Danzig: Analog has value in countering cyber threats
The former Navy secretary recommends some unconventional approaches to help meet the cybersecurity challenge. Quantum encryption? Not so much.
Richard Danzig was President Clinton’s Navy secretary from 1998 to 2001. Today, he is a member of the Defense Policy Board and The President’s Intelligence Advisory Board, advising the Defense and Homeland Security departments on cyber threats, terrorism and bioagent detection. He also is a director of the Center for a New American Security and a RAND Corp. executive.
Speaking with Defense Systems contributor David Walsh, Danzig proposed ways for the United States to better engage and overcome obstacles in the increasingly complex cybersecurity domain.
DS: China and its “citizen hackers,” Russia and other actors are increasingly aggressive in computer penetration efforts, electronic warfare and espionage. PLA generals speak openly of unrestricted “technological violence.” How serious are these threats? And what’s the impact of, say, latency of pre-installed bugs in what we buy: routers, modems, monitors, wiring?
Danzig: Well, it’s pretty striking in terms of penetrations, and none of us really knows ... about the extent to which there may be latent hardware embeds. Embeds can be of many kinds, and systems are so complex, so numerous, so big that ... the number of hiding places is very, very great.
The cyber world [overall] is inherently insecure both in the exceptional difficulty ... in keeping other entities or people out, but also in ... claiming that a very complex system is clean or fully secured.
DS: Operating systems, for example?
Danzig: Microsoft’s OS has at least 50 million lines of code, and big corporate financial institutions manage over a trillion lines. [Obviously], your ability to see what’s inside those systems is very limited.
DS: Outsourcing complicates matters. You’ve noted the F-35 Joint Strike Fighter alone may contain countless vulnerability gateways and the supply chain overall is reportedly at serious risk.
Danzig: That’s right. [Hardware is] an additional compounding point. We haven’t seen many examples of hardware corruption, and we see many, many examples of software problems.... But that may be just a matter of the present. If somehow we could clean up the software problem, we’d still have the hardware problem.
DS: Lately you’ve stressed that analog computer systems can complement and help safeguard digital systems. Would it have prevented or minimized recent attacks on, say, the U.S. Central Command, the Office of Personnel Management, or the Joint Chiefs’ YouTube and Twitter accounts?
Danzig: I don’t think the analog will prevent penetrations, and it’s not, generally speaking, something that I would prescribe for protection of intellectual property or confidential communications. My interest in analog arises because, beyond simply traditional cyber threats, there are cyber physical threats, which are efforts to corrupt the operation of physical systems, like a power grid or steel mill.... A ship-launched missile, for instance, could corrupt cyber components, then cause that physical system to self-destruct or operate in damaging ways.
And there, if you have an analog system, you gain a significant measure of protection if it at least informs you about what’s happening, so the attacker can’t control both your system and your ability to perceive your system.
DS: How do we acquire or incorporate analog systems?
Danzig: In a number of systems, they already exist. And I’m trying to sound the alarm about systems in, for example, the power grid world [that are] moving to digital systems and abandoning the analog. It’s the wave of modernization; digital systems are more efficient.
[Nevertheless], I’m saying regulators ought to move to a digital system in your operations, but keep at least some of your safety system in analog mode. So that’s a first, kind of easy case.
In other cases, for example, you can introduce an analog component, even a human, into what could otherwise be a purely cyber system. For example, my system automatically can generate new passwords when requests come in. I might approve requests ... up to a certain number, but when I’m suddenly seeing a request for 10 times the normal number, the system might have inserted something that requires a human being to review those requests or any other kinds of aberrations that occur.
DS: Has the Navy or other DOD enterprise tried out your dual “back to the future” approach?
Danzig: Military services are becoming aware ... of its potential utility. How far they’ve gone in different systems in actually adopting that, I can’t say.
DS: Infrastructure and power grids are vital largely because the military, homeland security components and others greatly rely on the civilian world for bandwidth, spectrum and other types of modalities. Here again, might creating separate entities prove useful should one system or network go down – with or without analog stand-alones?
Danzig: Yeah. Well, you’re making several points, all of which I think are right. Firstly, the military system is reliant on the civilian system. Military bases will have generators and another kind of capacity for the very short term. But if the civilian power grid went down ... the Pentagon recognizes that their systems logistically would have lots of problems.
Secondly, if we create some degree of diversity within the power grid—a separation—so that not all of it goes down too readily, that’s a big help, and we have a limited degree of that now. But in all cyber physical systems, creating some degree of separation enclaves is very useful for restoring resiliency.
Lastly, introducing complementary analog components or preserving analog components in a civilian power system is a useful safeguard versus making it all digital.
DS: Some champion quantum cryptography—supposedly unbreakable but with limited range for now—as a key near-term safeguard. Does this ameliorate cyber-intrusion prospects?
Danzig: No. I think it’s the other way around. The problem with quantum computing is that it threatens to undo the protections associated with encryption, which depends on the inability to do huge computation to crack codes. And if we had quantum computers, the reason NSA and others are mostly concerned about it is because quantum computers couldn’t render what is now protected encryption vulnerable. [It may be that] quantum computing is less a boon than it is a threat. One of the good steps to take at present, though limited, is to use more encryption.
DS: Still, is such a tool, in concert with analog and other steps, useful in the mid-term against fast modernizing nemeses like China?
Danzig: Yes. I think there are a suite of things that one ought to do. Moving to use more analog in a complementary way, creating separated enclaves, avoiding a computer digital monoculture where everything runs in the same system and therefore has common vulnerability, and more and better encryption are all examples of things that make it notably harder for the attacker.
Ultimately, a committed attacker with a lot of resources can get around these problems, but you protect yourself better against uncommitted attackers without lots of resources, and you make it noticeably harder and perhaps more visible when a committed attacker with huge resources wants to invest against you. So I don’t think there’s a nirvana via that route, but I do think there’s a better world.
DS: You contend that normal screening and antivirus apps are inadequate leak-stoppers, since they depend on preexisting security signatures. Explain, please.
Danzig: Sure. [Computer vulnerability studies have found] antiviral software rife with vulnerabilities because it’s software and, therefore, has the same problems as other software. But it’s particularly, potentially a potent problem because in order to operate, antiviral software has privileges for entering and manipulating your computer system. So it can be a source of problems as well.
The main problem, though, with antivirals is they lag [behind] the appearance of new vulnerabilities. It takes some, not inconsiderable, time to recognize that they’re there, and when patches are provided, they frequently are not immediately installed. And they immediately advertise to attackers that there is a route in if the patch hasn’t been installed. There are good reasons why some people don’t immediately install patches: because they have to interact with a lot of their very complicated hardware.
So a big department store that has a thousand different sites or a hundred different sites may first only install a patch on two or three sites to see how it works and whether it’s causing problems, during which time attackers can enter the other 97 sites. Also, there are a lot of people out there who don’t install patches or they’re using counterfeit software or who don’t get news of the patches, et cetera, et cetera.