The United States has been attempting to strengthen its cybersecurity since at least 1988, when it enacted the first Computer Security Act—replaced in 2002 by the Federal Security Management Act. It sounds great in concept: federal agencies are required to “develop, document, and implement” programs for security management “including those provided or managed by another agency, contractor, or other source.”
How’s it working out?
SolarWinds, a network management software company, was recently discovered to have had malware inserted into its products. Its clients’ systems have been compromised for as long as nine months. Someone—possibly the Russians, possibly the Chinese—has been inside the U.S. Department of Defense, the Department of Homeland Security, the Treasury Department and major American industries. The list gets longer every day.
The U.S. has a cybersecurity industry that costs the government and private companies billions of dollars. But all that is money down the toilet if the entire infrastructure is compromised—which it currently is. Virtually every computer and computer processor used in the United States is, in part or entirely, made in foreign countries, with China directly and indirectly providing 90 percent of the hardware. We haven’t been looking at hardware for possible infiltration, but we should have been.
You may not remember Supermicro, but Amazon does. In 2015, Amazon Web Services was providing a “secure cloud network” for the CIA and other government agencies. Supermicro in San Jose, CA, was a subcontractor that supplied motherboards to Amazon. From China. With extra microchips. After a lot of damage was done, American investigators found that the chips were implanted at the Chinese factory by operatives from a unit of the People’s Liberation Army. Ultimately, investigators found malicious hardware on Supermicro motherboards at more than 30 companies—including Apple. Oh, and did you know that 7 out of 10 smartphones sold in the U.S. are produced in China? The government uses them too.
You can’t build an effective U.S. security system on top of foreign-built computer hardware.
Our adversaries gain significant advantages through hardware and software infiltration alike. They learn how our networks work and how to break them. They capture key technologies they need for their own weapons and identify vulnerabilities in ours. The huge haul of intelligence data gives them information they can barter with their allies. The current wager is that the SolarWinds hack was done by the Russians, but if the Russians want the Chinese to buy more of their weapons, they can throw in a chunk of information about the U.S. Navy’s latest weapons or about how American vaccines work.
In fact, we simply don’t know whether the Chinese and Russians regularly collaborate to rip us off.
But we should.
And it is not just us. Every Western country has been hacked. Even Israel, which is really good at cybersecurity, has been hit multiple times by its enemies, including Iran, which was able to break into Israel Aerospace Elta’s computer system. Elta makes advanced radars that are vital to Israel’s security, powering the Iron Dome, David’s Sling and Arrow air defense systems. Iran targets the U.S. as well.
Congressman Mike Rogers noted in The Wall Street Journal recently that the National Defense Authorization Act contains a provision to appoint a national cyber director to eliminate duplicated security efforts and other cracks in the system. “This goes beyond contracts and purchasing agreements and must include recognition that the nation—private and public sectors—are under attack,” Rogers said.
A cyber director needs a commission with subpoena power, free of political interference, and an investigatory team that can assess technology compromises and be responsible for innovative solutions with the goal of protecting American security and assuring American competitiveness in the future.
Its mandate should include assessing how cybersecurity breaches, including but not limited to SolarWinds, have affected U.S. national security and competitiveness. It must also identify technology losses in industry and government, as well as potential losses in employment in the United States.
But most importantly, a cybersecurity commission should develop and field secure, American-designed and American-manufactured computers and network components, replacing all equipment used by the U.S. government and military, along with sensitive parts of the critical infrastructure. At a minimum, that includes the Departments of Defense, Homeland Security, Energy and Treasury. The overhaul should include hardware, firmware and software, and the new computers must be independent and isolated from the public internet. The new networks should be under security classification, encrypted and compartmentalized to minimize hacking attempts by intruders, foreign or domestic.
Big job? Yes. Can we do it? Yes, and we have to. If we continue as we have since 1988, it is only a matter of time before American defenses go under. It is that bad.