Page 49 - GCN, June/july 2017

The security kernel architecture for highly secure systems engineering, set forth in the NIST publication noted above, responds to Ross’ proposition. It also reflects what was codified by the NSA center.
2. Criteria to mitigate software subversion. The executive order highlights the need to address “cybersecurity risks facing the defense industrial base, including its supply chain.” Although hardware subversion can occur in the supply chain, software subversion is by far the most widespread and easily exploited risk in the supply chain and life cycle of a system.
The disclosures in the CIA Vault 7 breach illustrate common operating systems’ vulnerability to software subversion. As Swati Khandelwal of “The Hacker News” put it, “The agency’s ability to hack into any OS to gain full control of any device — whether it’s a smartphone, a laptop or a TV with a microphone — makes the CIA capable of bypassing any service [to] spy on everything that happens on that device.” An adversary could do the same.
At the NSA center, we developed criteria to build and evaluate systems to protect the most sensitive national interests, called the Orange Book Class A1. The document was designed to substantially mitigate the problem of software subversion.
3. Data classification for label-based mandatory access control policies. The National Association of State CIOs recommends that governments classify their information into protection levels based on the value and sensitivity of the information. To classify information electronically, we must attach what are called “labels.”
Trump’s executive order directs agency heads to “show preference in their procurement for shared IT services...including email, cloud and cybersecurity services.” Not all users of a shared service are authorized to access all the information in that service.
Science shows that only a MAC policy can, with high assurance, enforce rules for information flows between classification levels. So the executive order’s “preference” implicitly requires label-based MAC policies.
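As an added illustration of what a label-based MAC policy enforces in a shared service (example code written for this edit, not the author's text and not GEMSOS code; the level names, compartments, the scenario data and the ReferenceMonitor class are constructed assumptions), the block below builds the label lattice, applies the two Bell-LaPadula rules (no read up, no write down) and shows that a discretionary share permission cannot override the mandatory check:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical hierarchical levels, lowest to highest (constructed for this example).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A carries every
        # compartment B carries. Labels that fail both ways are incomparable.
        return RANK[self.level] >= RANK[other.level] and self.compartments >= other.compartments


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what the clearance dominates (no read up)."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the clearance (no write down)."""
    return obj.dominates(subject)


def flow_allowed(source: Label, destination: Label) -> bool:
    """Information may flow from source to destination only if destination dominates source."""
    return destination.dominates(source)


class ReferenceMonitor:
    """Mediates every access against the MAC policy and records the outcome for audit.

    The discretionary 'acl' argument models a service-level share permission. It is
    consulted only after the mandatory check passes, so it can never override MAC.
    """

    def __init__(self):
        self.audit: List[Tuple[str, str, str, str]] = []

    def access(self, who: str, subject: Label, name: str, obj: Label,
               mode: str, acl: FrozenSet[str] = frozenset()) -> bool:
        if mode == "read":
            mac_ok = may_read(subject, obj)
        elif mode == "write":
            mac_ok = may_write(subject, obj)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if not mac_ok:
            self.audit.append((who, name, mode, "DENIED-MAC"))
            return False
        if acl and who not in acl:
            self.audit.append((who, name, mode, "DENIED-DAC"))
            return False
        self.audit.append((who, name, mode, "ALLOWED"))
        return True


def demo() -> List[Tuple[str, str, str, str]]:
    """Constructed scenario: one shared mail/cloud service holding data at several labels."""
    rm = ReferenceMonitor()
    alice = Label("SECRET", frozenset({"GRID"}))   # cleared SECRET, GRID compartment
    bob = Label("CONFIDENTIAL")                      # cleared CONFIDENTIAL, no compartments

    grid_report = Label("SECRET", frozenset({"GRID"}))
    public_notice = Label("UNCLASSIFIED")
    ts_plan = Label("TOP_SECRET", frozenset({"GRID"}))

    rm.access("alice", alice, "grid_report", grid_report, "read")      # allowed: labels equal
    rm.access("bob", bob, "grid_report", grid_report, "read",
              acl=frozenset({"bob"}))                                  # denied by MAC despite the share ACL
    rm.access("alice", alice, "public_notice", public_notice, "write")  # denied: write down
    rm.access("bob", bob, "grid_report", grid_report, "write")          # allowed by the *-property: write up
    rm.access("alice", alice, "ts_plan", ts_plan, "read")               # denied: read up
    return rm.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point the block makes for a shared service is in the second access: the owner of the object has explicitly shared it with bob, yet the flow is refused because bob's label does not dominate the object's label, which is exactly the decision a discretionary permission scheme alone cannot be trusted to make.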
All of these things have been done successfully. I recently co-authored a paper surveying the long history of successful security kernel implementations that grew out of the first cybersecurity initiative at the NSA center to mitigate software subversion and leverage MAC policies. This is demonstrated by controlled sharing in actual deployments of highly secure systems and products, ranging from enterprise cloud technology to general-purpose database management systems to secure authenticated internet communications.
So where should the Trump administration go from here? We must admit that the past generation’s efforts to patch operating systems after penetrations reveal holes will never work.
As I write these words, people in over 150 countries are cleaning up from the WannaCry ransomware attack that took advantage of holes in a widely deployed OS to force it to run ransomware code. Why blame the victims again? We should blame a generation of failed cybersecurity.
The attack could have been directly mitigated by a decision a couple of years ago to use Class A1 security kernel technology for the OS. Meanwhile, someone is already planning the next OS attack.
Yet despite continuing imminent danger to our nation, the new executive order could be interpreted by bureaucrats as “business as usual.” It sets a 90-day period for each agency to submit a risk management report, followed by time to “assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk.”
How can the White House break out of this bureaucratic slow motion and get some meaningful cybersecurity started this summer? The opportunity exists where the executive order directs attention to the possibility of a “prolonged power outage associated with a significant cyber incident.” My advice is that we should immediately move to aggressively engage industrial control system (ICS) manufacturers by sponsoring prototypes for the power grid and develop a government and critical infrastructure market that relies on proven, commercially available security kernel technology.
Ron Ross and NIST have been promoting the concepts of trustworthy secure computing platforms and could provide valuable technical leadership with respect to both ICS and Class A1. This is a shovel-ready project that could begin this summer and deliver highly secure ICS in only a couple years. It could give America a win in cybersecurity.
— Roger R. Schell is president of Aesec, a firm that supports the commercial GEMSOS security kernel, which NSA has evaluated as Class A1 for verified protection, and offers it to original equipment manufacturers.
GCN JUNE/JULY 2017 • GCN.COM 45