Clear and present danger to your life as of now from cyberblitzkrieg
August 18, 2016
By Paul Werbos, PhD
This week (starting August 15), the immediate risk to our lives through cyberblitzkrieg has suddenly risen dramatically, due to new events in cyberspace. If a cyberblitzkrieg on electric power and other critical infrastructure does occur, the level of damage would be comparable in general to the kind of damage we feared at the height of the Cold War, when something like half the world could be lost suddenly and the rest in a cascade of events.
“Cyberblitzkrieg” is simply a coordinated cyberattack on multiple physical plants, like power generators or large transformers, hard to replace in less than, say, six months (best-case). Newt Gingrich wrote the foreword to a novel, One Second After, vividly describing what a big electromagnetic pulse (EMP) event could mean to the U.S. The possible damage here is similar, and I really hope something can be done to close the doors in time. We really need to get serious about this, because your life and mine are both at risk, really, here and now, starting this very week.
For me, the week began after I thought through two international meetings led by the Millennium Project in the DC area, one on the future of work and one on new ways to cope with terrorism. These two challenges, taken together, require new, more conscious strategies for developing the future of IT, and new directions in technology.
With any new directions, we naturally ask: “What is the first discrete step we could and should do?” The first step in this case would be to close the loopholes that make our critical infrastructure vulnerable, here and now, and limit what we could do in the future with the Internet of Things. I sent an email on what we need to do to a friend well-placed in cybersecurity (I post that email below*; it gives the technical idea).
First known cyber-attack on a power grid
I did not send this out more widely, because the folks who actually might want to pull a cyberblitzkrieg here and now tend to be more responsive and agile than our own people, and I did not want to generate the wrong kind of excitement in the wrong place.
BUT: this past week, “all hell broke loose,” and the risk has become much more visible and much larger. CNN ran a prominent story on the vulnerability of our power system, with pictures of what a cyberattack did to Ukraine in the first known cyber-attack on a power grid. (Also see Cyber-Attack Against Ukrainian Critical Infrastructure from the Dept. of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, ICS-CERT.)
More important: the widespread nature of backdoors and holes in firewalls and in servers, and tools to exploit them, has been widely publicized.
Finally, news came out about NSA21, a major restructuring of the NSA that many fear would reduce the capabilities of the Information Assurance part of NSA to actually implement the kind of patch we need most urgently. One guy hinted to me: “The problem now is that we are too busy with political kinds of reorganization even to consider these kinds of changes.”
So maybe we are fried. Really.
NSA21 and China’s secure-communication quantum satellite
I do not know whether NSA21 will make our prospects much better, much worse, or whether it will be a mixed bag or of limited impact. I do not know, of course, because many details are not yet final, and many are not open to the public. Nevertheless, since NSA is the only U.S. institution with leadership in the area of “Rainbow Book” technology, it will certainly be important here.
There are excellent reasons to believe that NSA21 may be very important, one way or another. In a Washington Post interview, NSA Director Mike Rogers stressed “fundamentals,” which is what we need. (We really need to understand what we are doing.)
But will information assurance be strengthened? Will we be enabling a greater fulfillment of the intent of the U.S. Constitution, enhancing the freedom of a free people, or will we be enabling a vision I have seen of IOT as a top-down control system that could suffocate us all to death in the end? The stakes are high.
The news of the week reminds us that routers, servers and communication systems are just as important, in the long term, as operating systems. My plan would have a phase two extending the new approach to these technologies as well, and even tacitly accounting for the huge implications of new quantum technology.
This week, the Chinese launched a secure-communication quantum satellite, and our paper in the journal Quantum Information Processing describes how China is a full generation ahead of the U.S. now in critical quantum areas, thanks to the “reforms” of Lamar Smith (see http://www.werbos.com/physics.htm for a link to a copy of the paper, in case you do not have journal access).
* Background from an email I sent out a week ago
A few years ago, when I handled electric power grid research at the National Science Foundation, Congressman Trent Franks did a beautiful job of explaining why he was so concerned about risks of electromagnetic pulse (EMP) events hitting the U.S. power grid.
But if half the big transformers in the U.S. were taken down, the damage could be a lot greater than the mere $1–2 trillion predicted in the 2012 official report from the National Academy of Sciences. It would be more like a return to the Stone Age, as depicted in the novel One Second After. Yet in 2009, folks at the National Defense University showed how a cyberattack could accomplish the same thing, if it could get all the way to the software that controls generators.
As a technical person, I am tempted to talk at great length about the growing threats in this area, and about how all the good, worthwhile things now in the pipeline are not yet enough to prevent disaster. Even as we cope every day with a deluge of small, gradual attacks, our vulnerability to one vast unexpected cyberblitzkrieg from people like hostile state actors is growing and growing. I do hope your contacts would be willing to discuss adding a new program, intended to be a FIRST STEP towards a more comprehensive solution.
The key idea
Move all critical infrastructure ASAP to control by a new generation of operating systems that meet the NSA “Rainbow Book” standards for absolute unbreakability, with open-source machine verification of unbreakability and privacy, EXCEPT for a standard “wiretap observer” subroutine which would be black but whose inputs and outputs and potential actions are visible in open source.
This would be a huge change in today’s practice. Because this is a complex issue, I would be grateful for a chance to be available to answer questions, after I give you just a few highlights of the long discussions behind the new proposal. One of the last things I did at NSF before my retirement was a review of larger issues with the Internet of Things, and we have had many follow-on discussions.
Here below is my crude attempt to summarize the first wave of tradeoffs.
Electric power utilities are already a lot more secure than financial institutions, for example, when it comes to control of critical infrastructure of the kind NDU has alerted us to. They generally use some dialect of SELinux for critical operations. SELinux, guided by NSA, is informed by the best knowledge in the “Rainbow Books” (like the Multics “orange book” I learned about when developing software for Multics in 1973-1975) about theorem-based unbreakability.
But utilities are totally dependent on vendors like ABB who “take their time to update compliance,” and backdoors have become a growing problem in all dialects of Linux and Unix. For many years, standard practice was for the U.S. to use a few known backdoors to enable its crucial “wiretap” kinds of functions, hoping that adversaries would never find the backdoors. But a couple of years ago we narrowly avoided a really huge crisis when a backdoor in Linux embedded control chips became known, and the time for adversaries to discover backdoors has become shorter and shorter.
It may be that China has already long had the ability to shut the U.S. down, and is gently holding it in reserve for a good time, but more and more other high-capability actors are showing up. Given how much is at stake, and where things are going, it is time to bite the bullet and change the way we do business as soon as we can.
Unfortunately, “as soon as we can” is not overnight. Open-source machine-verified compliance before deployment is essential to eliminating “taking time to get to compliance.” The technology is known (at least to NSA and a few specialists in places like Berkeley and relevant contractors), but the wiretap subroutine is essential in practice, and an open public demo of the technology is needed first.
Someone should fund the project to do that demo, and make it 100% global open source. Then would come the phase-in of a new requirement that a growing circle of critical infrastructures must meet the new standards, as OSes are developed in full, open, transparent compliance. Also, of course, design of an acceptable wiretap subroutine and policy needs to go forward, in parallel with the development of the initial demo.
Total transparency
There are some futurists who argue that there should be total transparency in the future, such that all operating systems and computer databases should have read-only access to the entire world. At best, that is not a near-term option. But it is true that law enforcement does have a right to investigate criminals with a warrant, and that a new security system must not overturn that right.
Policies on warrants and wiretaps are complicated, but we cannot afford to waste time reinventing the wheel. The job for us tech people now is to build a clean READ-ONLY interface and make sure it goes to the right level of respectable constitutional and international lawyers to handle what they do with their side of it.
We do need to be asking for operating systems that could not be shut down, de facto, in a mission-critical way by denial-of-service attacks routed through the wiretap subroutine; thus compliance should include verification that the outputs of that subroutine could not have that effect.
(“Quiet times” or “quiet cores” useful in reporting may be crucial parts of design… something like that.)
In a way, the “warrant subroutine” suggestion preserves the kind of backdoor access that folks like the intelligence gathering parts of NSA and FBI rely on very heavily; however, since it is READ-ONLY, the threat of someone taking down the U.S. power grid would go away. The tradeoffs are similar to those of mutual nuclear disarmament, without the worries about cheating (because each nation has an incentive to protect itself, and its own protection depends on its deploying better software).
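To make the two properties asked of the “warrant subroutine” concrete (it may only read controller state, and nothing it does can stall the control loop), here is a small added illustration in Python. It is not code from the post or from any vendor or agency; the controller model, the `Snapshot`/`ObserverChannel` names and the bounded-queue design are all assumptions made for the example. The controller publishes immutable snapshots into a bounded, non-blocking channel; a slow or stalled observer only causes samples to be dropped and counted, never a blocked control step, and an observer that tries to write into a snapshot is refused.

```python
"""Read-only, non-blocking observer hook beside a control loop.

Added illustration (assumed design, not the post's or any project's code).
Models the post's "wiretap observer" idea: the observer can SEE controller
state but cannot change it, and the control loop never waits on the observer.
"""
import queue
from dataclasses import FrozenInstanceError, dataclass


@dataclass(frozen=True)
class Snapshot:
    """Immutable copy of what the observer is allowed to see."""
    tick: int
    setpoint_mw: float
    output_mw: float


class ObserverChannel:
    """Bounded channel from controller to observer.

    publish() never blocks: if the observer has not drained the queue,
    the sample is dropped and counted. That is the "cannot DoS the
    controller" property; the drop counter is what an auditor would check.
    """

    def __init__(self, capacity: int = 8):
        self._q: "queue.Queue[Snapshot]" = queue.Queue(maxsize=capacity)
        self.dropped = 0

    def publish(self, snap: Snapshot) -> None:
        try:
            self._q.put_nowait(snap)
        except queue.Full:
            self.dropped += 1

    def read(self, timeout: float = 0.0):
        """Observer side; returns None rather than waiting indefinitely."""
        try:
            return self._q.get(timeout=timeout)
        except queue.Empty:
            return None


class Controller:
    """Toy first-order generator controller (constructed model, not a real plant)."""

    def __init__(self, channel: ObserverChannel, setpoint_mw: float = 100.0):
        self._state = {"tick": 0, "output_mw": 0.0}  # private; never handed out
        self.setpoint_mw = setpoint_mw
        self.channel = channel

    def step(self) -> float:
        s = self._state
        s["tick"] += 1
        s["output_mw"] += 0.5 * (self.setpoint_mw - s["output_mw"])
        # Observer gets a frozen copy of the values, not a reference to state.
        self.channel.publish(Snapshot(s["tick"], self.setpoint_mw, s["output_mw"]))
        return s["output_mw"]

    def tick_count(self) -> int:
        return self._state["tick"]


def run_control_loop(ticks: int, channel: ObserverChannel) -> Controller:
    """Run the loop to completion regardless of what the observer does."""
    ctl = Controller(channel)
    for _ in range(ticks):
        ctl.step()
    return ctl


def drain(channel: ObserverChannel, limit: int = 1000) -> list:
    """Observer side: collect whatever is queued, never blocking."""
    out = []
    while len(out) < limit:
        snap = channel.read()
        if snap is None:
            break
        out.append(snap)
    return out


def tamper_is_blocked(snap: Snapshot) -> bool:
    """True if an observer's attempt to write into a snapshot is refused."""
    try:
        snap.output_mw = 0.0  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


if __name__ == "__main__":
    ch = ObserverChannel(capacity=8)
    ctl = run_control_loop(1000, ch)           # observer never reads
    print("ticks:", ctl.tick_count(), "dropped:", ch.dropped)
    seen = drain(ch)
    print("observer saw", len(seen), "snapshots; tamper blocked:",
          tamper_is_blocked(seen[0]))
```

The point of the design is in the two places the observer could do harm: `publish()` uses `put_nowait` so the controller's worst case is a counted drop, and `Snapshot` is frozen so the observer holds values, not a handle to live state. A real compliance check, as the post suggests, would verify properties like these on the actual subroutine's outputs rather than trusting the observer's code.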
See www.werbos.com/IOT.htm for an earlier vision (2014) of this, with citation to the Rainbow Book story.
Thanks for your consideration! There is a lot at stake in really getting this right, ASAP.
Paul J. Werbos, PhD, is a scientist best known for his 1974 Harvard University Ph.D. thesis, which first described the process of training artificial neural networks through backpropagation of errors. The thesis, and some supplementary information, can be found in his book, The Roots of Backpropagation. He also was a pioneer of recurrent neural networks. He was formerly a program director at the National Science Foundation, with responsibility for Adaptive and Intelligent Systems (AIS), Quantum systems and device modeling (QMHP), and systems-level power grids (GRID). He also handled Cognitive Optimization and Prediction (engineering-neuroscience collaboration to reverse-engineer intelligence) and since he started at NSF in 1988, he has led a variety of other areas, such as fuel cell and electric vehicles, emerging technologies, cyber systems and the sustainability part of interdisciplinary research. He is a Fellow of IEEE and INNS and a winner of the IEEE Neural Networks Pioneer Award and winner of the Hebb Award for 2011 from the International Neural Network Society (INNS).
This article was originally posted on Paul Werbos’ Saving the world blog