by Stephen Bryen
It is time for the US government, critical infrastructure components, the military and important businesses to dump Microsoft and Google. The products of these two companies, and many others, built primarily for entertainment have no place in sensitive government and business operations. All of them represent a time bomb whose chain reaction has already started. The constant hacking and intrusion of these systems is robbing the American taxpayer blind and undermining national security.
Our government has long been two-faced about the vulnerabilities of popular operating systems, open source software and the total lack of security that dominates America’s software industry. That’s because NSA and other intelligence organizations in the US government take advantage of the stunning weakness of these platforms for spying. So, while the government opines about hacking and foreign governments, it is busily at work spending billions of dollars to spy on anyone and everything.
I am not at all against government spying. It keeps me and my family safe. It is important and if we decide to curtail it we may pay too high a price enabling terrorists and foreign regimes to bring harm to our country.
My problem is that the two-faced approach has blocked any chance to put real security in place for critical computer networks providing essential services, and it has left our military vulnerable to hacking. Today we know that our energy companies, banks, transportation systems, even our health care delivery have been heavily assaulted from within and without, by foreign and domestic hackers. Key defense programs have been compromised and billions of dollars' worth of data stolen. Important stealth combat systems have been stolen.
America is a rich country, one of the richest in the world. But can we afford the losses we are taking? Because of the two-faced approach, we do not have accurate reporting on how much has gone out the window, but it is a lot. Our government will not own up to the true danger so long as its spying trumps security at home.
Risks are multiplied by the fact that almost all our computer hardware comes from China. Certainly American companies make some of it although production is abroad, but none of that really matters. The opportunity to slip micro code into mobile phone and computer platforms is there and plain to see. But our government offers no guidance on this sore subject, and in fact continually encourages production outside our borders.
Surely at some point in the not so near future tragedy will strike. Someone will penetrate a nuclear power plant and generate a Three Mile Island type disaster; or Amtrak will end up with trains on the same track heading in opposite directions; or the power grid will go out as it did on overload in 2003; or Air Force One’s elaborate systems could cause a crash landing. There are plenty more dire scenarios.
The Chinese have got sick and tired of NSA and GCHQ. Thus China is investing in new hardware for its government and military systems and a Chinese operating system without Google and Microsoft. In a few years China will be better protected than America. Maybe we should pay attention. What the Chinese are doing is not just a curiosity. It is a serious investment that may give them more secure systems than we have.
We waste billions each year trying to graft security onto open, public computer systems and networks that were never built to be secure. Thousands of software engineers from all over the world work for America’s software companies. Computer technology has become so globalized that trying to manage production and keep any semblance of security is strictly impossible. Recent bugs found in open source software widely used in all computer systems came from Germany. It could just as well come from France, the UK, India, Israel, Singapore or China. It seems everyone is playing in this field and there is zero auditing of the final products. The rush is to get to market. It can be patched later! But as we know, once a vulnerability is introduced, it lives on. The myriad systems that use these products can’t possibly track the known bugs; and the unknown holes in the system rise to the surface at an increasingly fast tempo.
No one can, or needs to, fix the globalized software and hardware industry. What is needed is a trusted solution that is available only to qualified government, military and critical industries that is built on rigorous, tested security standards and on hardware that is strictly controlled in the United States. Building a secure system is costly, but the investment is far less than what is going out the window today and certainly less than the risk exposure we currently have.
Some would say that a trusted solution will not stay up with the times and will become a costly and useless artifact. There are two answers to this complaint. A security system has a limited purpose and is not like commercial systems with features more geared to entertainment than productivity. Moreover, a security-based system should not be divorced from the real world. If important communications, processing or data management solutions are important and attractive, nothing would prevent these from being adapted to a security-based system.
I am far from optimistic our government will throw out Microsoft and Google and all the Chinese hardware it has bought. But without a new way of protecting ourselves we will pay dearly for our government’s short-sighted approach to protecting its citizens.