BreachExchange mailing list archives

Losing the Cyber War: How to Get Out of the Box and Win


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Sep 2014 19:47:45 -0600

https://smallbusiness.yahoo.com/advisor/losing-cyber-war-box-win-230004401.html

The United States is losing the cyber war. Despite hugely increased
expenditures on cyber security, every day the situation worsens and we
continue to fall behind. As I write there is no government or military
website that has not been hacked and vital information stolen. It is not
just the government – banks, health care systems, financial transactions,
credit card data, identity theft, social security numbers, legal briefs,
strategy documents, corporate secrets, intellectual property – the list is
nearly endless.

When you are in a war you look for metrics to understand just how well you
are doing and what the conflict outcome will be. An Army general surveys
the battlefield, estimates his resources, evaluates his technology, and
decides on his strategy. If the general believes he will lose the war, he
tells his political leaders and waits for guidance.

There are four possible outcomes in a war: fight to win; fight to a
stalemate of some kind; negotiate with the enemy; surrender.

Looking at the current state of affairs in the ongoing cyber war, we can
reach some conclusions.

Firstly, right now we cannot fight to win because we do not have either the
troops or the technology to win. No one has figured out a satisfactory
offensive strategy other than to convert cyber war into a traditional war.
This is impractical and no one is really willing to go down this path
(other than to threaten some sort of offensive cyber warfare).

Secondly, there is no stalemate in cyber warfare available to the United
States. One of the most serious potential threats, China, is too important
economically and politically to be seriously challenged. Beyond China there
are plenty of other cyber war makers, as in Russia, Iran, Syria and even
hackers embedded in countries around the world. While the US and some of
our friends have tried to prosecute some hackers, the triumphs are few and
far between. None of the threats are under sufficient pressure to stop
hacking; in fact they are more emboldened than ever.

Thirdly, there is no one to negotiate with today. Attempts have been made
to talk to the Chinese; they deny everything and blame the US for spying on
them.

This leaves the surrender option, but unlike territorial war, there is no
one to surrender to so we face the prospect of going on losing. Our
critical infrastructure is exposed, our government is losing control of its
systems, and our military is watching as its command and control and its
vital technology spills out through the back end of its networked systems
or through its industrial partners.

Throwing more money at “the problem” is not a panacea. Our government,
military, and critical infrastructure cannot continue running around like
chickens with their heads cut off. That is the sum of what is happening
today.

The entire infrastructure of information technology is based on mostly an
open architecture approach to computer systems and network infrastructure.
That is conducive to a fairly rapid spiral development of new commercial
technology. Unfortunately, the commercial approach downside is that
security plays second or third fiddle to the push for bagging commercial
dollars from investors and customers alike.

It is very well known that spending money on security does not “produce”
anything, so putting money and resources into security systems is resented
by investors and corporations, even by individual users who often chafe
under security restrictions and operational limitations.

The commercial computer space is heavily tilted toward entertainment and
not to business or industry. Nowhere has the entertainment element enjoyed
more success than in mobile devices such as smartphones and tablets; for
the most part there is not even a pretense of security in these systems.

We have to recognize that the entertainment function of computer systems
and networks, mobile and fixed, is a fact of life. Where we go wrong is to
use the same operating systems and network support for entertainment as we
do for government, business, and the military. Adding to that, the same
underbelly developmental system, a global collection of non-vetted persons
and risky manufacturing locations, adds to the conundrum.

A great indicator of the collective mindset today is shifting everything
over to so-called cloud systems, even where we don’t have the slightest
idea of how these clouds are managed or how easily they can be compromised.
The Pentagon, which obviously knows better, is today endorsing cloud
systems that are a big risk, just as they are supporting mobile platforms
that have been hacked to death.

It is time to break free from the open source globalized approach when it
comes to government, military and critical infrastructure mobile and fixed
computers and networks. Wasting billions on hopeless security
“solutions” while we continue to fall behind in the cyber war battle is
senseless, wasteful, frustrating and demonstrates bad leadership and
hopeless management. Let’s stop.

What we need is an American secure operating system and an American secure
network environment built in a trusted environment by reliable people in
safe manufacturing locations. Not in China. Not offshore. Here.

The talent to do this surely exists, it is just being wasted today on
“other” projects.

A Strategic Plan would look like this:

1. Replace all critical infrastructure operating systems and networks with
a US developed secure operating system in three to five years.

2. Assure that connectivity outside of the secure environment is carried
out separately from vital secure computing.

3. Impose the massive use of encryption and truly protected authentication
on the new secure operating system.

4. Make sure all OS and Secure Network users are properly cleared and
vetted.

5. Put in place a compartmentalization system based on need to know and
create a series of decentralized and regulated security centers to make
sure the thresholds on need to know and a permission based environment are
carefully maintained.

6. Do not use any equipment made outside the United States in the critical
infrastructure.

7. Create a T&E center to check all hardware, firmware, software with
independent auditors and engineers.

8. Create a Red Team to constantly try and break the system, point out
vulnerabilities, and fix them immediately. The Red Team should be large and
heavily incentivized to find problems.

9. Never, ever, share the US system with anyone outside the US. Make sure
that the technology is controlled fully by the US government. And design
the system so that if a piece is lost, it can be deactivated remotely and
never be useful to an adversary or enemy.

10. Make sure the intellectual property, the technology developers, the Red
Teams, and the system of compartmentalization are secret.

Clearly we cannot continue to run our country when there is global
knowledge parity of computer systems, hardware and software we use and
where most of our critical products are produced outside the US, especially
in China. Nor can we sit around and wait for the inevitable collapse of our
military command and control, electrical grid, transportation network,
banking services or our health care system.

The above proposal sets a direction for a solution. We can win the cyber
war.