by Stephen Bryen
founder and former head of the Defense Technology Security Administration
I have been writing about cyber security for many years. I believe I have some credibility in this field. I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense. I also started and ran two cyber security companies, one in the 1990s called SECOM, which was the world’s first secure chat program, and currently Ziklag Systems, which markets secure mobile smartphones. Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America. My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks. And I have found it shocking that no one seems to know what to do about the menace.
Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.
Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks. Nothing is safe. Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.
The reason for that is easy to see. All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world. Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart. It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.
Add to this tremendous weakness the problem of SCADA systems. SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems. There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide. Once again, both the hardware and software for SCADA are accessible to foreign regimes and terrorists as well as other rogue actors. It is the SCADA that was the center of the attack on Iran’s uranium enrichment centrifuges, where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb. What was done with the Stuxnet worm to damage Iran’s nuclear program likewise can happen to us.
Patching computer operating systems and fixing SCADA software won’t work. This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems. If patches worked, they would save us from attack. But the plain fact is that they may help a little but not enough to stop a determined and resourceful adversary.
China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems they won’t share with us. We should take a cue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.
Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems. It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.
Above all we need a policy based on “win-win,” not on hopes and fictions that we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.