The one fix needed to keep Trump's cyber executive order from failing

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Roger R. Schell
 

Connecting state and local government leaders

By Roger R. Schell

|

Without a trustworthy operating system -- especially for critical infrastructure -- real cybersecurity is scientifically impossible.

President Donald Trump recently issued the Executive Order for Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Our nation’s first real cybersecurity initiative, however, began in 1981.  

As a young Air Force colonel, I was assigned to the National Security Agency as founding deputy director to provide technical leadership for what came to be known as the National Computer Security Center. That initiative led to considerable successes in the area of protecting our government’s most sensitive national interests. Our results required, as Trump’s executive order puts it, “measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

Unfortunately, the three most recent administrations terminated support for those successes, and continuing cyberattacks have indeed compromised our government’s most sensitive information. For example, the CIA Vault 7 breach resulted from a failure of its IT infrastructure to enforce compartmentation that the CIA previously enforced administratively and by physical isolation. The cybersecurity solutions defined at the NSA Center could reliably enforce compartmentation, so perhaps I can offer my unsolicited advice to the Trump administration as to how to make this new executive order succeed where the efforts of previous administrations have failed.

Secure critical operating systems in our IT architectures

The past three administrations procured defense in depth, secure development processes, information sharing, pattern recognition, artificial intelligence, other buzzword technology  and research, all to try to block intruders and patch holes in operating systems. Yet the root cause of failures remains that without a trustworthy OS, real cybersecurity is scientifically impossible. We must find and patch every (or almost every) hole in an OS, but an attacker needs find and attack only one hole. The recent National Institute of Standards and Technology Special Publication 800-160 on “Systems Security Engineering” recognizes this, and our NSA Center did too. If this administration does not quickly procure and create a viable government market for secure operating systems, then the executive order will fail on its own terms.

All trustworthy operating systems have three properties:

1. Security kernel architectures. A security kernel sits underneath an OS and is integrated with a suitable hardware platform. Together with that hardware, it controls the information flow in a system. NIST Fellow Ron Ross said, “You have to go back to a leaner and meaner architectural construct” [for] “systems that are more trustworthy, secure and resilient.” The security kernel architecture for highly secure system engineering, set forth in the NIST publication on Systems Security Engineering noted above, responds to Ross’s proposition. This reflects what was codified by the NSA Center.

2. Criteria to mitigate software subversion. The executive order highlights the need to address “cybersecurity risks facing the defense industrial base, including its supply chain.” Although hardware subversion can occur in the supply chain, it is software subversion that is by far the most widespread and easily exploited risk in the supply chain and lifecycle of a system.

The disclosures in the CIA Vault 7 breach illustrate the vulnerability of common operating systems to software subversion. As one reporter put it, an adversary’s “ability to hack into any OS to gain full control of any device -- whether it’s a smartphone, a laptop, or a TV with a microphone -- makes the [adversary] capable of bypassing any service [to] spy on everything that happens on that device.” At the NSA Center we developed criteria to build and evaluate systems to protect the most sensitive national interests, called the Orange Book Class A1. This was designed to substantially mitigate the problems of software subversion.

3. Data classification for label-based mandatory access control policies. The National Association of State CIOs recommends governments classify their information into protection levels by the value and sensitivity of the information. To classify information electronically, we must attach what are called “labels.” Importantly, the executive order directs agency heads to “show preference in their procurement for shared IT services … including email, cloud, and cybersecurity services.” Not all the users of a shared IT services are authorized to access all the information in that service. Science shows that only a MAC policy can, with high assurance, enforce rules for information flows among classification levels. So, the executive order’s “preference” implicitly requires label-based MAC policies.

All this has been done successfully.

I recently co-authored a paper surveying the long history of successful security kernel implementations that grew out of the first cybersecurity initiative at the NSA Center to mitigate software subversion and leverage MAC policies. This is demonstrated by controlled sharing in actual deployments of highly secure systems and products, ranging from enterprise cloud technology to general purpose data base management systems to secure authenticated internet communications.

So where should the administration go from here?

We must admit that the past generation’s reliance on solutions to patch operating systems after penetrations reveal holes will never work. As I write these words, people in over 150 countries are cleaning up from the WannaCry ransomware attack that leveraged holes in a widely deployed OS to force the OS to run ransomware code. Why blame the victims again? We should blame a generation of failed cybersecurity. This attack could have been directly mitigated by a decision a couple of years ago to use Class A1 security kernel technology for the OS. Meanwhile, someone is already planning the next OS attack.

Yet despite continuing imminent danger to our nation, the new executive order could be interpreted by bureaucrats as “business as usual.” It sets a 90-day period for each agency to submit a risk management report, followed by time to “assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk.”

How can the White House break out of this bureaucratic slow motion and get some meaningful cybersecurity started this summer?

The opportunity exists where the executive order directs attention to the possibility of “prolonged power outage associated with a significant cyber incident.” My advice is that we should immediately move to aggressively engage industrial control system (ICS) manufacturers by sponsoring prototypes for the power grid and develop a government and critical infrastructure market, using proven commercially available security kernel technology.

Ron Ross and NIST have been promoting the concepts of trustworthy secure computing platforms and could provide valuable technical leadership with respect to both ICS and Class A1. This is a shovel-ready project that can begin this summer and deliver highly secure ICS in only a couple years. It can give America a win in cybersecurity.

NEXT STORY: An ethical hacker can help you beat a malicious one

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.