Monday, November 03, 2008

Response to "Air Force Aims to 'Rewrite Laws of Cyberspace'"

Given my recent posts like "Whither Air Force Cyber?", I felt the need to comment on Noah Shachtman's story "Air Force Aims to 'Rewrite Laws of Cyberspace'":

The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than rewriting the "laws of cyberspace."

Four years ago I wrote "Thoughts on the United States Air Force Computing Plans":

I was asked my thoughts on the US Air Force's new computing deal with Microsoft. In short, Microsoft will provide core server software, maintenance and upgrade support, and Dell will supply more than 525,000 Microsoft desktop Windows and Office software licenses to the Air Force...

So instead of taking a serious look at the root cause of its patching and exploitation costs (both financial and in mission impact), the Air Force sought a better deal from the vendor producing flawed software. This is sad. TechWorld's Ellen Messmer wrote "The US Air Force has had enough of Microsoft's security problems. But rather than switch to an alternative, it has struck a deal with CEO Steve Ballmer for a specially configured version of Windows..."

Had the Air Force decided to break away from Microsoft, the other services would have definitely taken notice. In fact, corporate America would have taken notice.


I followed a few months later with "As Always, .gov and .mil Fight the Last War":

The US Office of Management and Budget's Karen Evans reportedly likes the US Air Force's plans to "deliver standardized and securely configured Microsoft software throughout the service..."

This approach is fighting the last war, since it relies on running hundreds of thousands of personal computers with general purpose operating systems. All of these systems will still need applications installed, and those apps and the OS will have to be patched, updated, etc.


Here we are staring at 2009 and the Air Force is still being 0wned. So much for the bold Microsoft strategy! Apparently the Air Force has taken a note from my blog post "Change the Plane" by seeking to "rewrite laws of cyberspace."

Unfortunately, the Air Force and anyone else who seeks a vulnerability-centric security program need to realize that the only way to win purely by playing defense is to be different. Being different means you force the adversary to expend time and resources on attacking you. Right now it's cheap for an adversary to develop a single Word 0-day and sell it to someone attacking .mil, or .edu, or .com, or anyone else running Office. However, if you really want to attack the Air Force, and they use AFOffice on AFOS (maybe on AF CPU), you have to develop new ways to steal their data. That's probably not cheap.

Unfortunately for the Air Force and others adopting a defense-by-diversity strategy, being different costs money. The whole reason the defense and intel communities adopted COTS (Commercial Off The Shelf) platforms was to save money. The Air Force and anyone else who pursues a vulnerability-centric security posture should weigh the total costs of COTS vs GOTS (Government Off The Shelf). I bet when you factor in security costs, COTS doesn't look so attractive anymore.

5 comments:

Adam said...

While I agree with your point about security through diversity, the thought of a GOTS OS or CPU is terrifying. Major software projects are *hard*, and putting them in the hands of government contractors almost guarantees their failure.

Beyond that, the platform would have to be 'open', in order to provide a base for other government applications. In theory, this could end up dragging the defense market onto the system as well (have to maintain compatibility with your customer!), which would destroy the whole benefit of a unique platform to begin with.

I don't understand why the USAF (and other DoD services) don't 'rewrite the rules' and simply disconnect everything but PAOs from the public Internet. It seems to work OK for the classified DoD networks.

Anonymous said...

adam,

Think of "AFOffice" as a re-branded OpenOffice.org and "AFOS" as a customized Linux (or *BSD!) distro. The costs involved in that process are likely orders of magnitude cheaper than building them from scratch. Such a platform would fulfill the requirement that Richard expresses: the enemy would need to spend additional resources customizing attacks for "AFOS" or "AFOffice" that would not (necessarily) be portable to educational or commercial institutions.

Rob Lewis said...

I could tell you about a COTS drop-in security sub-system that makes those COTS networks trustworthy, but you probably wouldn't believe me, LOL.

Dan Geer said...

Few would argue that reducing the diversity of the natural world should be a national goal, but that is precisely what we do with corporate desktops. Despite what some might think, I am sympathetic to the actual reason we do it -- making everything almost entirely alike is, and remains, the only hope for being able to manage it in a consistent manner. Therefore, when you deploy a computing monoculture you are making a risk management decision: That the downside risk of a black swan event is more tolerable than the downside risk of perpetual inconsistency. Which path you choose is doubtless correlated with how short- vs. long-term your planning horizon is.
