers alike.
It is very well known that spending money on security does not “produce” anything, so putting money and resources into security systems is resented by investors and corporations, even by individual users who often chafe under security restrictions and operational limitations.
The commercial computer space is heavily tilted toward entertainment and not to business or industry, No where has the entertainment element enjoyed more success than in mobile devices such as smartphones and tablets; for the most part there is not even a pretense of security in these systems.
We have to recognize that the entertainment function of computer systems and networks, mobile and fixed, is a fact of life. Where we go wrong is to use the same operating systems and network support for entertainment as we do for government, business, and the military. Adding to that, the same underbelly developmental system, a global collection of non-vetted persons and risky manufacturing locations, adds to the conundrum.
A great indicator of the collective mindset today is shifting everything over to so-called cloud systems, even where we don’t have the slightest idea of how these clouds are managed or how easily they can be compromised. The Pentagon, which obviously knows better, is today endorsing cloud systems that are big risk, just as they are supporting mobile platforms that have been hacked to death.
It is time to break free from the open source globalized approach when it comes to government, military and critical infrastructure mobile and fixed computers and networks. Instead of wasting billions on hopeless security “solutions” while we continue to fall behind in the cyber war battle, is senseless, wasteful, frustrating and demonstrates bad leadership and hopeless management. Let’s stop.
What we need a an American secure operating system and an American secure network environment built in a trusted environment by reliable people in safe manufacturing locations. Not in China. Not offshore. Here.
The talent to do this surely exists, it is just being wasted today on “other” projects.
A Strategic Plan would look like this:
1. Replace all critical infrastructure operating systems and networks with a US developed secure operating system in three to five years.
2. Assure that connectivity outside of the secure environment is carried out separately from vital secure computing.
3. Impose the massive use of encryption and truly protected authentication on the new secure operating system.
4. Make sure all OS and Secure Network users are properly cleared and vetted.
5. Put in place a compartmentalization system based on need to know and create a series of decentralized and regulated security centers to make sure the thresholds on need to know and a permission based environment are carefully maintained.
6. Do not use any equipment made outside the United States in the critical infrastructure.
7. Create a T&E center to check all hardware, firmware, software with independent auditors and engineers.
8. Create a Red Team to constantly try and break the system, point out vulnerabilities, and fix them immediately. The Red Team should be large and heavily incentivized to find problems.
9. Never, ever, share the US system with anyone outside the US. Make sure that the technology is controlled fully by the US government. And design the system so that if a piece is lost, it can be deactivated remotely and never be useful to an adversary or enemy.
10. Make sure the intellectual property, the technology developers, the Red Teams, and the system of compartmentalization are secret.
Clearly we cannot continue to run our country when there is global knowledge parity of computer systems, hardware and software we use and where most of our critical products are produced outside the US, especially in China. Nor can we sit around and wait for the inevitable collapse of our military command and control, electrical grid, transportation network, banking services or our health care system.
The above proposal sets a direction for a solution. We can win the cyber war.