Clear and Present Danger
to Your Life As Of Now From Cyberblitzkrieg
PLEASE DON’T SHOOT THE
MESSENGER!
Overview
This week, the immediate risk to our lives through
cyberblitzkrieg has suddenly risen dramatically, due to new events in
cyberspace. If there does occur a cyberblitzkrieg on electric power and other
critical infrastructure, the level of damage would be comparable in general to the
kind of damage we feared at the height of the Cold War, when something like
half the world could be lost suddenly and the rest in a cascade of events. “Cyberblitzkrieg”
is simply a coordinated cyberattack on multiple physical plants, like power
generators or large transformers, hard to replace in less than, say, six months.
Gingrich wrote the foreword to a novel, “One Second After” (see Amazon),
vividly describing what a big EMP event could mean to the US; the possible
damage here is similar, and I really hope something can be done to close the
doors in time. We really need to get serious about this, because your life and
mine are both at risk, really, here and now, starting this very week.
For me, the week began after I thought through two international
meetings led by the Millennium Project (www.themp.org)
in the DC area, one on the future of work and one on new ways to cope with
terrorism (http://www.millennium-project.org/millennium/NATO-PredetectionWorkshop.html). These two
challenges, taken together, require new, more conscious strategies for
developing the future of IT, and new directions in technology. With any new
directions, we naturally ask: “What is the first discrete step we could and
should do?” The first step in this case would be to close the loopholes which
make our critical infrastructure vulnerable, here and now, and limit what we
could do in the future with the Internet of Things. I sent an email on what we
need to do to a friend well-placed in cybersecurity. (I post that email below; it gives the technical idea.) I did not send this out more widely, because the
folks who actually might want to pull a cyberblitzkrieg here and now tend to be
more responsive and agile than our own people, and I did not want to generate the wrong kind of excitement in the wrong place.
BUT: this past week, “all hell came
loose,” and the risk has become much more visible and much larger. CNN ran a
visible story on vulnerability of our power system, with pictures of what
cyberattack has done to Ukraine. (Of course, there are other sources which I
mentioned below). More important, the widespread nature of backdoors and holes
in firewalls and in servers, and tools to exploit them, have been widely
publicized; see http://www.wsj.com/articles/group-claim-to-have-u-s-government-hacking-tools-for-sale-1471309022
. Finally, news came out about NSA21, a major restructuring of the NSA which
many fear would reduce the capabilities of the Information Assurance part of
NSA to actually implement the kind of patch we need most urgently. (Just search
for NSA21 on google news!) One guy hinted to me: “The problem now is that we
are too busy with political kinds of reorganization even to consider these
kinds of changes.” So maybe we are fried. Really.
A Few Details
I do not know whether NSA21 will make
our prospects much better, much worse, or whether it will be a mixed bag or of
limited impact. I do not know, of course, because many details are not yet
final, and many are not open to the public. Nevertheless, since NSA is the only
US institution with leadership in the area of “rainbow book” technology, it
will certainly be important here. There are excellent reasons to believe that
NSA21 may be very important, one way or another. In an interview, Rogers
stressed “fundamentals,” which is what we need. (We really need to understand
what we are doing.) But will Information Assurance be strengthened? Will we be
enabling a greater fulfillment of the intent of the US Constitution, enhancing the freedom of a free people, or will we be enabling a top-down vision I have seen of IOT as a
top-down control system which could suffocate us all to death in the end? The
stakes are high.
The news of the week reminds us that router
servers and communication systems are just as important, in the long-term, as
operating systems. My plan would have a phase two extending the new approach to
them as well, and even tacitly accounting for the huge implications of new quantum
technology. (This week, the Chinese launched a secure-communication quantum
satellite, and our paper in Quantum Information Processing describes how China
is a full generation ahead of the US now in critical quantum areas, thanks to the
‘reforms’ of Lamar Smith; see www.werbos.com/physics.htm
for a link to a copy of the paper, in case you do not have journal access.)
========================
The Email I sent a week ago with overview
proposal for immediate action:
A few years
ago, when I handled electric power grid research at the National Science Foundation (see http://www.werbos.com/PJW_NSF_bio_Feb2015.pdf),
Congressman Trent Franks did a beautiful job of explaining why he was so
concerned about risks of Electromagnetic Pulse (EMP) events hitting the US
power grid. If half the big transformers in the US were taken down, the damage
could be a lot greater than the mere $1-2 trillion predicted in the official
report from the National Academy of Sciences; it would be more like a return to
the Stone Age, as depicted in a novel by Gingrich on that subject. Yet in 2009,
folks at the National Defense University showed how a cyberattack could
accomplish the same thing, if it could get all the way to the software which
controls generators.
As a technical person, I am
tempted to talk at great length about the growing threats in this area, and
about how all the good, worthwhile things now in the pipeline are not yet
enough to prevent disaster. Even as we cope every day with a deluge of small,
gradual attacks, our vulnerability to one vast unexpected cyberblitzkrieg from
people like hostile state actors is growing and growing. I do hope your
contacts would be willing to discuss adding a new program, intended to be a
FIRST STEP towards a more comprehensive solution.
The key idea:
Move all critical
infrastructure ASAP to control by a new generation of operating systems, which
meet the NSA "rainbow book" standards for absolute unbreakability,
with open-source machine verification of unbreakability and privacy, EXCEPT for
a standard "wiretap observer" subroutine which would be black but
whose inputs and outputs and potential actions are visible in open source.
This would be a huge change in
today's practice. Because this is a complex issue, I would be grateful for a
chance to be available to answer questions, after I give you just a few
highlights of the long discussions behind the new proposal. One of the last things
I did at NSF before my retirement was a review of larger issues with the
Internet of Things (see attached paper), and we have had many follow-on
discussions. Here below is my crude attempt to summarize the first wave of
tradeoffs.
Electric power utilities are
already a lot more secure than financial institutions, for example, in control
of critical infrastructure like what NDU has alerted us to. They generally use
some dialect of SE-Linux for critical operations. SE Linux, guided by NSA, is
informed by the best knowledge in the "rainbow books" (like the
Multics "orange book" I learned about when developing software for
Multics in 1973-1975) about theorem-based unbreakability. But utilities are
totally dependent on vendors like AB&B who "take their time to update
compliance," and backdoors have become a growing problem in all dialects
of Linux and unix. For many years, standard practice was for the US to use a
few known backdoors to enable its crucial "wiretap" kinds of
functions, hoping that adversaries would never find the backdoors -- but a
couple of years ago we narrowly avoided a really huge crisis when a
backdoor in linux embedded control chips became known, and the time for
adversaries to discover backdoors has become shorter and shorter. It may be
that China has already long had the ability to shut the US down, and is gently
holding it in reserve for a good time, but more and more other high-capability
actors are showing up. Given how much is at stake, and where things are going,
it is time to bite the bullet and change the way we do business as soon as we
can.
Unfortunately, "as soon as
we can" is not overnight. Open source machine-verified compliance before
deployment is essential to eliminating "taking time to get to
compliance"; the technology is known (at least to NSA and a few
specialists in places like Berkeley and relevant contractors) but the wiretap
subroutine is essential in practice, and an open public demo of the technology
is needed first. Someone should fund the project to do that demo, and make it
100% global open source. And then would come the phase in of a new requirement
that a growing circle of critical infrastructures must meet the new standards,
as OS's are developed in full, open transparent compliance. Also, of course, design
of an acceptable wiretap subroutine and policy needs to go forward, in parallel
with the development of the initial demo.
There are some futurists who
argue that there should be total transparency in the future, such that all
operating systems and computer databases should have read-only access to the
entire world. At best, that is not a near-term option. But it is true that law
enforcement does have a right to investigate criminals with a warrant, and that
a new security system must not overturn that right. Policies on warrants and
wiretaps are complicated, but we cannot afford to waste time reinventing the
wheel; the job for us tech people now is to build a clean READ-ONLY interface
and make sure it goes to the right level of respectable constitutional and
international lawyers to handle what they do with their side of it. We do need
to ask for operating systems which would not be shut down de facto in a
mission-critical way by denial of service attacks based on the wiretap
subroutine; thus compliance should include verification that the outputs of
that subroutine could not have that effect.
("Quiet times" or
"quiet cores" useful in reporting may be crucial parts of design...
something like that.)
In a way, the “warrant
subroutine” suggestion preserves the kind of backdoor access which folks like
the intelligence gathering parts of NSA and FBI rely on very heavily; however,
since it is READ-ONLY, the threat of someone taking down the US power grid
would go away. The tradeoffs are similar to those of mutual nuclear
disarmament, without the worries about cheating (because each nation has an
incentive to protect itself, and its own protection depends on its deploying
better software).
Attached: www.werbos.com/IOT.htm , an earlier
vision (2014) with citation to the rainbow book story.
Thanks for your consideration!
There is a lot at stake in really getting this right, ASAP.
==========================================
===========================================
A week or two later:
There have been interesting follow-on discussions here, though I am worried that the lag between White House level initiatives on critical infrastructure protection and NSA21 may reduce the probability of "stopping the bleeding" in time and increase the probability of other types of quick action on other fronts which make it harder to get out of the hole.
On the positive side, I look forward to receiving a link from the IEEE Computational Intelligence Society to a talk I gave last week in Missouri putting the big picture together in a clear way.
https://www.youtube.com/watch?v=6q1HqRd9MnA
The security of operating systems is just one level of what we need to do, for sustainable IT and IOT. There is a communications level, and, trickiest of all, there is a need for new apps for examples like better management of power grids, financial networks and employment networks.
So -- LIKE three levels, OS, comm and apps.
Even the OS level has important complications beyond the urgent need for machine-verified "rainbow book" compliance as I propose above. The theorems which underlie the rainbow books guarantee that an OS cannot be broken UNDER certain conditions. The open source programs which validate source code as compliant are essential and urgent... but what if the actual physical hardware does not actually implement the source code? What about "hardware hacks"?
It is fortunate that hardware hacking is not so widely available yet as the software hacks which make us vulnerable right now to cyberblitzkrieg! But it is coming. There are two types I know about now.
This week, information came out about a program which can stress a chip in a way which causes a breakdown which software attacks can exploit, able to destroy even a compliant unbreakable OS!!
I am happy to hear that error correcting codes in the software, and/or new memory management
procedures, can handle that. This is a serious problem, but it seems solvable enough. Folks like electric power systems could upgrade urgently to things LIKE hard drives with ECC (though I sure hope folks like Information Assurance will be prepared to help them and guarantee quality control!),
and a "phase two" of the software compliance program could make sure that standards are upgraded to include the new memory management, as soon as possible, but not to delay the urgent phase one changes I proposed above.
That's the easy part.
But what about HARDWARE backdoors, which some of us have discussed for years?
When lots of money was being funnelled into software things, including cybersecurity, at NSF,
several of us in Engineering proposed that there also be some effort to try to cope with hardware backdoors, such as what some folks in China could do when making a chip. I am not sure how far all that got. But in fact, testing chips to find hardware backdoors may be a kind of "NP hard problem," a kind of problem which could be solved much better using Analog Quantum Computing, a line of technology discussed in our paper this year in Quantum Information Processing. (I posted a link at www.werbos.com/physics.htm.) Bottom line: this is one of several technology capabilities which
will become available only AFTER some initial experiments are performed and followed up on;
only China and Austria have the ability to do those experiments today, in part because of what folks like Lamar Smith have done to reorganize all the government agencies in their jurisdiction.
(I just hope the new NSA reorganization will not be similar in impact!) But perhaps it is just as well that
this security capability will take longer to implement, since hardware backdoors installed by the chip maker are not quite as urgent as protecting us from malicious hackers anywhere on earth.
==========================================
===========================================
The greatest threat to human life is not an external attack, but a steadily-growing stream of internal attacks on individuals. The U.S. government is a vastly greater threat to 330,000,000 Americans than the Chinese government, Russia, or ISIS will ever be. (The USA currently has 2.1 million people in its extensive federal gulag, with perhaps another 10 million on parole or probation living as "second class citizens.")
Every single U.S. citizen is spied upon, tracked, and monitored by the U.S. government. Thus far, only a few daring voices such as Robert Freitas and Max More have spoken out against this, from an extropian or "libertarian" (radical classical liberal) perspective. See: www.kurzweilai.net/what-price-freedom-2
Democide is the greatest risk to all countries on the planet, and, short of democide, "general tyranny" or "stagnation" imposed by increasing corruption of totalitarian "law"(pseudo-law) is already our greatest cost. The USA's illegitimate and unconstitutional control apparatus is a far greater threat than China, Russia, and ISIS combined. It is already the primary cause of death in the USA.
To imagine what life would be like without the unconstitutional control apparatus, one must have a proper conception of reality that includes a legitimate comprehension of economic theory. However, no matter how intelligent most scientists are in any narrow area, I've noticed that they tend to fail to apply that intelligence to "the big picture." They happily quote politicians like Newt Gingrich as if they were anything other than the dangerous, malevolent parasites that they are. (Gingrich recently suggested that nonviolent victimless drug offenders be "put to death." There is no valid "corpus delicti" in possessing, using, or selling drugs. Drugs, according to a legitimate interpretation of the common law are simply "private property." This makes Gingrich a "totalitarian" in his stated theory of the law. That he is taken seriously by anyone is demented corruption of the worst kind. Democrats like Charles Schumer and Republicans like Gingrich, Graham, and Sessions are identical in the totalitarian goal structures they advocate.)
The FDA claims the right to deny all property rights pre-emptively. The DEA, ATF, and ONDCP do the same things. To not take a stand against these murderous thugs is moral treason of the worst kind. Such moral treason implies that a democide *can* happen here.
Ross Ulbricht is a trained chemist. He's a good man. He's a "brother in science." Aaron Swartz was a good man. Schaeffer Cox and Aaron Patterson are good men. How many more good men must be sacrificed on the altar of the rising American police state, before the intellectuals of today decide they've seen enough ruin, waste, and "boots stomping on human faces"?