by Stephen Bryen
founder and former head of the Defense Technology Security Administration
I have been writing about cyber security for many years. I believe I have some credibility in this field. I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense. I also started and ran two cyber security companies, one in the 1990s called SECOM, which was the world’s first secure chat program, and currently Ziklag Systems, which markets secure mobile smartphones. Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America. My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks. And I have found it shocking that no one seems to know what to do about the menace.
Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.
Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks. Nothing is safe. Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.
The reason for that is easy to see. All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world. Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart. It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.
Add to this tremendous weakness the problem of SCADA systems. SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems. There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide. Once again, both the hardware and software for SCADA is accessible to foreign regimes and terrorists as well as other rogue actors. It is the SCADA that was the center of the attack on Iran’s uranium enrichment centrifuges where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb. What was done with the Stuxnet worm to damage Iran’s nuclear program likewise can happen to us.
Patching computer operating systems and fixing SCADA software won’t work. This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems. If patches worked, they would save us from attack. But the plain fact is that they may help a little but not enough to stop a determined and resourceful adversary.
China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems they won’t share with us. We should take a clue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.
Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems. It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.
Above all we need a policy based on “win-win,” not on hopes and fictions that we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.
Bill Gertz, one of the leading national security reporters in the United States, broke the story that the Obamacare web software was developed in part in Belarus. Belarus became an independent country in 1991. While on paper the country is supposedly democratic, in fact it operates as a kind of dictatorship where the military, police, government and media are controlled. The OECD calls the country “un-free.” The U.S. relationship to Belarus is somewhat strained, but Belarus has been a way-point for supplies to the ISAF in Afghanistan.
Gertz raised the issue of possible backdoors planted in the software for the Obamacare system. A backdoor would make it possible for personal information stored on an Obamacare site to be secretly collected by an intruder or hacker. No one has yet determined whether the software provided has been corrupted, but as Gertz reported, U.S. intelligence agencies warned DHS of the potential risk and news reports say that DHS is investigating the HealthCare.gov web software. In addition to the government web site, the same software is also being used by all American medical insurance companies and most medical facilities in the U.S.
There have been numerous reports and complaints that the Obamacare websites lacked security. The lack of security is a major design flaw. On top of the design problem, the system has been plagued with technical problems. Sloppily made software can account for many errors, but clumsy backdoors inserted into otherwise operable software can also cause multiple points of failure when the system operates.
Why would software development be outsourced to a foreign country? The reason is cost. Belarus is a low cost provider of software services, with prices that are far below costs in the United States.
The U.S. government when it writes a contract agrees in advance to how services are priced. Usually the standard is provided by the GSA.
Below you will find a comparison of costs for software programming in Belarus and U.S. GSA pricing:
Average software development rates for Belarus in 2010 were:
GSA Hourly Rates

| Role | GSA Hourly Rate |
|---|---|
| Applications Software Subject Matter Expert | $141.41 |
| Business Systems Analyst | $65.66 |
| Database Admin (DBA) | $80.81 |
| Desktop Support Engineer | $50.51 |
| ERP Software Subject Matter Expert | $237.37 |
| Help Desk Support | $38.38 |
| Junior SQA Engineer / Software Quality Assurance | $39.39 |
| Principal Software Engineer | $116.16 |
| Senior Business Systems Analyst | $110.10 |
| Senior Database Admin (DBA) | $126.26 |
| Senior Network Engineer | $101.01 |
| Senior Project Manager | $116.16 |
| Senior Software Engineer | $85.86 |
| Senior SQA Engineer | $70.71 |
Clearly there is a huge difference between U.S. prices and those in Belarus.
The Obamacare website, developed by the company CGI, cost $630 million. This is a staggering price, and could be one of the largest expenditures ever for any health insurance system.
The CGI contract was a sole source contract. After much controversy, CGI was fired and another contractor, Accenture, was hired for one year at $91 million. In all these contracts there was no competition and little or no visibility on the contract parameters. Thus, for example, we don’t know if the contract permitted subcontracting outside of the United States, and, if foreign contracting was allowed, we don’t know whether the contractor was still able to charge DHS at GSA rate levels.
One would think that the Justice Department, as well as the DHS Inspector General, should be examining the CGI contract and considering how charges were made for contract performance.
Don’t hold your breath on any investigation, though. There is no sunshine in Obamacare.
Samsung is offering a special version of its Samsung IV Galaxy smartphone called Knox. Knox is targeted on the high end financial, business and government communities. Does Knox solve the problem of smartphone insecurity and significantly reduce risk for its users?
What is Knox: Knox is a partitioned mobile platform running two operating systems, one for personal use and one for enterprise use, the enterprise (private) side being within a “container.”
There are other Knox-like partitioned mobile platforms either in the market or entering the market coming from other vendors such as LG, Blackberry, etc. None of them have been around long enough to know how well they are engineered in relationship to multiple Android vulnerabilities and OS/Kernel weaknesses.
The Knox container has its own separate home screen, launcher, applications and widgets. All the data and applications stored in the container are said to be isolated. It is claimed that no application or process inside the container can interact or communicate with any process outside of it and vice-versa.
All files within the container are encrypted using the Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key.
Knox features are (1) Customizable Secure Boot, (2) TrustZone-based Integrity Measurement Architecture (TIMA), and (3) Security Enhancements for Android. Secure boot, the company claims, is the Knox-enabled device’s first line of defense, ensuring that only verified and authorized software can run on the device at bootup. TIMA monitors the kernel.
Knox depends on the user to carefully delineate use between partitions. Knox does not protect the public partition. Knox runs an APP store for the private side that provides safe APPS for Knox.
Problems with Knox
In the past two months there have been reports of vulnerabilities and flaws in the Knox system.
The latest report comes from the Ben Gurion University Cyber Security Laboratory in Israel. There two researchers Mordechai Guri and Dudu Mimran (the Security Laboratory Chief Technical Officer) claim that a hacker can easily intercept any data on the secure side of the Knox platform. The researchers also believe that professional hackers could actually modify the Knox platform, effectively compromising it by planting malware or spyware on the platform. In response a Samsung spokesperson said “Rest assured the core Knox architecture cannot be compromised or infiltrated by such malware.”
Until now, no one has explained how spyware, planted on the public side of the Knox platform, won’t seriously compromise the Knox user.
Researchers should look into two security problems that arise in a dual platform device.
The first problem is what happens if spyware is planted on the public side of the smartphone. This is the “open” platform that is generally unprotected. Spyware, or what is called a spy phone, can intercept literally any conversation and any transaction (email, text, video, photo) on the public side of the smartphone. Professional spy phones can activate a phone’s microphones and cameras without the knowledge of the user and even if the phone is switched off. Since among the data normally targeted by spy phones are calendars, the intruder knows when to activate the spy phone. When the intruder does this, either he can immediately stream the information secretly back to his web address, or alternatively he can store it in a hidden folder and stream it back later. In short, the user remains entirely vulnerable on the public side to spy phones and other malware.
The second problem revolves around the question of the use of hardware on Knox. A smartphone consists of numerous sensors and transmitting systems including cameras, microphones, Bluetooth, WIFI, voice and data radios, etc. When a Knox user is booted up on the private side of the phone, are the sensors and radios fully and securely controlled by the Knox platform? If not, then a spy phone or other malware on the public side can take information from these same sensors being used on the private side of the platform. This would facilitate spying on the private side as well as on the public side of the platform.
APPS for the private side of the Knox platform are controlled through a store run by Samsung. Experience with attempts to block malware on Android platforms by auditing APPS in places such as the Google store has been less than successful. One anti-virus company reported this past summer that some 1,200 APPS on the Google store over a 7-month period were malware. And these are the easy ones to detect. Really sophisticated malware is often embedded in legitimate programs. Because of the plethora of APPS available today, and the diversity of sources (APP production is truly a global enterprise), finding the “bad” ones is a challenge. If we learned anything from anti-virus software, the “bad” stuff is usually found after many computers are already infected. When you think of the small universe of enterprise and government users of a product like Samsung’s, the risk is exponential if a “bad” APP or “bad” modified APP infects the smartphone.
No one really knows if Samsung will be any more successful than Google in protecting APPS, yet this protection is critical under the Knox scheme. If history shows us anything, one should not be optimistic or confident in the result.
The Knox system offers an effort at a serious security system for an Android platform. Other companies, such as LG and Blackberry, are working on the same thing. While the jury is still out on Knox, there is no doubt there are many problems. It is unlikely either the U.S. government or enterprise customers will, as Samsung says, “rest assured” that Knox is safe.
by Stephen Bryen
[The views are solely those of the author.]
No matter what President Obama and China’s President Xi Jinping agree this week, China will not stop cyber espionage.
China may decide, as a result of the upcoming summit meeting, to crack down on hackers who operate independently, or who moonlight for profit in the hours they are not working for either China’s government or China’s military. That will be a bone to try and lower the tension that has been building between China and the U.S. on the issue of cyber theft. But it won’t really make a big difference.
There are, roughly speaking, five kinds of cyber crime.
The first is based on vicarious hacking by groups of computer geeks who want to show off their prowess and gain bragging rights for successfully attacking important institutions and organizations. The “thrill” involved is to show how smart they are, how brilliantly they can defeat the CIA or the Pentagon.
The second group grows out of the first, but it has become ideological. Ideological hacking is hacking for a political purpose. Many of the ideological hackers are really anarchists in modern dress. This kind of hacking has been growing and is illustrated by phenomena such as Wikileaks and its leader Julian Assange, currently holed up in the Ecuadorian Embassy in London while wanted by Sweden, where he has been charged with rape.
The third type of hacking is “For Profit.” Information is stolen, bank accounts and money machines are pilfered, sometimes blackmail is used. For Profit hacking is not always separable from ideological hacking or from vicarious hacking.
Fourth is cyber crime against individuals and political groups carried out by governments. Sometimes this is pursuant to law and follows a legal process, but not always (even in the U.S. where phones can be tapped and computers can be invaded without a warrant or clearance by a court).
Fifth is cyber crime for national security reasons. This is a specialty of China. Recent information says that China is annually stealing $300 billion worth of national security information, much of which is weapons designs.
Why? There are essentially three reasons why China is doing this.
The first is that stealing the information is easy to do. There are hardly any credible barriers to scooping up defense information, government data, and the proprietary information of private companies.
The second reason is that there are not any consequences. This is crime without punishment. And because China owns a large part of the U.S. Treasury, the enthusiasm by U.S. government leaders to crack down is tempered by concern that our own economy would unravel if we push too hard. On top of that, a lot of our top industry people are making money on China.
And the third reason is that China cannot be a superpower without U.S. technology. There is very little innovation in China, despite large investments, the presence of foreign companies, a strong electronics industry, and a huge number of Chinese nationals educated abroad (subsidizing plenty of American graduate schools of engineering, science and cyber studies).
Taken together, this puts the U.S. in a bind. Lacking a credible strategy to confront the losses, the U.S. defense posture is at risk thanks to the China thieves. And more and more companies will also feel the heat as China’s clones of their products swamp the U.S. market.
Meanwhile, one thing Xi Jinping will not do is allow China to be anything less than a superpower, so he must continue robbing the U.S. blind. And he will.