Information Warfare: The Lockdown


May 7, 2009: The U.S. Air Force, long a leader of an effort to use standardized, more secure, versions of the Windows operating system, has persuaded the publisher, Microsoft, to provide a customized version that has over 600 operating system settings shut down or modified so that hackers have a harder time penetrating air force network security. Some of it was simple stuff, like ensuring that the highest level password (the admin password, which gives you access to everything) can never be the same as a lower level (user) password. The system is also modified to have passwords expire every sixty days, forcing users to create new ones.

Standardized settings for so many features prevents combinations of settings that often let hackers gain access. Until now, the air force had its personnel manually configure Windows for security, but this was expensive (costing $20-30 million a year) and used up the scarce time of skilled network specialists. The air force spent four years of planning, analysis, testing and experimentation to determine what features should be disabled, or, if used, how they should be set up. This is the configuration that Microsoft implemented in the special air force version of Windows. In addition, the air force had Microsoft add automatic patching (which is already an option in Windows) and a system that set off an alarm if someone tried to install a patch manually (something that hackers do). All this means that the air force copies of Windows will be updated with 72 hours, instead of 57 days now (and that's for emergency patches.)

In addition to the savings of time for air force network administrators, the air force expects 40 percent fewer calls to help desk personnel. From now on, anyone selling computers to the air force, will have to preload the machines with the air force version of Windows XP. When the new configuration was tested, it blocked 85 percent of attacks.

The other 15 percent of attacks that succeeded were often the result of unpatched software bugs that enable a hacker to gain access to a computer they are not supposed be in. Not all vulnerabilities are equal. Some are much more valuable than others. Commercial Internet security firms offer rewards to people (usually software engineers who spend too much time on the Internet) who first discover a "zero day vulnerability" (this is a bug that has not yet been put to use by a hacker to create a "zero day exploit.") The rewards can sometimes exceed $100,000. The commercial security firms, which provide services for corporate and government clients, offer the rewards openly. There is a more lucrative underground market, financed by criminals and some governments, that offer even larger rewards.

The commercial firms get after the software publishers to fix the bugs, but they have noted that this often takes months, or years. The publishers know that every time they open their source code to repair something, there is high risk of creating more bugs. Moreover, it's expensive to fix the bug, test the patched software, and then distribute it to their customers. Thus, unless the bug is highly likely to be exploited, it is not attended to right away. The problem with this approach is that the software publisher may not be aware of how exploitable the bug is. Criminals and Cyber Warriors have an interest in finding ways to exploit bugs that appear relatively harmless. That turns the bug into ammunition, for the Cyber War, and a way to make money, for the criminals.

In preparation for a Cyber War, ammo supply is critical. Put simply, whoever has the largest number of vulnerabilities (unpatched, of course), and has turned them into exploits, will win. There's a lot of evidence that the United States and China have both compiled large arsenals, and tested a lot of their stuff. Other countries are players as well, but the U.S. and China appear to be the superpowers of Cyber War. The new air force configuration renders many exploits unworkable, or much less likely to work.

The air force will eventually switch to Windows 7 (to be released this year), and will have a locked down configuration of that as well. The other services, and probably all U.S. government users, are likely to switch to the air force configuration, as all military users have a need for this kind of security. As has happened so often in the past, the air force has taken the lead in this aspect of computer and network security. The  U.S. government is the largest single computer user on the planet (over 10 million users and nearly 20,000 networks), and is not nearly as secure (in terms of Internet vulnerability) as most large corporations. Currently, the government is spending several hundred million dollars a year just responding to computer security problems. The air force operating system configuration could save over $100 million of that cost, while also greatly reducing the number of hacker penetrations.

An additional savings is more subtle. Currently the government has an acute shortage of computer specialists (network engineers and programmers who can find and patch problems). Commercial firms pay better than the government can. Even when the government trains its own specialists, these are often hired away by commercial firms. To cope with this, the government hires thousands of civilian contract programmers and engineers at very high rates. This is not a perfect solution, and the government computer systems are still much more vulnerable than politicians will admit (or, in many cases, are even aware of.)




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close