The one fix needed to keep Trump's cyber executive order from failing
- By Roger R. Schell
- May 22, 2017
President Donald Trump recently issued the Executive Order for Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Our nation’s first real cybersecurity initiative, however, began in 1981.
As a young Air Force colonel, I was assigned to the National Security Agency as founding deputy director to provide technical leadership for what came to be known as the National Computer Security Center. That initiative led to considerable successes in the area of protecting our government’s most sensitive national interests. Our results required, as Trump’s executive order puts it, “measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
Unfortunately, the three most recent administrations terminated support for those successes, and continuing cyberattacks have indeed compromised our government’s most sensitive information. For example, the CIA Vault 7 breach resulted from a failure of its IT infrastructure to enforce compartmentation that the CIA previously enforced administratively and by physical isolation. The cybersecurity solutions defined at the NSA Center could reliably enforce compartmentation, so perhaps I can offer my unsolicited advice to the Trump administration as to how to make this new executive order succeed where the efforts of previous administrations have failed.
Secure critical operating systems in our IT architectures
The past three administrations procured defense in depth, secure development processes, information sharing, pattern recognition, artificial intelligence, other buzzword technology and research, all to try to block intruders and patch holes in operating systems. Yet the root cause of failures remains that without a trustworthy OS, real cybersecurity is scientifically impossible. We must find and patch every (or almost every) hole in an OS, but an attacker needs to find and attack only one hole. The recent National Institute of Standards and Technology Special Publication 800-160 on “Systems Security Engineering” recognizes this, and our NSA Center did too. If this administration does not quickly procure and create a viable government market for secure operating systems, then the executive order will fail on its own terms.
All trustworthy operating systems have three properties:
1. Security kernel architectures. A security kernel sits underneath an OS and is integrated with a suitable hardware platform. Together with that hardware, it controls the information flow in a system. NIST Fellow Ron Ross said, “You have to go back to a leaner and meaner architectural construct” [for] “systems that are more trustworthy, secure and resilient.” The security kernel architecture for highly secure system engineering, set forth in the NIST publication on Systems Security Engineering noted above, responds to Ross’s proposition. This reflects what was codified by the NSA Center.
2. Criteria to mitigate software subversion. The executive order highlights the need to address “cybersecurity risks facing the defense industrial base, including its supply chain.” Although hardware subversion can occur in the supply chain, it is software subversion that is by far the most widespread and easily exploited risk in the supply chain and lifecycle of a system.
The disclosures in the CIA Vault 7 breach illustrate the vulnerability of common operating systems to software subversion. As one reporter put it, an adversary’s “ability to hack into any OS to gain full control of any device -- whether it’s a smartphone, a laptop, or a TV with a microphone -- makes the [adversary] capable of bypassing any service [to] spy on everything that happens on that device.” At the NSA Center we developed criteria to build and evaluate systems to protect the most sensitive national interests, called the Orange Book Class A1. This was designed to substantially mitigate the problems of software subversion.
3. Data classification for label-based mandatory access control (MAC) policies. The National Association of State CIOs recommends governments classify their information into protection levels by the value and sensitivity of the information. To classify information electronically, we must attach what are called “labels.” Importantly, the executive order directs agency heads to “show preference in their procurement for shared IT services … including email, cloud, and cybersecurity services.” Not all users of a shared IT service are authorized to access all the information in that service. Science shows that only a MAC policy can, with high assurance, enforce rules for information flows among classification levels. So, the executive order’s “preference” implicitly requires label-based MAC policies.
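To make the third property concrete, here is an added illustration (not code from the article or from any system the author describes) of a label-based MAC check in the Bell-LaPadula style that Orange Book systems enforced: each label is a hierarchical level plus a set of compartments, a subject may read an object only if the subject's label dominates the object's (no "read up"), and may write only if the object's label dominates the subject's (no "write down"). The level names, compartment names and the shared-store contents are constructed for the example; a real security kernel makes this decision inside its reference monitor, below the applications, rather than in application code.

```python
"""Label-based mandatory access control (MAC) check, Bell-LaPadula style.

Added illustration for this article. Level names, compartments and the
sample subjects/objects are constructed; they are not from any real system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")
        # Normalise so callers may pass a plain set or list of compartment names.
        object.__setattr__(self, "compartments", frozenset(self.compartments))

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_decision(subject: Label, obj: Label, mode: str) -> Tuple[bool, str]:
    """Reference-monitor style decision for a single access request.

    read  -> simple security property: subject label must dominate the object's
             (no read up, and no reading a compartment the subject lacks).
    write -> *-property: object label must dominate the subject's (no write
             down), so a process holding SECRET data cannot leak it into a
             CONFIDENTIAL or differently-compartmented object.
    The decision depends only on the two labels, never on who owns the object
    or what an application asks for; that is what makes the policy mandatory.
    """
    if mode == "read":
        ok = subject.dominates(obj)
        return ok, "simple security property " + ("satisfied" if ok else "violated (read up)")
    if mode == "write":
        ok = obj.dominates(subject)
        return ok, "*-property " + ("satisfied" if ok else "violated (write down)")
    raise ValueError(f"unknown access mode: {mode!r}")


def visible_objects(subject: Label, store: Dict[str, Label]) -> List[str]:
    """Names of objects in a shared store that `subject` may read, sorted.

    Models the shared-service case: one store holds objects at many labels,
    and each user sees only the subset their clearance dominates.
    """
    return sorted(name for name, lbl in store.items()
                  if mac_decision(subject, lbl, "read")[0])


def audit_line(who: str, subject: Label, what: str, obj: Label, mode: str) -> str:
    """Human-readable audit record for one decision (what a kernel would log)."""
    allowed, reason = mac_decision(subject, obj, mode)
    return (f"{'ALLOW' if allowed else 'DENY '} {who}[{subject.level}/"
            f"{sorted(subject.compartments)}] {mode} {what}[{obj.level}/"
            f"{sorted(obj.compartments)}]: {reason}")


# Constructed sample clearances and a constructed shared document store.
ANALYST = Label("SECRET", {"CRYPTO"})
CLERK = Label("UNCLASSIFIED")
SHARED_STORE = {
    "budget_memo": Label("CONFIDENTIAL"),
    "crypto_report": Label("SECRET", {"CRYPTO"}),
    "reactor_design": Label("SECRET", {"NUCLEAR"}),
    "ts_brief": Label("TOP SECRET"),
}

if __name__ == "__main__":
    for name, lbl in SHARED_STORE.items():
        print(audit_line("analyst", ANALYST, name, lbl, "read"))
    # The analyst may write upward (into a TOP SECRET/CRYPTO object) but not
    # downward into the unclassified clerk's inbox.
    print(audit_line("analyst", ANALYST, "ts_crypto_log", Label("TOP SECRET", {"CRYPTO"}), "write"))
    print(audit_line("analyst", ANALYST, "clerk_inbox", Label("UNCLASSIFIED"), "write"))
    print("analyst sees:", visible_objects(ANALYST, SHARED_STORE))
    print("clerk sees:  ", visible_objects(CLERK, SHARED_STORE))
```

Two things in the output are worth noticing: the SECRET/CRYPTO analyst is denied the SECRET/NUCLEAR design even though the levels are equal, which is the compartmentation the article says the Vault 7 infrastructure failed to enforce, and the write check denies the downward write regardless of any permission the object's owner might have granted, which is the difference between a mandatory policy and the discretionary controls most commodity operating systems rely on.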
All this has been done successfully.
I recently co-authored a paper surveying the long history of successful security kernel implementations that grew out of the first cybersecurity initiative at the NSA Center to mitigate software subversion and leverage MAC policies. This is demonstrated by controlled sharing in actual deployments of highly secure systems and products, ranging from enterprise cloud technology to general-purpose database management systems to secure authenticated internet communications.
So where should the administration go from here?
We must admit that the past generation’s reliance on solutions to patch operating systems after penetrations reveal holes will never work. As I write these words, people in over 150 countries are cleaning up from the WannaCry ransomware attack that leveraged holes in a widely deployed OS to force the OS to run ransomware code. Why blame the victims again? We should blame a generation of failed cybersecurity. This attack could have been directly mitigated by a decision a couple of years ago to use Class A1 security kernel technology for the OS. Meanwhile, someone is already planning the next OS attack.
Yet despite continuing imminent danger to our nation, the new executive order could be interpreted by bureaucrats as “business as usual.” It sets a 90-day period for each agency to submit a risk management report, followed by time to “assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk.”
How can the White House break out of this bureaucratic slow motion and get some meaningful cybersecurity started this summer?
The opportunity exists where the executive order directs attention to the possibility of “prolonged power outage associated with a significant cyber incident.” My advice is that we should immediately move to aggressively engage industrial control system (ICS) manufacturers by sponsoring prototypes for the power grid and develop a government and critical infrastructure market, using proven commercially available security kernel technology.
Ron Ross and NIST have been promoting the concepts of trustworthy secure computing platforms and could provide valuable technical leadership with respect to both ICS and Class A1. This is a shovel-ready project that can begin this summer and deliver highly secure ICS in only a couple years. It can give America a win in cybersecurity.