Currently he is CEO of Ziklag Systems, a unique mobile security company offering advanced security products for the enterprise. I had a chance to talk with him, tapping into his vast experience to sort out what the problems and approaches are in fixing cybersecurity.
You have a pretty amazing background in national security and are a pioneer in cybersecurity, including early encryption communications system called SECOM (Secure Communications) in 1988. What has changed in cybersecurity from those initial days of the Internet?
In 1988, we were just at the start of the modern Internet. No one yet had high-speed data connections; we all used modems, Bulletin Boards and simple email. In 1988, cell phones were just emerging and they were for phone calls. Likewise encryption was something used by the Pentagon and CIA for secret stuff and by banks for financial transactions. In our SECOM application, which was for secure live chat, we used Diffie Hellman public key encryption to create the session key and DES (data encryption standard, 64 bit, 56 effective) for symmetrical encryption. One important factor at that time, something that has not changed, is that the NSA did not like Americans using encryption. I think this is ultimately a self defeating approach, because our technology base, critical infrastructure, military know-how and financial services are all under severe cyber attack. Encryption would at least prevent the intruders from stealing much that was useful.
With your experience in national defense, did you expect cyber attacks to be used as nation state offensive weapons?
In the 1980s, the Pentagon began its shift to commercial off-the-shelf (COTS) systems and got away from proprietary operating systems and software, although it continued to promote some special programming languages such as Ada and tried to manufacture its own custom designed very high speed integrated circuits. Mostly those efforts failed: The economics of COTS and the need for trained software and network specialists assured the triumph of COTS. Since then we have been chasing our tails trying to fix the myriad security holes and vulnerabilities of commercial platforms.
Back then we were way ahead of the Soviet Union and China, as a cyber threat player was hardly in the picture at all. So the short answer is we were concerned about thefts of data, especially what we called “sensitive but not classified data.” (We made the assumption that classified data was encrypted, which turned out to be far from true). But we were not yet worried about cyber attacks as they have evolved, especially in the last 15 years.
You were warning to "prepare for cyber terror attacks" in the late 90s. The capability of cyber attacks on our power grid by nation states have now been confirmed at the highest levels of government. Can we stop them, and are we doing enough to defend ourselves from these attacks?
Not only that, but my Japanese colleagues were really concerned about attacks that would cripple their industry and kill their nuclear power plants. On that basis, [Japan's Ministry of International Trade and Industry, now METI, the country's Ministry of Economy, Trade and Industry] and its Cabinet Office sponsored a high level study and conference series in which I was a participant. Our conclusion was to try and protect SCADA [supervisory control and data acquisition] controllers, which we felt were the Achilles heel of Japan’s industrial base.
The Japanese government endorsed our findings, and then proceeded to do nothing to protect SCADA controlled systems. And right now we are experiencing attacks on our energy grid, manufacturing systems and financial networks. Because Siemens transferred its SCADA technology to Iran, the Iranians know exactly how to attack systems in the U.S. that use these popular controllers. So do the Russians, the Chinese and plenty of other rogue players.
We are faced with a double-edged sword when trying to protect our SCADA systems from outside threats. Our SCADA controllers are left vulnerable often with weak or even no encryption at all as our hardware and software applications run without audit. As technology has been transferred to our advisories, we also use their technologies, which can hide small bus or message actions in chip sets that can be activated on demand. Fixing these problems need to be a wake-up call for both the public and private sectors.
We have hardware and software all over the world with known vulnerabilities and new vulnerabilities found daily. How can we get beyond patching computer operating systems to actually securing our networks and information processes?
We need a U.S.-only system that we don’t sell to outsiders. It is impossible to patch existing systems with any hope of blocking cyber attacks. Today’s networks and computer operating systems are amalgams of thrown together open source programs and functions that smart kids can easily exploit. You don’t have to believe me on this -- look at the empirical evidence. Cyber threats keep growing and attacks are exponentially increasing. Worse yet, the “time to discovery” of attacks is getting longer and longer, meaning that covert operations against the critical infrastructure can be sustained for long periods, sometimes many years, without discovery. I am thinking we need to do for critical infrastructure cybersecurity technology as we did with nuclear technology back in the days of the Manhattan Project. If we are to save our economic and military cyber underbelly, we need to find the best cyber technologies and deploy them urgently. The problem today is, who do you trust to do that?
You have criticized some of the largest software and cloud providers in the world and warned of even putting their products in sensitive enterprise environments due to their security vulnerabilities. What responsibility does the private sector have in offering secured products and services?
There is a legal concept called “duty of care.” Duty of Care means that an enterprise must take certain steps to protect its customers, its shareholders and its employees. If I invest in Enterprise X and their secret sauce is stolen by a Chinese competitor forcing Enterprise X out of business, then my investment has gone down the drain. If Enterprise X did not have reasonable security protection for its vital information, I can file suit against them for failing to exercise Duty of Care. By the way, this is almost exactly what happened in the solar cell industry. One of the biggest investors was the U.S. government. The Chinese ate our lunch by grabbing away American technology possibly through cyber espionage and then selling products to the U.S. at cut throat prices.
Government organizations such as the National Institute of Standards and Technology (NIST) are collaborating with the private sector in establishing a cybersecurity framework. The technology standards take years to develop while hackers come up with new cyber security exploits almost daily. Is there another way?
Generally speaking I am distrustful of anything the government does, even NIST, because they have sticky hands and bugger things up in more ways than one. NIST, for example, put a back door in elliptical encryption, something inexcusable. So why should anyone trust them? The recent Snowden disclosures basically gave a road map to this type of behavior and, frankly, some of the largest U.S. information technology and cloud services providers are taking large financial hits due to their association with these government groups. We are additionally faced with a lack of trust in foreign hardware manufacturers because bugged devices such as memory sticks and smartphones have been showing up. There is no trust now, and we need a way to rebuild that trust.
I would prefer an independent group of experts that includes policy specialists who can be funded to develop a relatively independent American solution, which means a new U.S.-only operating system for computers, servers and networks, and encrypted SCADA controllers. One of the complicating factors is our reliance on China and other Asian countries for hardware, so any design has to be inherently capable of fending off back doors, malware, Trojans and anything else inserted into the hardware we use. Frankly, maybe it is time to restart domestic manufacturing of computers and computer hardware.
We lost our privacy years ago with RFID cell phones. Now we are adding IoT devices to our homes and even using them as wearables gathering information from where we are to what we ate today. Where do you see the privacy vs, security balance going in the future?
There is no more privacy as a matter of fact. So long as corporations benefit from monetizing personal information, there is no hope to reclaim what we traditionally thought of as private or personal. The sad fact is most people are complicit, using social media which exposes them, their families and friends to a variety of threats. But even Web-based emails are high risk. I don’t see any practical way to walk this back. Anyone promising you privacy on the Internet is a soothsayer.
Are there lessons learned from other countries that could help us be more proactive than reactive in securing important computer operating systems such as critical infrastructure?
Maybe from China because China is now starting to replace commercial operating systems for their networks with a home grown version. I have no idea whether it really is any good, and we will probably never know. And because China is both a dictatorship and a deeply corrupt country, maybe we don’t want to know. Perhaps the most innovative country on critical infrastructure protection is Israel and some Israeli companies, such as Waterfall Security Solutions, have had some success on protecting power plants and refineries.
The head of the National Security Agency (NSA) and U.S. Cyber Command recently told a congressional panel that China and “one or two” other countries have the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure, and the director of the Defense Advanced Research Projects Agency (DARPA) is calling for change, stating that attacks are happening in microseconds, so today all we can do is patch and pray, and keep throwing human beings at the problem. We are looking for a fundamentally different way to get faster than the pace of the growth of the threat. How do we move beyond these warnings to true cybersecurity solutions?
My idea is a Manhattan Project Plan to invent new computer operating systems and hardware, U.S. only, to protect the critical infrastructure. Investing $4 billion or $5 billion in such an effort is a drop in the bucket when weighed against the destruction a critical infrastructure failure could cause. The Manhattan Project Plan for cyber should not be run by government agencies, rather government agencies should be offered oversight. Government bureaucracies are just windows of opportunity for hackers that can react daily.
We need an independent group of the best cyber experts, cryptographers, software designers, hardware engineers, communications specialists and policy experts to design and execute a solution, and do so in secret and under the highest priority. I would not hesitate to use the best corporate skills we can get, but experts drawn from industry need to be seconded to the program and the industry-drafted folks have to sign onto the security requirements. The plan should be managed by an independent research and development organization with an American Board of Directors. The plan will need strong White House and Congressional support, which must come on a non-partisan basis. I think that can be achieved.
Larry Karisny is the director of ProjectSafety, a cybersecurity and digital forensics expert, advisor, writer and industry speaker focusing on information processing security and intelligence.
