Source codes are the instructions written by a computer programmer that powers its software. It contains all the secret instructions in a program that, if discovered, would enable the software source to be stolen. Any software, from your games to America’s military systems. For decades, therefore, the U.S. government export control system refused to allow software source code to be shared.
Those days are over. Some of America’s top tech companies – including McAfee, Symantec and Hewlett Packard – anxious to make money in foreign markets, have been sharing source code with rival powers including Russia and China. McAfee and Symantec shared anti-virus software, making our armed forces, our strategic systems, our critical infrastructure, and our government even more vulnerable to foreign hacking and penetration. The Pentagon said in a letter to Capitol Hill that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”
Some of this is the fault of our own security planners.
American security has become dependent on what is known in the trade as “commercial off the shelf” (COTS) software and hardware. Most of the software comes from American companies, but that doesn’t mean it is foolproof or that it was made entirely in America or by Americans. A lot of software is built elsewhere and assembled in places like Silicon Valley, and many of the Silicon Valley workers are imported, not necessarily because they are better than Americans, but because they are cheaper. It gets worse: parts of critical software, such as the Windows operating system that is pervasive in the Pentagon and military, is built out of so-called “community-sourced” code, meaning that no one knows who wrote these segments or whether they are safe.
Hardware is a different, and bigger, headache. Most cellphones and computers are entirely manufactured abroad, mainly in China, or their vital components and systems are produced outside the United States. Sometimes the parts are produced by American-owned companies, but not always. Consider Apple (now in the process of moving investment and jobs back to the United States): it produces the iPhone in China in a large complex owned by Hon Hai Precision, a Taiwanese conglomerate also called the Foxconn Technology Group. Foxconn sources components from other Chinese companies, and of course all the workers are Chinese.
Many world leaders use iPhones. (Former Secretary of State John Kerry was an aficionado.) In a discussion with the Department’s technical gurus about a phone with a secure operating system, they were sympathetic, but said there was no hope of getting Mr. Kerry to give up his iPhone. Angela Merkel, Nicolas Sarkozy, Silvio Berlusconi and other foreign leaders use Chinese-origin cellphones and their staff does too. Despite the known security issues, it wasn’t until a few weeks ago that the White House finally banned personal cellphones from the complex. The president himself was only reluctantly separated from his Samsung 3 — his tweeting device.
Modern weapons systems also depend on equipment and software made in China or are vulnerable because source codes have been shared or developed abroad. A lot of it is really old software. Obsolete and vulnerable operating systems often are planted inside embedded computers buried inside weapons and command and control systems. There is no way to fix them and half the time no one even knows what is actually there. Instead of a label that says “Intel Inside,” maybe a better one would be “Spy Inside.”
The government approach to all this is to try to fix the commercial off the shelf systems and software it originally bought on the cheap. Billions are being spent, but attacks on computer networks and cellphones by foreign and domestic sources continue to rise exponentially and are all but out of control.
In 2015 nearly one million new malware threats occurred every day, both in the government and outside. It’s bad enough if they attack your games or even your e-mail, but when the government uses publicly available, unmodified products for national security purposes the result can be catastrophic. Our national security systems have been deluged by cyber attacks, many of them highly successful.
China is flying a stealth aircraft, the J-20, which almost certainly is a copy of the US F-22. China’s emerging J-31 stealth fighter is a copy of the F-35. How did it happen? China stole gigabytes of F-35 plans from Lockheed Martin’s computer data banks. To be clear, Lockheed has one of the most sophisticated cyber defense programs in the business, but it still suffered massive losses. The $1.5 trillion we will invest in the F-35 program is being shared for free with China, diminishing the value of the plane and exposing its secrets, and giving the Chinese a potent military tool to use against their enemies.
Plowing money into so-called cyber defense is a wasted and failed effort. The IT infrastructure that underpins national security needs to be replaced. The government urgently needs a replacement plan – a secret Manhattan Project for Cyber Security. Just as we developed the atomic bomb in a secret program using brilliant scientists and engineers, a cyber security program to replace all the commercial hardware and software with secure, secret systems is absolutely a requirement for us to avoid a disaster well along in the making.