
Losing the cyber war: How to get out of the box and win


The United States is losing the cyber war. Despite hugely increased expenditures on cyber security, every day the situation worsens and we continue to fall behind. As I write there is no government or military website that has not been hacked and vital information stolen. It is not just the government – banks, health care systems, financial transactions, credit card data, identity theft, social security numbers, legal briefs, strategy documents, corporate secrets, intellectual property – the list is nearly endless.

Throwing more money at “the problem” is not a panacea. Our government, military, and critical infrastructure cannot continue running around like chickens with their heads cut off. That is the sum of what is happening today.

The entire infrastructure of information technology is based mostly on an open architecture approach to computer systems and network infrastructure. That is conducive to a fairly rapid spiral development of new commercial technology. Unfortunately, the downside of the commercial approach is that security plays second or third fiddle to the push for bagging commercial dollars from investors and customers alike.

It is very well known that spending money on security does not “produce” anything, so putting money and resources into security systems is resented by investors and corporations, even by individual users who often chafe under security restrictions and operational limitations.

It is time to break free from the open source globalized approach when it comes to government, military and critical infrastructure mobile and fixed computers and networks. Wasting billions on hopeless security “solutions” while we continue to fall behind in the cyber war battle is senseless, wasteful and frustrating, and it demonstrates bad leadership and hopeless management. Let’s stop.

What we need is an American secure operating system and an American secure network environment built in a trusted environment by reliable people in safe manufacturing locations. Not in China. Not offshore. Here.

The talent to do this surely exists; it is just being wasted today on “other” projects.

A Strategic Plan would look like this:

1. Replace all critical infrastructure operating systems and networks with a US developed secure operating system in three to five years.

2. Assure that connectivity outside of the secure environment is carried out separately from vital secure computing.

3. Impose the massive use of encryption and truly protected authentication on the new secure operating system.

4. Make sure all OS and Secure Network users are properly cleared and vetted.

5. Put in place a compartmentalization system based on need to know and create a series of decentralized and regulated security centers to make sure the thresholds on need to know and a permission based environment are carefully maintained.

6. Do not use any equipment made outside the United States in the critical infrastructure.

7. Create a T&E (test and evaluation) center to check all hardware, firmware and software with independent auditors and engineers.

8. Create a Red Team to constantly try to break the system, point out vulnerabilities, and fix them immediately. The Red Team should be large and heavily incentivized to find problems.

9. Never, ever, share the US system with anyone outside the US. Make sure that the technology is controlled fully by the US government. And design the system so that if a piece is lost, it can be deactivated remotely and never be useful to an adversary or enemy.

10. Make sure the intellectual property, the technology developers, the Red Teams, and the system of compartmentalization are secret.

Dr. Stephen Bryen is a senior member of the US Senate Foreign Relations Committee, and former Deputy Under-Secretary of Defense.