The COTS Danger to American Security
Row, row, row your boat, Gently down the stream. Merrily, merrily, merrily, merrily, Security is but a dream. –Mostly by Anon.
The Pentagon dreams about cyber security, but in many ways it is responsible for the government-wide debacle that is undermining the United States, imperiling the critical infrastructure, and compromising our defense and intelligence systems. For unexplained reasons, given the number of high priced scientists and engineers and a budget that is the envy of the world (despite recent reductions), instead of making progress tightening up cyber defenses, the number of successful attacks has grown exponentially and the amount of damage has escalated with it. No one doubts we are in a cyber war; but instead of fighting it properly, we are falling deeper and deeper in the hole that cyber terrorists have dug for us.
The failure at the Pentagon and throughout the Federal government is a decision that was taken in the 1980’s which has not been changed. That fateful decision was to rely on commercial off-the-shelf products – hardware and software – because it was the cost-effective thing to do. Security did not figure into it: in fact, when the security issue was raised by some they were accused of being spendthrifts and troglodytes.
COTS, as it is known in Pentagon jargon, is equipment that can come from any source provided it is in the commercial market space. Right from the beginning the Pentagon moved to start buying commercial computers and computer and network equipment. It began to throw out its costly Tempest machines, and not long afterward declared that the Tempest program wasn’t really needed at all, because the “threat” had changed.
This meant that the bulk of computers on desktops in the Pentagon were COTS boxes. While in the early years these were assembled in the US, as at the famous IBM PC factory in Boca Raton, everyone knew that the components were sourced all over the place, but primarily from Asia. Increasingly the Asian dimension became a China one, as China dominated the space with cheap labor, low-cost engineers, and a domestic market that attracted big companies to shift their product lines to the Chinese mainland. Even the Taiwanese, who had a vigorous domestic computer hardware industry including home-built computer memories and microprocessors, invested in China, setting up factories there instead of in Taiwan. Take note, for example, that the world-famous Apple iPhone is made by Foxconn in China, a company that is owned by Taiwan’s Hon Hai Precision Industry Co., Ltd.
Nowhere in America’s high-tech industry, and certainly nowhere in Asia, is there any thought about security at manufacturing plants. The same holds true in software development, much of which has also migrated offshore, to South Asia, Taiwan, Korea and China and beyond.
Most of the COTS products that are part of computer networks in the United States are open source, with a partial exception of Apple, and even here the circle is so wide and the lackadaisical approach to security so pronounced that it really does not matter. Apple does it for proprietary and marketing reasons.
In his famous book Spy Catcher, published back in 1988 just when COTS was gaining momentum, former MI-5 Assistant Director Peter Wright explains how MI-5 bugged an East European crypto room. When the operators in the crypto room wanted to encode something, one of them read the message out loud while the other transcribed the message into secret code using a one-time pad, a very secure means of scrambling information. The British spies just bypassed the crypto thanks to their microphones. Today we have nearly the same thing, since secret access points in computer and network operating systems make it possible for cyber thieves to listen to everything before it is scrambled (in cases where encryption is used, which is less than 10% of the time).
The bottom line is that commercial operating systems, hardware and software, cannot be secured. To make matters worse, updates and changes in software and hardware, in the fast-paced computer world, help assure that new security vulnerabilities are generated far faster than the old ones can be patched, if and when they are. Take just the latest mobile platform debacle, where it is shown that Apple’s Siri and Google Now can be operated remotely by hackers that can compromise a mobile device such that it can be controlled and private conversations, even when the phone is not in direct use, can be easily recorded. Take note that the Pentagon has endorsed both the iPhone and a Samsung Android phone that use this software, proving once again that the Pentagon doesn’t have a clue about security and only is scratching the back of computer companies.
The only practical way to restore security is to use non-COTS equipment that does not run COTS software. This would be equipment built from the ground up to be secure, and the equipment must be designed by American citizens who are security cleared and who work in a compartmented cross-checked system. The end system would be designed so that where there is a point of failure it can be quickly isolated and resolved; and where a point of failure won’t grant access to the wider network or the data storage systems which, in any case, would be encrypted.
It will probably cost a few billion dollars to launch a program and design a system that is really secure. It will take another $10 to $20 billion to replace all the compromised junk in use by the Defense Department, the military, the government and by America’s defense industry.
Perhaps that sounds like a huge investment, but against the loss to our national defense programs it is nothing.
Here is a paradigm to think about. The US Joint Strike Fighter program, the F-35, is the future tactical aircraft system for the Air Force, Marines and Navy. It will replace the F-16’s and F-15’s in the inventory. There is no other aircraft on the drawing board, so if the F-35 fails or the program is compromised fatally, the US effectively no longer has a functional air force.
There are many skeptics who are critical of the F-35 program. Its stealth is not so good, it maneuvers poorly, its BVR (beyond visual range) systems can be jammed, and it is outmatched by existing Russian and emerging Chinese fighter aircraft.
But let’s say that Lockheed and its many contractors work out the bugs in the F-35, and the airplane proves its initial worth. What happens if all its systems are compromised and America’s adversaries arrive at countermeasures that make the F-35 much less useful than was planned some 15 years ago? What then?
It is public knowledge that terabytes of F-35 data have been stolen by China and probably shared with Russia.
The information was lifted in cyber attacks primarily on the F-35 contractors and subcontractors. If the Chinese got enough to compromise the F-35, which could be the case, then the F-35 is a dead duck already.
The US is planning to sink $1.5 trillion (or more) into the F-35 program overall. That is a fabulous amount of money. If it is a net loss, there will be more than hell to pay. Our country will be at risk, our allies too, and the security system we have labored to keep in place since the end of World War II will, inevitably, collapse. You can’t fight an enemy with your good looks.
Even worse is the propensity of program managers, contractors and policy-makers to cover up failure. So we may not even know the full extent of the damage until the next D-Day.
Of course, this may all be needless worry and the F-35 program is safe enough, or it can be salvaged. But so long as it continues to be worked on commercial (COTS) computer networks, it is a bad bet.
In the past I have written that we need a kind of Manhattan Project to fix our computer systems and networks. We have the scientists and the needed skills. We certainly have the money. What we seem to be missing is the leadership necessary to cure the disease before it is too late. COTS is unacceptable anywhere real security is needed.