EDITOR'S NOTE: Every day carries new stories of hackers and the damage they are doing to American businesses and government."Pentagon Moving to Stem Hacker Attacks," the Associated Press reports. Our country's defenses, power grid and business operations--and individuals--are at risk. It is not an over-statement to say that our country as a whole is at risk.
Yet there is no sign yet of effective defenses.
Two crucial ingredients are missing in news stories and articles on the subject: 1) Hardly anyone knows enough about the problem to explain it in technically correct terms that also are comprehensible to the average informed citizen. 2) Virtually no articles until now have explained what needs to be done to fix the problem(s). Domestically, a few very annoying crackpots in garages get arrested. But the serious problems come from overseas. Mostly the Government talks darkly of retaliations and remonstrations, whether the putative villain is in China or Iran. Businesses, perhaps fearing lawsuits and hoping to escape the hackers' attention, meanwhile, keep mum.
What the public has not had, therefore, is an explanation of what can be done on a large scale and why what we are doing now does not work.
George Gilder, Senior Fellow of Discovery Institute and author of several books on technology and public policy (Microcosm,Life After Television, Telecosm, The Israel Test, etc.), is an investor in one of a large group of companies that have collaborated in dealing with cyber-security. He joined Wave Systems' board of directors in the '90s and has tended to keep his analyses private since then. He thus saw the magnitude of security danger early on, but having a stake in one of the companies involved long caused him to demur from writing about the problem as a whole. -- Editor
The Scandal of Computer Security
By George Gilder
The U.S. has become a digital civilization--a complex and precious application on a planetary computer platform. Our industry, defense, medical care, entertainment, and communications, all largely rely on information technology.
In recent months, it has become increasingly evident that this digital civilization is under attack and that its protective strategies are failing.
Everywhere in the news are accounts of computer security hacks. Targets range from The New York Times hit with 45 pieces of undetected malware in three months and the Financial Times with a corrupted email system, to the Pentagon, which endures nearly constant invasions of its sensitive computer assets, from Alexandria to Afghanistan. Perhaps the most depressing development of last year was December's disclosure that a U.S. spy drone may well have been lost because Iranian hackers spoofed its software--the device believed it was returning to home base while it was actually crashing in Iran. Last week the Wall Street Journal reported that Iranian hackers have gained access to control system software of the national power grid and energy pipelines. Steven Sprague, CEO of computer security vendor Wave Systems, commented ascerbicly: "Experts have disagreed for years whether a cyber 'Pearl Harbor' is possible...We apparently got our answers: Yes, but next time, our planes--not our enemies'--may release the bombs" presumbably under the guidance of enemy software.
Both quantitative and qualitative measures gauge an ever-increasing threat. A nine-year study by Verizon, published last month, tallied 2500 major security breaches comprising 1.2 billion personal records, with 2012 the worst year yet. Lost every few days is a laptop computer containing credit card numbers, pin codes, passwords, medical data--or military secrets. Days after Verizon published its nine-year study, came the news that hackers had stolen 50 million customer accounts from the website Living Social. Gone last week in a whirlwind, world-wide coordinated coup, was $45 million from ATM machines, withdrawn using hacked debit-card accounts.
Not every hack comes to light right away. The sensational breach of TJMaxx, Target, and Barnes & Noble (along with at least eight other large stores) took years before it was exposed. When Secret Service finally caught the ringleader in 2008, they found a familiar face--one of their own long-time informants. A year later, some of the unincarcerated hackers gained entrance to Heartland corporation check-payment systems in charge of fulfillment for several major credit card issuers.
Last year's Stuxnet attack on Iran by U.S. and Israeli intelligence brought down much of Iran's nuclear program. But the U.S. is far more dependent on computer technology than is Iran, and more vulnerable. Analysis showed that Stuxnet had altered the Iranian computers' Basic Input/Output Systems--the computer instructions that boot up the computer when it is turned on. Because Stuxnet strikes the BIOS, below the level of the operating system software, the maneuver renders the attack invisible to all subsequent software queries. It also renders the software security techniques currently prevalent in the U.S. obsolete. Similar sub-operating-system-level hacks against the United States could bring down our power grid, boggle our networks, paralyze our factories, baffle our defenses and botch our financial system.
According to the Pentagon, Chinese and Russian hackers seeking trade secrets and military technology have gained access to the very industrial base on which U.S. diplomacy and defense rests. The National Security Agency's General Keith Alexander calls the loss of American intellectual property in cyber-attacks "the greatest transfer of wealth in history." Such hyperbole bespeaks a widespread feeling of futility and desperation among Americans responsible for protecting our increasingly fragile digital civilization. Most attacks do not come from China. The invasion of the Financial Times originated in Syria, of all places.
All this is happening while the nation spends close to $50 billion on "computer security," and computer users fumble daily for passwords, usernames, PINs, and reset buttons, while repeatingly proffering up their mothers' maiden names. The DoD alone commands 65 thousand IT professionals with a budget of $12.5 billion. Most of it is spent on the same feckless post-hack software security systems that have failed to halt the continuing inundation.
Meanwhile, battening rich is a panoply of computer security companies--from Intel subsidiary McAfee, bought for $7.8 billion, and PC security giant Symantec, with its $17 billion market cap, to the venerable RSA, bought by EMC for $2.1 billion. But even these experts are not exempt. The security giant Symantec, whose software identified just one of the 45 New York Times attacks, suffered a raid on its own Norton Utility source code assets. Its major rival McAfee, now part of chip giant Intel, inadvertently launched a devastating attack of its own, depriving millions of its customers of network access. Led by Checkpoint of Israel, many companies supply firewalls that supposedly protect corporate assets from outside assault.
But none of this really works. Most of the computers long ago left the corporate walls and the corporate network for the Internet and the "Cloud." Firewalls function to regulate access to company networks but they utterly fail to protect them from the actions of insiders or from the missteps of travelling employees who bear smartphones more powerful than the supercomputers of yore (1999).
As Symantec CEO Steve Bennet confessed in January, "Our system is just broken." The Internet publication Expert Reviews declared about McAfee's offerings: "An easy-to-use web interface fails to make up for shockingly poor defense against malware." CNET Magazine confirms: "The combined performance marks [for anti-virus software] are a horror show."
This pattern of ever-increasing expenditures with ever- deteriorating results bespeaks a failed technological paradigm and calls for a new approach to the problem. Fortunately such a new approach is readily available. It springs from a 10 year campaign by industry veterans who understand that post-boot software security patches are feckless when faced with the pre-boot "root-kit" malware that is becoming increasingly prominent in the arsenals of our adversaries.
Acting through the Trusted Computing Group, some 130 computer industry companies, led by Microsoft, Intel, IBM, HP, Dell, and security specialist Wave Systems, have adopted and demonstrated an ingenious and promising remedy for many of these vulnerabilities. Integrated into the innermost domains of the computer system and not removable by the user, it is called the Trusted Platform Module (TPM). It cannot be broken or reverse engineered without prolonged access to the most advanced microchip technology laboratories.
Moving crucial security operations into a hardware "vault" chip, unreachable by outside software, the TPM makes possible the establishment of a "root of trust" upon which security can be built (a root, that is, rather than the "attack trees" currently cataloguing every potential virus mutation). A secure cryptographic processor, it commands non-volatile memory that keeps its contents when the power goes out. Containing a true random number generator based in the physics of the chip rather than an algorithmic source, the TPM supplies the foundation for cryptographic "keys" that identify the computer to outsiders.
The TPM also commands a program counter that logs an indelible record of computer operations that cannot be overridden or saturated no matter how long it is bombarded. Crucially the TPM is architected so that no commands it is issued can ever induce it to relinquish its private cryptographic key that uniquely identifies and authenticates the machine.
Most crucially for the post-Stuxnet environment, the TPM can perform the vital function of pre-boot hardware platform attestation, enabling the machine to report reliably on its own condition and identity. This means that together with implementation software it can compare a mathematical "hash" of the existing hardware settings and hard drive contents with the previously stored "image," flagging changes or malware and prohibiting boot-up until they are scrutinized and addressed.
Closely linked to the computer's Basic Input-Output System, the TPM can be disabled at the cost of eliminating BIOS support and access to authorized services--including the Operating System.
Thus the TPM can assure the user or the network that nothing has been altered. It guarantees that the computer is a known device, booting into a trusted known state. Thus it is a machine that can be safely linked to other networks and tap into valuable or sensitive services.
The Trusted Platform Module observes seven principles of security that are defied in practice by the prevailing industry establishment. It offers an entirely new paradigm--and a path to an improved computer architecture.
1) People cannot be made secure. They are subject to trickery and seduction, impulse and inattention. Only devices can be secured.
2) No secure system can rely on passwords. Memorable and robust passwords are an oxymoron: passwords are either memorable and breakable or robust and unmemorizable.
3) No security system works if it is not used. Thus these systems must improve the user's experience and enhance the device's performance, driving their adoption.
4) To increase the complexity of a machine is to increase its vulnerability. The fewer interfaces a security system introduces, the better.
5) The canonical security sequence is to authenticate the device, then link the user to it through a biometric method (such as fingerprints, face, or iris scans).
6) Websites should admit only known devices--an approach known as "whitelisting."
7) Computer security is too important to be entrusted to computer security companies. It is an effect of computer architecture and is impaired by most patches and post-hack security programs.
A corollary to this seventh principle is that anti-trust laws should not prevent companies like Microsoft, IBM, and Google from assuming responsibility for the integrity of their systems, even though this will be at the expense of outside computer security firms.
National security, however, is not chiefly a corporate responsibility. Government should lead by protecting itself and its vital assets. Indeed, the leading governmental experts at the National Security Agency have repeatedly endorsed the TPM and its associated new cybersecurity strategy, holding annual conferences to spread the word. "TPM capabilities represent a shift against today's software-based security solutions," NSA authority Neil Kittleson declared to the industry journal SC. "We found TPM works very well for our high-assurance platforms." The U.S. National Institute of Standards and Testing (NIST) in 2011 issued new guidelines advocating a shift of the line of defense to a computer's physical hardware, which offers a deeper and incorruptible foundation for preserving the identity and health of a device.
Virtually all new business-class personal computers--some 600 million so far--now bear TPMs welded onto their motherboards. Samsung, Wave Systems, and others are now extending the technology to mobile devices such as tablets, network computers, and smartphones. Microsoft is spearheading the movement by mandating TPMs as a prerequisite for its new operating system, Windows 8. Using Windows 8 and enabling tools, tablet computers and smartphones will be able safely to access the legacy software of most enterprise information systems.
So what is the problem? Although Intel was a founder of the Trusted Computer Group, it blundered by acquiring McAfee, a dogged upholder of the obsolete anti-virus patchwork strategy. Thus Intel as the semiconductor industry leader is has become part of the problem, following an incoherent and conflicted path, offering ever more complex "security" solutions that create vulnerabilities for its customers.
Perhaps even more influential is Apple, a tenacious holdout in a proprietary tree. It now is increasing the complexity and vulnerability of its systems by multiplying username and password requirements and channeling all commerce through its iTunes infrastructure. Its supposed early immunity to attack, deriving from its previously small market share and relatively coherent OS, is now rapidly eroding as it complicates its systems in a way that must be torturing the ghost of Steve Jobs.
Most crippling of all, however, is government policy. Despite the increasing consensus of its computer experts, the government has totally failed to act to assure the security of its own assets. It prefers security by obscurity or secrecy, patchwork or sequestration, to the adoption of a fundamentally improved and safer architecture for its military and intelligence systems. Even in a war against relatively primitive forces in Afghanistan, the Pentagon has suffered several unpublicized computer hacks against its drones, helicopters, and other equipment that remain vulnerable in ways that resourceful use of TPMs could rectify.
As a result of these stultifying confusions, uncertain trumpets, and special interests, almost no one has turned on the TPMs. In nearly all of the some 600 million computers that have them, the TPMs merely occupy valuable space on the motherboards. Sleeping sentinels, their default mode is dormancy, since they are worthless without software to invoke their services and manage them.
Like any electronics technology, Trusted Platform Modules are subject to constant improvement on a path that advances functionality, reliability, and usability. By contrast, the current software patchworks of the established computer security companies burden the industry with new complexities and vulnerabilities without significantly improving security. Their advocates then blame the users for not including enough numbers, capital letters, and exotic symbols in their passwords. But security is an indispensable part of computer architecture and design that must be incorporated from the bottom up. It cannot be sloughed off onto the users or relegated to a post-coital condom strategy based on retroactive bandaids and placebos.
Continued failure to respond to America's cyber-security gap could pale all of Washington's other scandals put together. The US still commands the vast majority of all global computer industry assets and capabilities (though we needlessly jeopardize our future prospects and our defenses by excluding leading computer science immigrant scholars from the U.S. after they finish their educations here). Let us save ourselves from the need for a post-catastrophe investigation, among the ruins, by acting now when there is still time to prevent disaster.
George Gilder is a Founding fellow, Discovery Institute; author of Knowledge&Power: The Information Theory of Capitalism (Regnery, July 2013). Gilder is a board member of Wave Systems corporation.