Thursday, August 18, 2016

Clear and Present Danger to Your Life As Of Now From Cyberblitzkrieg

PLEASE DON’T SHOOT THE MESSENGER!

Overview

This week, the immediate risk to our lives through cyberblitzkrieg has suddenly risen dramatically, due to new events in cyberspace. If a cyberblitzkrieg on electric power and other critical infrastructure does occur, the level of damage would be comparable in general to the kind of damage we feared at the height of the Cold War, when something like half the world could be lost suddenly and the rest in a cascade of events. “Cyberblitzkrieg” is simply a coordinated cyberattack on multiple physical plants, like power generators or large transformers, which are hard to replace in less than, say, six months. Gingrich wrote the foreword to a novel, “One Second After” (see Amazon), vividly describing what a big EMP event could mean to the US; the possible damage here is similar, and I really hope something can be done to close the doors in time. We really need to get serious about this, because your life and mine are both at risk, really, here and now, starting this very week.

For me, the week began after I thought through two international meetings led by the Millennium Project (www.themp.org) in the DC area, one on the future of work and one on new ways to cope with terrorism (http://www.millennium-project.org/millennium/NATO-PredetectionWorkshop.html). These two challenges, taken together, require new, more conscious strategies for developing the future of IT, and new directions in technology. With any new directions, we naturally ask: “What is the first discrete step we could and should do?” The first step in this case would be to close the loopholes which make our critical infrastructure vulnerable, here and now, and which limit what we could do in the future with the Internet of Things. I sent an email on what we need to do to a friend well-placed in cybersecurity. (I post that email below; it gives the technical idea.) I did not send this out more widely, because the folks who actually might want to pull a cyberblitzkrieg here and now tend to be more responsive and agile than our own people, and I did not want to generate the wrong kind of excitement in the wrong place.

BUT: this past week, “all hell came loose,” and the risk has become much more visible and much larger. CNN ran a prominent story on the vulnerability of our power system, with pictures of what cyberattack has done to Ukraine. (Of course, there are other sources, which I mention below.) More important, the widespread nature of backdoors and holes in firewalls and in servers, and tools to exploit them, have been widely publicized; see http://www.wsj.com/articles/group-claim-to-have-u-s-government-hacking-tools-for-sale-1471309022 . Finally, news came out about NSA21, a major restructuring of the NSA which many fear would reduce the capability of the Information Assurance part of NSA to actually implement the kind of patch we need most urgently. (Just search for NSA21 on Google News!) One guy hinted to me: “The problem now is that we are too busy with political kinds of reorganization even to consider these kinds of changes.” So maybe we are fried. Really.

A Few Details

I do not know whether NSA21 will make our prospects much better, much worse, or whether it will be a mixed bag or of limited impact. I do not know, of course, because many details are not yet final, and many are not open to us, the public. Nevertheless, since NSA is the only US institution with leadership in the area of “rainbow book” technology, it will certainly be important here. There are excellent reasons to believe that NSA21 may be very important, one way or another. In an interview, Rogers stressed “fundamentals,” which is what we need. (We really need to understand what we are doing.) But will Information Assurance be strengthened? Will we be enabling a greater fulfillment of the intent of the US Constitution, enhancing the freedom of a free people, or will we be enabling a top-down vision I have seen of IOT as a top-down control system which could suffocate us all to death in the end? The stakes are high.

The news of the week reminds us that router servers and communication systems are just as important, in the long-term, as operating systems. My plan would have a phase two extending the new approach to them as well, and even tacitly accounting for the huge implications of new quantum technology. (This week, the Chinese launched a secure-communication quantum satellite, and our paper in Quantum Information Processing describes how China is a full generation ahead of the US now in critical quantum areas, thanks to the ‘reforms’ of Lamar Smith; see www.werbos.com/physics.htm for a link to a copy of the paper, in case you do not have journal access.)

 ========================

The Email I sent a week ago with overview proposal for immediate action:
  
A few years ago, when I handled electric power grid research at the National Science Foundation (see http://www.werbos.com/PJW_NSF_bio_Feb2015.pdf), Congressman Trent Franks did a beautiful job of explaining why he was so concerned about risks of Electromagnetic Pulse (EMP) events hitting the US power grid. If half the big transformers in the US were taken down, the damage could be a lot greater than the mere $1-2 trillion predicted in the official report from the National Academy of Sciences; it would be more like a return to the Stone Age, as depicted in a novel by Gingrich on that subject. Yet in 2009, folks at the National Defense University showed how a cyberattack could accomplish the same thing, if it could get all the way to the software which controls generators.

As a technical person, I am tempted to talk at great length about the growing threats in this area, and about how all the good, worthwhile things now in the pipeline are not yet enough to prevent disaster. Even as we cope every day with a deluge of small, gradual attacks, our vulnerability to one vast unexpected cyberblitzkrieg from people like hostile state actors is growing and growing. I do hope your contacts would be willing to discuss adding a new program, intended to be a FIRST STEP towards a more comprehensive solution.

The key idea:

Move all critical infrastructure ASAP to control by a new generation of operating systems, which meet the NSA "rainbow book" standards for absolute unbreakability, with open-source machine verification of unbreakability and privacy, EXCEPT for a standard "wiretap observer" subroutine which would be black but whose inputs and outputs and potential actions are visible in open source.  

This would be a huge change in today's practice. Because this is a complex issue, I would be grateful for a chance to be available to answer questions, after I give you just a few highlights of the long discussions behind the new proposal. One of the last things I did at NSF before my retirement was a review of larger issues with the Internet of Things (see attached paper), and we have had many follow-on discussions. Here below is my crude attempt to summarize the first wave of tradeoffs.

Electric power utilities are already a lot more secure than financial institutions, for example, in control of critical infrastructure of the kind NDU has alerted us to. They generally use some dialect of SE-Linux for critical operations. SE Linux, guided by NSA, is informed by the best knowledge in the "rainbow books" (like the Multics "orange book" I learned about when developing software for Multics in 1973-1975) about theorem-based unbreakability. But utilities are totally dependent on vendors like AB&B who "take their time to update compliance," and backdoors have become a growing problem in all dialects of Linux and Unix. For many years, standard practice was for the US to use a few known backdoors to enable its crucial "wiretap" kinds of functions, hoping that adversaries would never find the backdoors -- but a couple of years ago we narrowly avoided a really huge crisis when a backdoor in Linux embedded control chips became known, and the time for adversaries to discover backdoors has become shorter and shorter. It may be that China has already long had the ability to shut the US down, and is gently holding it in reserve for a good time, but more and more other high-capability actors are showing up. Given how much is at stake, and where things are going, it is time to bite the bullet and change the way we do business as soon as we can.

Unfortunately, "as soon as we can" is not overnight. Open-source, machine-verified compliance before deployment is essential to eliminating "taking time to get to compliance"; the technology is known (at least to NSA and a few specialists in places like Berkeley and relevant contractors), but the wiretap subroutine is essential in practice, and an open public demo of the technology is needed first. Someone should fund the project to do that demo, and make it 100% global open source. Then would come the phase-in of a new requirement that a growing circle of critical infrastructures must meet the new standards, as OS's are developed in full, open, transparent compliance. Also, of course, design of an acceptable wiretap subroutine and policy needs to go forward, in parallel with the development of the initial demo.

There are some futurists who argue that there should be total transparency in the future, such that all operating systems and computer databases should have read-only access to the entire world. At best, that is not a near-term option. But it is true that law enforcement does have a right to investigate criminals with a warrant, and that a new security system must not overturn that right. Policies on warrants and wiretaps are complicated, but we cannot afford to waste time reinventing the wheel; the job for us tech people now is to build a clean READ-ONLY interface and make sure it goes to the right level of respectable constitutional and international lawyers to handle what they do with their side of it. We do need to be asking for operating systems which would not be shut down de facto in a mission-critical way by denial-of-service attacks based on the wiretap subroutine; thus compliance should include verification that the outputs of that subroutine could not have that effect.
("Quiet times" or "quiet cores" useful in reporting may be crucial parts of design... something like that.)

In a way, the “warrant subroutine” suggestion preserves the kind of backdoor access which folks like the intelligence gathering parts of NSA and FBI rely on very heavily; however, since it is READ-ONLY, the threat of someone taking down the US power grid would go away. The tradeoffs are similar to those of mutual nuclear disarmament, without the worries about cheating (because each nation has an incentive to protect itself, and its own protection depends on its deploying better software).
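The design constraints stated in the email for the "wiretap observer" subroutine (visible inputs and outputs, read-only access to controller state, and outputs that cannot stall or alter the mission-critical loop) can be illustrated in a small model. The following is an added example, not code from the post or from any project named in it; the names Snapshot, ReadOnlyObserver and run_controller are hypothetical, and the plant dynamics are constructed for the illustration.

```python
"""Added example (not from the post): a control loop with a read-only, non-blocking observer.

It models the constraints the proposal places on the 'wiretap observer' subroutine:
the observer's inputs (snapshots) and outputs (reports) are plain visible values,
the observer receives only frozen copies of controller state, and nothing it does,
including hanging, can delay or alter the control loop. Names (Snapshot,
ReadOnlyObserver, run_controller) are hypothetical and the plant dynamics are made up.
"""
import queue
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Immutable copy handed to the observer; attribute assignment raises."""
    cycle: int
    setpoint_mw: float
    frequency_hz: float


class ReadOnlyObserver:
    """Runs a reporting hook on its own thread behind a bounded, non-blocking queue."""

    def __init__(self, hook, depth=4):
        self._hook = hook
        self._inbox = queue.Queue(maxsize=depth)
        self._lock = threading.Lock()
        self.reports = []      # the observer's only output channel
        self.accepted = 0      # snapshots the queue had room for
        self.dropped = 0       # snapshots discarded because the observer fell behind
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        while True:
            snap = self._inbox.get()
            try:
                out = self._hook(snap)
            except Exception as exc:       # observer faults are contained, never propagated
                out = f"observer-error cycle={snap.cycle}: {type(exc).__name__}"
            with self._lock:
                self.reports.append(out)

    def offer(self, snap):
        """Called by the control loop; returns immediately whether or not the hook is alive."""
        try:
            self._inbox.put_nowait(snap)
            self.accepted += 1
        except queue.Full:
            self.dropped += 1

    def drain(self, timeout=2.0):
        """Wait (bounded) for accepted snapshots to be processed, then return the reports."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.reports) >= self.accepted:
                    break
            time.sleep(0.005)
        with self._lock:
            return list(self.reports)


def run_controller(cycles, observer, load_mw=100.0):
    """Toy generator-frequency loop. State lives only here; the observer sees copies."""
    state = {"setpoint_mw": load_mw, "frequency_hz": 60.0}
    for cycle in range(cycles):
        # Constructed, deterministic dynamics: dispatch wobbles by 0..2 MW around the load.
        state["setpoint_mw"] = load_mw + (cycle % 3)
        state["frequency_hz"] = 60.0 + 0.01 * (state["setpoint_mw"] - load_mw)
        observer.offer(Snapshot(cycle, state["setpoint_mw"], state["frequency_hz"]))
    return {"cycles_completed": cycles,
            "final_setpoint_mw": state["setpoint_mw"],
            "final_frequency_hz": state["frequency_hz"]}


def logging_hook(snap):
    """Well-behaved observer: reads and reports."""
    return f"{snap.cycle}:{snap.frequency_hz:.2f}"


def tampering_hook(snap):
    """Misbehaving observer that tries to write; the frozen snapshot refuses."""
    snap.setpoint_mw = 0.0
    return "should not get here"


def hanging_hook(snap):
    """Misbehaving observer that never returns (a stalled subroutine must not stall the loop)."""
    threading.Event().wait()


if __name__ == "__main__":
    obs = ReadOnlyObserver(logging_hook, depth=8)
    print(run_controller(6, obs), obs.drain())
    hung = ReadOnlyObserver(hanging_hook)
    print(run_controller(20, hung), "dropped:", hung.dropped)
```

The point of the model is the direction of the arrows: the controller pushes copies out and never reads anything back, so a hook that hangs only costs dropped snapshots (counted, so the loss is itself observable), and a hook that tries to write fails inside the observer. A real compliance check would have to prove these properties of the subroutine's interface rather than demonstrate them by test, which is what the email asks the verification to cover.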

Attached: www.werbos.com/IOT.htm , an earlier vision (2014) with citation to the rainbow book story.

Thanks for your consideration! There is a lot at stake in really getting this right, ASAP.

==========================================
===========================================

A week or two later:

There have been interesting follow-on discussions here, though I am worried that the lag between White House level initiatives on critical infrastructure protection and NSA21 may reduce the probability of "stopping the bleeding" in time and increase the probability of other types of quick action on other fronts which make it harder to get out of the hole.

On the positive side, I look forward to receiving a link from the IEEE Computational Intelligence Society to a talk I gave last week in Missouri putting the big picture together in a clear way.
 https://www.youtube.com/watch?v=6q1HqRd9MnA
The security of operating systems is just one level of what we need to do, for sustainable IT and IOT. There is a communications level, and, trickiest of all, there is a need for new apps for examples like better management of power grids, financial networks and employment networks.

So -- LIKE three levels, OS, comm and apps. 

Even the OS level has important complications beyond the urgent need for machine-verified "rainbow book" compliance as I propose above. The theorems which underlie the rainbow books guarantee that an OS cannot be broken UNDER certain conditions. The open source programs which validate source code as compliant are essential and urgent... but what if the actual physical hardware does not actually implement the source code? What about "hardware hacks"?

It is fortunate that hardware hacking is not so widely available yet as the software hacks which make us vulnerable right now to cyberblitzkrieg! But it is coming. There are two types I know about now.

This week, information came out about a program which can stress a chip in a way which causes a breakdown which software attacks can exploit, able to destroy even a compliant unbreakable OS!! I am happy to hear that error correcting codes in the software, and/or new memory management procedures, can handle that. This is a serious problem, but it seems solvable enough. Folks like electric power systems could upgrade urgently to things LIKE hard drives with ECC (though I sure hope folks like Information Assurance will be prepared to help them and guarantee quality control!), and a "phase two" of the software compliance program could make sure that standards are upgraded to include the new memory management, as soon as possible, but not to delay the urgent phase one changes I proposed above.
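The paragraph above says that error-correcting codes can absorb the bit errors that a chip-stressing program induces. The following is an added example, not from the post, of the kind of code that does this: a single-error-correcting, double-error-detecting (SECDED) Hamming code over one byte, plus a scrub pass of the kind an ECC-checked memory runs to repair single flips and flag double flips instead of silently using corrupted state. Function names and the sample memory contents are constructed for this illustration.

```python
"""Added illustration (not from the post): a SECDED Hamming code over one byte.

A 13-bit codeword holds 8 data bits, 4 Hamming parity bits (positions 1, 2, 4, 8)
and one overall-parity bit (position 0). A single flipped bit is located by the
syndrome and corrected; two flipped bits are detected but cannot be corrected,
which is what an ECC scrub pass must report rather than silently miscorrect.
"""
CODEWORD_BITS = 13
PARITY_POSITIONS = (1, 2, 4, 8)
# Positions 1..12 that are not powers of two hold the 8 data bits.
DATA_POSITIONS = [p for p in range(1, CODEWORD_BITS) if p & (p - 1)]


def _parity(bits, mask):
    """Parity of all codeword bits whose position has `mask` set."""
    return sum(bits[p] for p in range(1, CODEWORD_BITS) if p & mask) % 2


def hamming_encode(byte):
    """Return the 13-bit SECDED codeword (as an int) for one data byte."""
    bits = [0] * CODEWORD_BITS
    for i, p in enumerate(DATA_POSITIONS):
        bits[p] = (byte >> i) & 1
    for par in PARITY_POSITIONS:          # each parity bit covers positions with that bit set
        bits[par] = _parity(bits, par)
    bits[0] = sum(bits) % 2               # overall parity makes the whole word even
    return sum(b << i for i, b in enumerate(bits))


def hamming_decode(codeword):
    """Return (byte, status) with status 'ok', 'corrected' or 'uncorrectable'.

    byte is None when the word cannot be trusted.
    """
    bits = [(codeword >> i) & 1 for i in range(CODEWORD_BITS)]
    syndrome = sum(par for par in PARITY_POSITIONS if _parity(bits, par))
    overall_odd = sum(bits) % 2 == 1
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:                     # exactly one bit flipped: syndrome is its position
        bits[syndrome] ^= 1               # syndrome 0 means the overall-parity bit itself
        status = "corrected"
    else:                                 # parity even but syndrome set: two flips
        return None, "uncorrectable"
    byte = sum(bits[p] << i for i, p in enumerate(DATA_POSITIONS))
    return byte, status


def flip_bits(codeword, *positions):
    """Constructed fault injector: flip the given bit positions of a codeword."""
    for p in positions:
        codeword ^= 1 << p
    return codeword


def scrub(words):
    """ECC scrub pass over a list of codewords.

    Returns (repaired_words, counts): corrected words are re-encoded from the
    recovered byte, uncorrectable ones are left in place and counted so that
    the caller can fail safe instead of using garbage state.
    """
    counts = {"ok": 0, "corrected": 0, "uncorrectable": 0}
    repaired = []
    for w in words:
        byte, status = hamming_decode(w)
        counts[status] += 1
        repaired.append(hamming_encode(byte) if byte is not None else w)
    return repaired, counts


if __name__ == "__main__":
    # Constructed sample: a small "memory bank" with one single-bit and one double-bit fault.
    bank = [hamming_encode(b) for b in (0xA5, 0x3C, 0xFF, 0x00)]
    bank[1] = flip_bits(bank[1], 6)        # one disturbed bit: correctable
    bank[2] = flip_bits(bank[2], 3, 10)    # two disturbed bits: detected only
    repaired, counts = scrub(bank)
    print(counts, [hamming_decode(w) for w in repaired])
```

The overall-parity bit is what separates "one flip, corrected" from "two flips, uncorrectable": a pure Hamming code would miscorrect a double flip to a third, wrong position. The uncorrectable count is the number that matters operationally, since it is the signal that a memory region is being disturbed faster than the code can absorb.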

That's the easy part.

But what about HARDWARE backdoors, which some of us have discussed for years? When lots of money was being funnelled into software things, including cybersecurity, at NSF, several of us in Engineering proposed that there also be some effort to try to cope with hardware backdoors, such as what some folks in China could do when making a chip. I am not sure how far all that got. But in fact, testing chips to find hardware backdoors may be a kind of "NP hard problem," a kind of problem which could be solved much better using Analog Quantum Computing, a line of technology discussed in our paper this year in Quantum Information Processing. (I posted a link at www.webos.com/physics.htm.) Bottom line: this is one of several technology capabilities which will become available only AFTER some initial experiments are performed and followed up on; only China and Austria have the ability to do those experiments today, in part because of what folks like Lamar Smith have done to reorganize all the government agencies in their jurisdiction. (I just hope the new NSA reorganization will not be similar in impact!) But perhaps it is just as well that this security capability will take longer to implement, since hardware backdoors installed by the chip maker are not quite as urgent as protecting us from malicious hackers anywhere on earth.

