2022/08/27

IT security for real

.

Imagine your country's economy can be switched off by another country. Further imagine that also much of private life can be switched off by another country. Let's say that other country has half the voters flirting with fascism. Would you feel that this is an existential threat to your country and its sovereignty?

Well, we're de facto living this nightmare already.

- - - - -

Every autoupdater for software is technically a backdoor through which the software company can change software on your computer.

Every operating system with an autoupdater function (hidden or overt) can take over the entire computer with ease, unstoppable by all security features. The same applies to server software.

Example: Microsoft could - compelled by the U.S. government or on its own - switch off the economy of Europe with malicious non-optional updates for the Windows operating system and the Windows server operating system. The latter could even erase most backup data. Operating systems can also permanently damage the computer hardware, turning a data loss into a catastrophic nationwide loss of computers.

I consider this an unacceptable vulnerability for government and economy, and very undesirable for the private sector.


To increase the robustness of a nation against such an attack is simple; move from trusted software to trustworthy software.

It would be easy to mandate that no federal government institution is permitted to purchase or install software that's not on a whitelist without a temporary waiver by a properly staffed and competent agency. The whitelisted software would all be certain open source software. Open source (source code visible to the public) alone is not good enough. You also need proper audits of the open source code, timely audits for patches, a regime how to handle extremely urgent hotfix patches and the audited and later not manipulated source code either has to be compiled directly or the installation-ready version has to be available from a secure and trustworthy source. For-profit software providers (this is feasible with open source software in some ways) would have to pay for the thorough security audits. This would incentivise them to create lean code (for cheaper audits), and lean code can more easily be kept safe than bloated code anyway.

This would effectively lead to offices running Linux and OpenOffice rather than MS Windows and MS Office. Both are available for free and would even save the government much money.

This IT security regime could diffuse to state governments and be extended (with enforcement) to selected businesses such as hospitals, infrastructure providers and arms industry. Further incentives to harden the economy against catastrophic IT sabotage could be non-mandatory and still effective, such as making companies liable in court for damages caused to others by their non-secure IT. This also includes liability for damages when you use outdated software commercially.

The multinational level (EU) can go even further, and force suppliers of software that runs on non-secure operating systems to offer a no higher-priced and no worse version of their software for a whitelisted operating system. This would help private users to migrate to secure operating systems and secure applications.


Likewise, hardware may be extremely insecure. It's very difficult (=expensive) to look into the logic of chips. Yet chips and other electronics components (which may include chips without seeming to do so) are a severe security hazard themselves. They may have non-removable functions that compromise security.

To increase the robustness of a nation against such an attack is simple; move from trusted hardware to trustworthy hardware.

This is less practical than with software, but at least critical government departments (including the military) and critical businesses (especially infrastructure providers) could move to whitelisted hardware, for which design plans are known and which has been produced in a trusted place (for Germany this would be Germany, for Luxembourg this would be most EU countries) based on those design plans. It's acceptable to lag behind in performance by a few years, most government computers do so anyway. The trusted production facility would thus not require the newest chip manufacturing technology. Again, a 100% implementation of such a security regime would be impossible. There would again be a need for an authority that can and does give temporary waivers, but not too liberally so.

- - - - -

Next, encryption should be mandated for many activities, and this encryption should be based on a preferably quantum-proof encryption developed without interference by government spy agencies and their helpers. I mean encryption without intentional weaknesses. Furthermore, certain particularly sensitive communication (and archives) should feature one-time-pad encryption, which simply cannot be broken if done right. To establish such encryption standards and to enforce them through outlawing products that are in violation (with sellers forced to reimburse buyers fully), through inspections and fines and through legal liabilities would be feasible on the nation-state level.

- - - - -

The EU's talk about digital sovereignty is largely bollocks. They do so very little about security issues (and in fact multiple governments in the EU keep weakening security in order to be able to spy more easily themselves) that I have but one conclusion; their real motivation is not "digital sovereignty" or IT security, it's to deny the rent-seeking American software companies dozens of billions of turnover and profits. It's more of a transatlantic economic policy wrestling than an IT security initiative.

The EU might achieve all it wants to achieve with its "digital sovereignty" stuff and in the end MS could still switch the European economy off, and not just for a few days or weeks.

 

No invisible hand of markets establishes satisfactory IT security. We would require decisive action by politicians, and this is very largely (the software & encryption facets) feasible on the national level.

 

S O

defence_and_freedom@gmx.de

.

13 comments:

  1. idk about the rest but there is 1 big issue i see:

    A lot of critical software only runs on old versions of windows. It would be incredibly expensive & disruptive to rewrite it all. To the point that windows XP is still paid for by governments to be maintained in order to keep them from having to go through the pain of updating the software.

    ReplyDelete
    Replies
    1. I wrote "(...)no federal government institution is permitted to purchase or install(...)" for a reason.

      Delete
  2. @SO What is your view on using public cloud providers like AWS and Azure in this IT Security Context?

    Is Microsoft Azure Germany isolated enough in your eyes from US political pressure?
    https://docs.microsoft.com/en-us/previous-versions/azure/germany/germany-welcome

    Much of modern business IT is migrating to the Cloud, to be able to provide a higher quality service for less maintenance effort. Being able to focus more on the business logic instead of also maintaining infrastructure which is then outsourced to those public cloud providers.
    Migrating back to running their own servers and possibly having to write new software to replace the use of some complex cloud services would be a huge challenge. If that was necessary.

    A lot of government software bloat, is also the result of complex features due to complex laws that regularly change. Just think of tax laws that might change every year.
    If tax laws could be drastically simplified and be more predictably changes, this could allow much easier modernization. This is probably not realistic, the process for making tax laws don't take into account software implementation and architecture as a priority.

    Having better and cleaner data on the other hand, could result in opportunities for commercial profitable products. Using data actually as "the new oil". This could even overcompensate for the modernization costs if managed correctly. Instead of treating government IT just as a money sink. This does necessitate prioritizing data first, instead of "IT/applications first".

    Profitability would really help in making IT Security more practical and realistic.

    A too efficient system might on the other hand also encourage the implementation of some social credit system, so that is undesirable as well.

    ReplyDelete
    Replies
    1. Cloud computers are by definition not trustworthy. You could send properly encrypted data to or through cloud services (with the key unknown to the cloud service provider), that's all.

      Proper business economics knows implicit costs, which includes risk -related implicit costs. Insecure is usually not cheaper, it's just looking cheaper.

      Delete
    2. Given the fact that encryption (and decryption) technology and standards evolve with time I find that approach lacking because secure encryption today could be vulnerable in some years even discarding cutting edge technologies like quantum computing.
      Even a secure encryption technology could have some hidden backdoor or unkown vulnerability.

      JM

      Delete
    3. One time pad encryption is safe if done properly.
      Other encryption has to go with the times, so software-based encryption should be possible.

      The absence of perfection is never a good reason to reject an improvement.

      Delete
  3. You described basically the running policy of the Chinese government as what should be done. BTW> They have an implementation deadline until 2023.

    ReplyDelete
  4. The city of Munich started using Linux in 2009 but then problems with the application of the software arose, which led to the cancellation of the project in 2017 and switching to Microsoft again.

    What is your take on that? Was it just a good idea badly implemented or are there inherent issues with using open source software for public administration?

    ReplyDelete
    Replies
    1. I read something about the issue some time ago.
      I can remember that apart from the fact that this approach to IT requires a great deal of work both in training and development there wasn't many more true problematics.
      From what I recall the cancellation of the project was related to political changes (maybe with help of known software providers) instead of technical issues.

      JM

      Delete
  5. The Fujitsu computer factory in Augsburg suppied the hardware for much of our administration, but was closed a few years ago, because they weren't profitable. How would that change for a restart?

    ReplyDelete
  6. This EU IT laws are against human rights and liberties

    ReplyDelete
  7. YESSSss.

    Btw, we don't need to change overnight.
    All those schools teaching tablets and computers in windows environment? Swap to Linux. 12 years later, kids leave school with linux as their obvious choice of OS.
    Could make an EU-Linux distribution, because otherwise I fear linux may be vulnerable too.

    ReplyDelete
    Replies
    1. I had Linux on a work computer for a while. Normal user-level stuff can be done by someone used to Windows without any introduction.
      Troubleshooting and changing settings requires acquiring new knowledge and takes a couple hours.

      A more obvious choice for preparing the next generation would be to mandate that all PC and console games sold on the EU markets need to be equally compatible to Linux + IBM compatible. ;-)

      Delete