Saturday, March 6, 2010

power grids and cybersecurity

First -- thanks to Mitzi Wertheim and others on this list for getting me invited to
the energy conference at the National Defense University a few months back. It was
a great learning experience. One thing I learned -- the really high priority that DOD assigned to the security and vulnerability of the electric power grid.
(Though I did hear the same message in a couple of hearings last year as well.) Because
the integration of renewables and the optimal use of plug-in hybrid cars requires more of a "smart grid,"
there is every reason to worry about the risk that the cybersecurity grid problems and trends might be even worse in the future
than they have been lately.

On many, many occasions I have heard electric utilities say things like "oh yes, we get attacked 50,000 times per day."
And once, over beer, a utility guy I was particularly close to confided in me about the really scary cat and mouse games they have to play, routinely,
just to keep things going even now.

And so... I don't have a complete picture of this issue, the way I think I do with energy. Please forgive if I report impressions which turn out to be false.
But in doing some due diligence for some personal computer issues, I have had to grope and do my best on some things that others might find interesting.
If one of you corrects some of my wrong extrapolations, please be tactful about it -- but please do not just regurgitate flawed conventional wisdom.

First -- some background. You have probably heard that "there is no such thing as an unbreakable operating system. First and foremost, security is a human thing
and a frame of mind and..." This is only a half truth. There is a lot of very important useful stuff going on in areas like
avoiding insider threats and in intrusion detection. (My friend the electric cat sure had use for a good sniffer to help him.)
But -- a lot of people who make useful products, in all areas of human endeavor, have a tendency to be unfair to other folks
who also make useful products different from theirs. There really is such a thing as an unbreakable operating system, and it has a crucial role to play
in areas like this. For example -- I'm willing to bet that those 50,000 attacks per day, AND the more serious ones my friend told me about,
were not insider attacks. An unbreakable operating system would help a WHOLE lot, especially since it feels like a kind of wrestling match where the sheer volume of attacks
is becoming hard to deal with. And the computer horsepower available for cyberattacks is growing per Moore's Law -- or faster.

Where to find an unbreakable operating system? As it happens, I was very lucky in graduate school to get to work on the GE-then-Honeywell Multics operating system,
which was developed as an outcome of very serious and rigorous research at leading universities. Theorems have been proven and books written. It became
the first operating system certified as approved for multiple security level jobs. It was the core of the World Wide Military Command and Control System (WWMCCS)
in the Pentagon for several years. (In time, Moore's Law and the market caught up with it.) They told me that a tiger team was sent to break it, with full access to
all the code (which was in PL/I, and far more intelligible than usual operating systems); they found just one trap door, easily closed, and that was that.
Multics embodied a then-new system called "ring brackets," among other things. Microsoft and Apple have both talked a lot about getting back to ring bracket types of security
in recent years, but there are certain issues in implementation. To put it mildly. Theorems only work if one is strict about making the assumptions of
the theorem valid. People tell me that the MOST reliable, unbreakable operating system available today is the Unix-based
system developed by Roger Schell for the National Security Agency (NSA). I believe that his famous "orange book" is available on the web.

But what about Windows? I have certainly known experts who say that use of Windows for really critical missions (like power grid operation?) is a security risk.
My older daughter once dated boys who wrote code for Microsoft, and it was VERY clear that they were not enforcing the kind of rules required to comply with
unbreakability theorems. (My daughter did.) More seriously -- when Vista came out, I did a quick google scan through a lot of the new literature, and it became apparent
that Microsoft was more effective in enforcing their own ability to control a user's computer from the outside -- inevitably leaving the open spaces which make it actually easier
for a well-informed hacker to get in there. It cut back on ordinary USER control, not on hackers' rights. But still, I have used Windows at work and at home, for a number
of practical reasons -- not least of them, pressure from IT groups, who have certain vested interests vis-a-vis Microsoft, security or not security.

About a month ago, the winds of change started blowing -- HARD.

First episode we all saw -- on the surface. You probably remember the great "China raids google" scandal, which people are working hard to get past
on many levels. Neither google nor China like wars; they have some common sense about Pareto optimal arrangements, even if it does
imply some mutual safeguards. One side effect -- google told a lot of customers: "It's not our fault that the government of China saw so many
of your emails. For god's sake, what do you expect when you use unencrypted wireless links?" And to all gmail users (including me) they inserted a discreet note
at the top of all gmail web pages, announcing "new security relations". Click on it and you see... https security is now the DEFAULT. We don't
want people hurting themselves by accident. You can change back if you want, but you have been warned. (Additional comment:
at a hearing on cybersecurity last year for Senate Commerce Committee, the guy who runs networking for AT&T basically said
"there might be some hope that someone might someday develop a way to make wireless communications REALLY secure, but it's not clear to us that this is really possible."
The Terminator 3 scenario is not so far off as people think.)

I checked with my wife, and she was skeptical. Sure enough, the change was ONLY for wireless connections. To get full security for ALL your gmail,
you need to click the "ALWAYS" http option in gmail settings. I do that, and it doesn't slow things down. Does it work? Two weeks ago,
I heard some pretty wild and fiery speeches threatening to overthrow the government of Iran, especially using Facebook and YouTube and Twitter and such.
No mention at all of google. The fiery people were openly disdainful of the ancient email generation. So who did Ahmadinejad complain about and crack down on a week or two ago?
Not one word about facebook. It was gmail. I guess someone else thought enough about security to check the box. And, I hope, maybe google's https
is strong enough that the Revolutionary Guard, at least, would find it hard to crack routinely. Not so bad, on the scale of things. On modern computers, I don't detect any slowdown.

Next episode: after a year on the Hill, I come back to NSF to be told "We have determined that Eudora 7 is a security risk. We have put measures in place
to get rid of it, forcibly, from all computers at NSF." I said: "But wait, this is my entire file structure for the last 10-20 years. Even if I could find a way to
forward it to Outlook, it would be like taking a warehouse full of files on all subjects known to man, and just dumping all the contents into a huge heap on the floor."
But they said: "No exceptions. And no Eudora 6 or 8 either." I was not kidding about Outlook; it was hard enough to approximate real intellectual standards for even
one year, dealing with just a few subjects, on the Hill, using Outlook, even exploring its outermost limits. So I looked a lot closer.

First, the folks I rely on most tell me that Apple's new OS X, version 10.6, really is a close enough cousin of Roger Schell's kind of unix-based system.
Indications are that it's the closest thing to a truly unbreakable operating system I could get on the market, with a limited budget. On a close study -- Apple Mail
(PERHAPS with the add-on "leap") has the features I found essential in Eudora. Microsoft's Entourage 2008 was the next best competitor, but... not quite, for reasons
we could get into. So at this moment, I am now looking at a really beautiful new Apple computer, and about to make the final transitions. No need for
buying conversion software; IMAP servers (like gmail!!!) and OWA make it much easier than in the past to transfer email. (Difficulty of transfer was the main
problem with Eudora 7 -- even transfer to Eudora on a new computer!) I do wish I had noticed the IMAP option in google years ago. (google "gmail IMAP.")
So now -- I will be migrating to all Apple Mail for official work, all gmail/Eudora7 for all personal or less official stuff, and outlook at times as a kind of backup repository store but not active use.
An interesting related story -- did you notice the recent announcement from China of pervasive standards for all computer software and hardware products?
Part of this is undoubtedly "the great firewall of China" and neo-mercantilism, but not all. China has been worried about ITS cybersecurity
just as much as we have -- and perhaps a whole lot more effectively! I did try to discuss some of these issues with US government folks in past years.
For example -- to really protect all government agencies and infrastructure, it would be possible to enforce an incremental forced compliance (in all government procurement)
of software which not only meets unbreakability standards, but has a way the government can do AUTOMATED checking of all new source code to
be put in critical areas. I feel confident that Microsoft would be willing and able to respond to a proper phased-in rule. (If not, there's Apple...)

But what about the hardware aspect? If the hardware itself does not implement what the software thinks it is going to do... could chip builders
insert their OWN back doors? Not a joke. I once proposed that we broaden cybersecurity research to include cross-disciplinary hardware/software stuff...
but research is often a SOURCE OF MONEY. Certain local fat cats in computer science wanted to avoid the dilution of funding that would come if some
of the cybersecurity money went to hardware experts. (I doubt that recent liposuction has changed them much, but we should try to be open...)
The new Chinese standards do seem to suggest total awareness of all this. But in all honesty... I was not looking forward to the possibility of having to
learn about chip diagnostic procedures myself... it's not obvious what can be done if the chip manufacturer is not part of it. Most of that is overseas now.

There are some folks who will say of cybersecurity: "the Chinese may have standards, but we have a czar." But the Chinese and the Russians are
not the only ones on earth who have ways of dealing with czars.

========================================================
-- Have received some interesting feedback from that posting.

-- Some folks in industry are enthusiastic about SE-Linux which, they say, is a publicly available
version of NSA's unbreakable operating system. If you have a PC, and don't want to be a branch office of
China's data collection effort, you can just set this up and use it for ALL your network connections.
It has a package called Evolution -- at least two varieties, providing essentially the same capabilities as Office,
including email like Outlook. (I deeply respect China's active curiosity, but the same paths they use can be used
for many other purposes.)

-- BUT: the new national cybersecurity plan appears quite different in flavor, from the (limited) newspaper accounts.
There has been a long-standing dilemma -- to "build higher walls" to protect government and critical infrastructure
from things like overseas takeover attacks (which can literally burn out expensive power generators), or to create big
breaches in the walls and lower the walls, so that investigators can peer inside and keep an eye on things.
This relates to a point I alluded to -- do we protect the user from all others, including Microsoft, or do we protect Microsoft
from the user? Logic says we COULD aim for stronger, higher and more transparent walls... but I haven't seen much of that.
It is possible that we are now moving towards greater ability to see terrorists living in America, but greater vulnerability
of critical computers outside the NSA.

-- One guy says:
Do read the second public draft of NISTIR 7628. It is at
http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7628

He reiterates the common theme of folks being funded in this area "there is no
such thing as an unbreakable operating system. You only need to reset a few wires.."
BUT: there have been strong theorems proven guaranteeing unbreakability in a useful, practical way
**IF** certain conditions/assumptions are strictly fulfilled. Sure, there is always a risk of someone
changing the hardware and invalidating the conditions. Sure, those risks do need to be taken very seriously
as part of any general plan. BUT a quantum improvement in our ability to fend off attacks by people who DON'T
have physical access to the wires would be well worth the trouble... and may be downright urgent, given
the strain that I hear our power system is already under. Not to mention how viruses and crime and such have become
more and more of a hassle.

That said -- I have no idea what the security tradeoffs are between SE-Linux, Mac OS X and the real NSA unix system
derived from Schell. Nor do I know how theorems from folks like Berkeley researchers have been updated to account for varying
ways of handling communication with the outside world.

On my PC at home, I do not really plan to install SE Linux. It's not a sensitive government installation, and the power
of Evolution and of raw Office is just not enough for my purposes. I will probably migrate at home from Eudora
to Outlook, and use an add-on, Neo Pro, to maintain organization -- and PERHAPS use it as a client for gmail,
using gmail's IMAP capabilities, or even use Eudora as a way to access gmail using the IMAP capabilities (even though
it won't give true google and Eudora access together for anything but the inbox). At work, the new Mac does fine.