Cyber Hammering Requires Cyber Defense

05/18/2017

2017-05-15 The President has recently signed a new executive order on cyber security.

According to an article by Brooke Singman published by Fox News on May 11, 2017:

President Trump took aim at the federal government’s vulnerability to computer hacking Thursday, signing an executive order that mandates a top-down review of cybersecurity and holds agencies accountable for safeguarding digital information.

The executive order states that it will “hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises.” White House Homeland Security Adviser Tom Bossert, speaking at the White House press briefing, said the White House took the action because online vulnerabilities at the agency level can put the nation at risk.

“The United States invented the Internet and we need to better use it,” Bossert said. “There will always be risk and we need to address that risk.”

The order seeks to improve the network securities of U.S. government agencies and protect critical infrastructure, like the energy grid and financial sector, from attacks that lawmakers and officials have warned could pose a major national security threat. It follows a turbulent election year in which Russia and other entities were accused of meddling in the U.S. election.

While an executive order is welcome, getting on with the solution is slow in coming.

And Secretary Wynne has hammered home the point that no amount of software fixes are going to solve the cyber security problem.

He pointed to recent extortion efforts as an illustration of the wild west future of the cyber war.

“This is just the beginning of extreme lawlessness, with the introduction of anonymous currency, and as smart as our Cyber industry is, they have not corrected or even definitively identified the root cause for cyber hacking.

“There is a wonderful Russian joke that starts with a Village Pastor offering advice to a chicken farmer to restore health to his flock.

“After several sessions, all the chickens are dead.

“When told, the advisor Pastor says, too bad, I had many more solutions to offer.”

What Wynne has in mind is the recent cyberxtortion attack in Europe.

A global cyberattack, unprecedented in scale, had technicians scrambling to restore Britain’s crippled hospital network Saturday and secure the computers that run factories, banks, government agencies and transport systems in many other nations.

The worldwide cyberextortion attack is so unprecedented, in fact, that Microsoft quickly changed its policy, announcing security fixes available for free for the older Windows systems still used by millions of individuals and smaller businesses.

 After an emergency government meeting Saturday in London, Britain’s home secretary said one in five of 248 National Health Service groups had been hit. The onslaught forced hospitals to cancel or delay treatments for thousands of patients, even some with serious aliments like cancer.

Home Secretary Amber Rudd said 48 NHS trusts were affected and all but six were now back to normal. The U.K.’s National Cyber Security Center said it is “working round the clock” to restore vital health services.

Security officials in Britain urged organizations to protect themselves by updating their security software fixes, running anti-virus software and backing up data elsewhere.

Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

And all this may be just a taste of what’s coming, a cyber security expert warned.

No executive order is going to wave a magic wand and eliminate this particular problem.

Only a fundamental change will do that.

And we are republishing an earlier piece by Secretary Wynne that would suggest to President Trump that there is an alternative to simply writing another executive order.

2016-11-20 By Michael W. Wynne, 21st Secretary of the Air Force

Summary:

Academics have known since 1934 that Turing computers were and remain inherently vulnerable to hacking as Godel and Keene Mathematically proved, and confidently expressed that proof in the years following.

The times were different; and computers were just aborning, and abandoning a rule of circuit design to firmly comprehend the relationship of every input to every output seemed acceptable when operating in isolation.

As society wallows in the deceit that a software patch can save the Turing Computing Machines that underlay the present Internet, we find even senior security officials such as the Chair and Co-Chair of the Intelligence Committee espousing the thought that protection is simply unavailable.

This is not fact based, but has grown to be the popular myth.

Returning to complex circuit design to mimic the intended digital circuit can and should underpin the ‘Designed in Security’ our society seeks, a proper defense.

Background:

The Internet was developed many years after the underlying flaw of the Turing Computing Machine was both invented and reviled during the 1930’s.

Turing is celebrated for his major contribution of code breaking, and as well the breakthrough in speed, using the phraseology in his topology of ‘this sentence is false’ leading to an acceptance of intent over precision in his computational mathematics.

Later as other mathematicians examined his processes, the fact of the endless recursive nature of the process allowed others to implant errors in this process, which essentially derailed the machine output. This has leading partially to the phrase “Garbage in Garbage out” as students who followed Turing grappled with the flaw.

My first encounter with computational mathematics was in an analog laboratory in junior high school where we were asked by the instructor to construct a difficult equation using classic ‘AND’ and ‘NAND’ logic based systems.

Looking back on that equation, there is no way to alter the setup without invading the circuit design. As well a bad answer would lead immediately to first a low grade, and second to a re-examination of the circuit for correction.

Thus every output had a known input.

Later, as a part of the autopilot design for the AC-130 gunship, which I and fellow Air Force Academy Instructors had compiled into an on board computer, testing at the Air Force Flight Dynamics Laboratory revealed a terrible anomaly was occurring.

Reflecting that they were in the analog world, and tested analog flight control systems, they took many hours of data illustrating a random control output that flapped the flaps, misguided the rudder, and generally was a disaster waiting to happen. With this information, from the digital perspective we were able to immediately discern that a flaw had been introduced into the program, and found a pointer looking at a random number generator, instead of the control table that we had carefully constructed. Thus, the anomaly was discoverd.

Looking back, there was a lesson, and that was that we had non-maliciously introduced this flaw in the digital domain, and it was detected by the rigor from the analog domain.

Thorough testing using solid circuit design requirements was the key to dealing with the anaomaly.

A shift from software patches to analog circuit design provides a way ahead. Source: Getty Images
A shift from software patches to analog circuit design provides a way ahead. Source: Getty Images

Later still, my daughter was typing away in the college library, when an old fashioned image of a bomb appeared, counted down, and destroyed all of her unsaved work. This prank was a precursor to the current malicious code that can be introduced from distant locations, though it was local at the time.

As this was not the intent of the university Computer Center, it was an indicator that symptoms of our current problems were evident before the Internet was expanded to a universal norm.

Naturally, a software fix, searching for this particular ‘bug’, was introduced. This was also a precursor to our current fixation to software patches that even come to my home computer (windows based) many times a month.

Years later, as the then National Security Advisor, Condoleezza Rice, advised that the Internet was becoming the wild west; and images from the other side of our placid computer screen were shown to be violent, society began to realize we had a problem.

When I became Secretary of the Air Force, I introduced Cyber into the mission of the Air Force to mobilize for the defense of this new domain; where rested much of our Command and Control.

When the Air Force recruiting headlines for Cyber professionals began to emerge, the Air Force was excoriated by the legislature for being overzealous, and mis-judging the problem with the Internet.

All have since been validated; but the problem of defending the domain remains.

It is time for a serious conversation and shaping a new approach, notably because the President-elect has set a key goal as shaping new civilian infrastructure and strengthening the US military.

Current Situation:

It is often said that doing the same thing, but expecting a different answer to emerge is a sign of insanity, though we are all guilty of this flawed thinking.

Putting a software patch on top of a flawed hardware system to counter punch an invader may be fulfilling, but it is been proven over and over to be fruitless.

None-the-less, as an Eighteen billion dollar industry, not unfulfilling. Even now the National Institute of Standards has essentially declared out loud the futility of the many solutions it has encountered, citing the patience of the Advanced Persistent Threat in many papers. It as well stipulates that many penetrants never realize for many months or years that a penetration has occurred, until it becomes advantageous for the agent to disclose the information, or a separate patch unwittingly discovers the loss of data.

Many times the victim has no idea there was an issue. Corporate Boards are leery of liability, and thus in denial; or becoming part of the herd of software patch payers.

But society is slowly becoming aware that this is a scam, that they are riding an unending strife curve; and the alarms are beginning to sound as if the end of life as we know it is nigh again.

It is seeping into engineering and into design that those that have stayed with Analog are immune to this Internet, distant and malicious, threat. Whether aircraft safety systems, or in some of the most carefully protected areas; suddenly what is old is new again.

I would like to beat the drum for a ‘blast from the past’ and celebrate the re-emergence of computational analog circuit design.

As well; I would raise a ceremonial toast to a systems engineering rule for thoroughly understanding every input and output response before the system goes on line.

This is a marked departure than ‘crowd sourcing’ corrections to flawed software, which by its very nature invites malicious activity, while waving the flag of cooperation and collaboration.

When it comes to National Security; or to Public Infrastructure, this is flawed policy and needs to change dramatically.

Even the Internet of Things (IoT), now popular, requires re-evaluation when public safety in the form of vehicle control, or Grid, or Pipe, or Dam, is at risk.

Forward Look:

I recently gave a presentation in China at a University there, citing the Systems Engineering principles, and identifying the fatal flaw which has been like a virus that has never been extinguished, but instead tolerated for its good parts; but is now becoming a civil defense issue that should be addressed.

I would say for our National purposes, it is time that we followed some prescriptive advice and agree upon a path that will settle down the current rhetoric; and may create a level playing field, where Intellectual Property can easily be protected if desired; and our National Interests can be logically addressed.

For sure, the cited eighteen billion dollar industry is not going away; but can slowly morph into creating useful paths to a safer Internet.

Society is ready; and now the professionals have to decide on priorities, and action.

I would suggest that we should prioritize the goal that USG Web sites immediately be protected using frozen (e.g.; non reprogrammable) complex analog circuitry mimicking and replacing currently installed internet appliances.

Further; that Infrastructure Owners be tasked to put in place protected SCADA Systems, under the watchful eye of the Department of Homeland Security, which again are frozen analog complex circuitry, again mimicking and replacing the currently installed Internet appliance.

Internet Service Providers, router designers, and server designers can provide needed support to the agencies and public corporations to alter our present course, and they should be doing it.

I would further implore Financial Institutions and Corporations to recognize that this must be done to protect themselves, and their customers from the current economic losses.

Why Insurance Companies are not demanding change is a mystery?

Society is not stuck, but thought leaders are, time for a change.

It is Time for Analog as the solution set to deal with the vulnerability challenges associated with software.

This is not only possible, but has been available for a few years–the path is novel, but not unknown.

Vulnerability on the Internet is actually a choice, not a given outcome.

 Let’s get on with it!

Editor’s Note: In the following article, published earlier this year by David Sax in Bloomberg Business Week, the author suggested that in the Age of Cybercrime, The Best Insurance May be Analog.

http://www.bloomberg.com/news/articles/2016-03-10/cybersecurity-the-best-insurance-may-be-analog

The article is an interesting companion piece to Secretary Wynne’s very clear call for a new way ahead to deal with a strategic vulnerability affecting civil and military defense systems.

Last September, Darpa launched the $36 million Leveraging the Analog Domain for Security (LADS) program, which is attempting to create a set of electronic ears that can detect malicious activity by monitoring the unintentional analog emissions of digital hardware, such as heat, sound, and changed frequencies.

“The advantage of an analog approach is that there’s no way for the malware to directly reach through air and affect the monitoring device,” says Angelos Keromytis, who runs the program.

If you wish to comment on this article you can do so on the Second Line of Defense Forum.

http://www.sldforum.com/2016/11/new-approach-cyber-defense-analog-option/