Making Our Nation Safe From Computer Hackers

By Stephen D. Bryen


WASHINGTON, D.C. — Some small-minded sages are chortling in America that people with electric cars don’t have to worry about the Colonial Pipeline, shut down by a cyber attack, because they can get their “gas” from the electric company. They go on to argue for more electric cars.

Of course if it was the power company that was knocked out, the electric cars would not run. And power companies have been knocked out.  The Russians killed one in Ukraine, putting it offline for some time.

There is, unfortunately, a related argument in Washington, in the CIA and Pentagon.  The CIA has already taken the plunge; the Pentagon tried in a $10 billion project, but it is tied up in litigation.  The idea?  To put everything in the cloud.  In other words, create a single point of failure, ripe for attack by state and non-state actors.

The DOD and CIA cloud ventures illustrate, better than anything else, just how dumb government officials are when it comes to security. And the Pentagon is a specialist in creating monstrosities and single points of failure, such as the F-35 that is supposed to replace just about everything “tactical” in the Air Force, even though the plane was never in combat.  Crazy.

When it comes to cyber security and dealing with cyber attacks, the U.S. government, even though it has spent hundreds of billions of dollars since 1988, is worse off today than ever.  So is the critical infrastructure which includes energy, transportation, water supplies, food supply, communications, chemicals, critical manufacturing (most of which today is offshore), financial services (including the U.S. Treasury, Banks, Stock Markets), health care and more.

In the United States most of the critical infrastructure, other than government and the military, is in private hands, and the U.S. Congress decided in 1988, when the first Computer Security Act was passed, not to require that the private sector meet certain network and computer standards.  The private sector was left free to decide on its own what the right amount of protection might be.

In fact and to be fair, today no one knows what the right amount of protection is, because no one actually knows how to protect any computer system with any degree of certainty.

Virtually all the computers used in the United States are made abroad, other than highly specialized supercomputers and certain processors made for defense applications. This includes not only machines that do information processing, but specialized controllers used in manufacturing and for operating power grids and pipelines.

These are known as SCADA-based systems (SCADA stands for Supervisory Control And Data Acquisition).  The same SCADA boxes that help run power plants and pipelines, control water supplies, and manage transportation and critical manufacturing are commercial devices produced mostly abroad.

One of the most famous SCADA systems is made by Siemens in Germany. It is the same one that runs Iran’s uranium centrifuges and will help assure Iran can have nuclear weapons.

While it is possible to build some security “walls” around computer networks and SCADA systems, most of them have been penetrated one way or another.  For example, most computer networks are open and store data without any protection. Operating systems, likewise, are commercial (off the shelf) and are not encrypted.  Network protocols and the internet all rest on standards shared globally and are easily hacked.

Even much of the Defense Department’s intellectual property is stored without encryption protection because of obsolete rules the Pentagon follows.  These rules say that if an item is not classified, in the Pentagon it isn’t supposed to be stored in encrypted format.  The National Security Agency (NSA) controls encryption in the US government, and the strict separation of classified from non-classified information is their mantra.

While the Pentagon has begun characterizing some information as “sensitive but unclassified”, such information is not entitled to NSA-sponsored encryption.  Whether sensitive but unclassified information can be protected by law from disclosure appears highly questionable, because DOD says it is not national security information.

Unfortunately this is complete nonsense.  Probably 80 to 90 percent of DOD information is unclassified and much of it relates to technology and weapons systems information. It is ridiculous to say it isn’t national security information.

A key example: China stole almost all the plans and data for the stealthy F-35 fighter plane, most if not all of it unclassified and unencrypted, thereby seriously compromising a front-line defense program that will cost taxpayers in excess of $1.5 trillion over its life cycle.  If this information is not national security related, what is?

When it comes to cyber attacks DOD and the FBI are on a little firmer ground in the sense that they understand the magnitude of the threat.  But does the U.S. response reflect the danger to U.S. national security?

DOD, the military departments and other government agencies continue to buy computer and network equipment from China while attempting to put in place security measures. Virtually all the equipment is commercial.

Despite buying billions in computers, laptops, modems, tablets, cell phones, routers, hard drives and tons of other equipment such as GPS and Internet enabled security cameras (with a free backdoor to connect Beijing to U.S. military bases!), DOD has no hardware or software vetting system.  In other words, they buy equipment without knowing if it is compromised or full of malware.

If DOD is sloppy, you can imagine what the rest of the government is like, or just how “protected” the critical infrastructure is.

The Colonial Pipeline case raises another big red flag, since “ransomware” is a major threat in three ways.  The first is that ransomware disables computer networks, including SCADA systems, by encrypting everything with an unbreakable code that you have to pay to get lifted.

The second is that ransomware often includes the theft of information before the ransom encryption kills the network.  The stolen information is used partly as a threat to force the network operators to pay the bribe.

And the third matter is that even if you pay, and Colonial has paid $5 million in cryptocurrency that can’t be traced, there is no assurance that the unlock key will work or work effectively.  Colonial apparently paid the bribe early on (without telling anybody), but the decryption key they got was working very slowly, if at all.  In other words, Colonial got the shaft from the perpetrators.

Suppose that next time the U.S. Strategic Air Command is shut down?

It is clear that commercial networks, including hardware and software, much of it from foreign sources, aren’t the right way to protect the critical infrastructure and safeguard national security.

Adversary nations have set up elaborate and well trained teams who focus on specific targets and work full time to take them down. And disciplined semi-independent teams of hackers, like the ones who have hit Colonial, are criminal operations.  Yet we tolerate both.

Here are a few suggestions before the next disaster happens:

  1. Put in place a national program to create secure networks that use hardware built by secure vendors
  2. Require all critical infrastructure networks to be vetted in a Third Party Audit for Security under the aegis of NSA or any other security agency capable of doing it
  3. Vet all hardware before it is used by the U.S. Government or critical infrastructure components
  4. Go after malefactors, domestic or foreign, and impose stiff penalties on perpetrators
  5. Make it clear to foreign governments that if they sponsor or shelter criminal operations they will find their networks destroyed

So far, at least, our government always promises to make things better (but that never seems to happen) and does not act as if our national security were at stake.  It isn’t clear if this will continue, but if it does it will have a devastating impact on the United States.

*

Stephen Bryen is well versed on technology security policy, twice being awarded the Defense Department’s highest civilian honor, the Distinguished Public Service Medal. His most recent book is Technology Security and National Power: Winners and Losers.