By Dan O’Dowd, CEO of Green Hills Software
Many people have called me an alarmist for saying that the spread of Linux through defense systems is an urgent threat to national security. They ask: “What is the big problem? Sure there are plenty of malicious hackers releasing worms and viruses on the Internet bringing down Linux systems, inserting keystroke loggers on computers to steal passwords and credit card numbers, and lots of other mischief, but what does that have to do with national security?”
Many major defense programs are planning to rely on Linux for their security, including the Army’s Future Combat System (FCS), the Land Warrior, and the Global Information Grid, which will connect all future military systems into a single network. If the security of these systems is compromised, there will be dire consequences.
Foreign Intelligence Services Will Compromise Any Defense System that uses Linux
If it is easy for a bunch of juvenile delinquents to find and exploit Linux security vulnerabilities in their spare time, imagine how easy it is for foreign intelligence agencies and military services with huge budgets, buildings full of computers, and armies of dedicated full-time Ph.D.s to exploit security vulnerabilities. The difference between the cyberattack capabilities of foreign governments and the capabilities of the “script kiddies,” who so frequently disrupt computer networks, is the difference between an armored division and a gang of juvenile delinquents. According to Vince Cannistraro, former director of counterintelligence at the CIA, "China is developing a cyberattack capability… to be used in case of war." Many other countries have similar programs to exploit our critical dependence on computer systems and networks.
The movement to the Global Information Grid will make our entire defense system dependent on computer networks. National security will be completely dependent on the security of the operating systems that run the computers that constitute the Global Information Grid. If we use the same operating systems for the Global Information Grid that high school students can hack into in their spare time, we must expect that the Global Information Grid will be easily hacked, spied on, disabled, and commandeered by those who are determined to harm us.
When juvenile delinquents find a vulnerability in Linux they create viruses and worms to exploit the vulnerability. They measure their success by the scope of the disruption they cause. The disruption causes the Linux community to develop a patch for the vulnerability. But foreign intelligence and military services do not announce their success when they compromise one of our systems. They secretly collect data, passwords, encryption keys, military plans, intelligence assessments, force deployments, security arrangements, and the latest weapons technology. The Linux community won’t develop a patch for a security problem until some juvenile delinquent discovers it and exploits it to cause widespread disruption. When a foreign intelligence agency or military service finds a previously unreported vulnerability with their superior resources, they silently compromise Linux systems all over the world for months or years without anyone noticing until some amateur finds and exploits the vulnerability. After a foreign intelligence agency or military service compromises one of our systems, they install a back door so that when the vulnerability that they have exploited is eventually patched, the system will remain compromised. Every infected system is used to silently infect the systems to which it is connected by exploiting the trust that those systems place in the infected system. Once an attacker is inside the network, silently compromising the rest of the installation is usually easy.
Security Patches Guarantee Insecurity
Many people argue that having source code for the operating system that they use makes it easy to install patches when security vulnerabilities are found. But this argument implicitly acknowledges that so many Linux security vulnerabilities occur so often that the efficiency of installing patches is an important issue!
The issuance of a security patch for a vulnerability means that for months or years the system has been vulnerable to an easy attack. At every moment in time, every Linux system in the world can be spied on, disabled, or commandeered by an attack that exploits any of the vulnerabilities that will be fixed by future security patches. The need for frequent security patches proves that a system is always vulnerable to easy attack and subversion.
It is frightening to think that our national defense might become dependent on Linux systems that are always vulnerable to easy attack and subversion. When war breaks out, the enemy will immediately deploy cyber attacks and activate back doors that they have spread throughout our systems when they were vulnerable. All of the vulnerable systems and all of the systems that were compromised while they were temporarily vulnerable will go out of service or be commandeered by the enemy. We will be defenseless.
What we need for critical defense systems is software that is secure all of the time: systems that never need to be patched. We need operating systems that are proven secure by mathematically sound methods such as the Common Criteria Evaluation Assurance Level 7 (See Part I of this series of white papers). Our systems must never be vulnerable. Just one moment of vulnerability, before a patch can be applied, is enough time for a patient attacker, waiting for the moment to strike, to get inside a system and install a permanent back door that will survive the patch that removes the vulnerability. Our defense systems need an operating system like Green Hills Software’s INTEGRITY real-time operating system whose security can be mathematically ensured at all times without any need for patches.
The 9/11 terrorist organizers had creativity, patience, and a desire to kill as many people as possible. The terrorists’ success and their continued ability to evade capture provides an example and encouragement to others. We must not turn our national defense over to Linux or any other operating system that is vulnerable to easy attack and subversion at all times. The 9/11 terrorist organizers, and all those whom they have inspired, are still out there, and they are still creative and patient. And if we make our national defense easy to attack, they will kill a lot more people. If Linux is deployed in critical defense systems, the result will be catastrophic.
Our Enemies Will Compromise our Defense Systems if We Use Linux
Some people say my concerns are unfounded. They say no one is intentionally inserting malicious code into software that they know is going to be used in military systems or critical infrastructure. Who would do such a thing? Who would even think of doing such a thing? We would. And we did it. And we are proud of it according to a CIA website. In the early 1980’s, thanks to French intelligence, the CIA penetrated a massive Soviet intelligence operation to obtain technology from the West. The CIA intentionally fed phony technology to the Soviet Union through this channel to disrupt Soviet attempts to modernize their military and civilian infrastructure.
The CIA had a program to insert Trojan horses and back doors into software that the Soviets got from the West. One exploit was recently recounted by Thomas Reed, former Secretary of the Air Force and a member of President Reagan’s National Security Council, in his book, “At the Abyss: An Insider's History of the Cold War.” In the early 1980’s, the CIA inserted a Trojan horse into a Canadian company’s pipeline control software that the CIA knew the Soviets were planning to use to control the trans-Siberian gas pipeline. The software worked fine for a while – just long enough for it to pass its tests. But after the software was running the pipeline, the CIA Trojan horse took over, raising pressures to unsafe levels. The stress on the pipeline eventually resulted in a massive three kiloton explosion. By the late 1980’s, the Soviets came to realize that much of the software that they had gotten from the West had been sabotaged by U.S. intelligence agencies.
It is incredibly naive to believe that no other country would take an easy opportunity to sabotage our military systems or critical infrastructure when we have been doing the same thing to them for over twenty years!
The Threat to National Security Posed by Using Linux in Defense Systems is Urgent
Many people believe that the threat to national security posed by using Linux in defense systems is not urgent because Linux security is better than any alternative. But Part III of this series of white papers shows that Linux is even less secure than Microsoft Windows, which most open source advocates would probably agree is not secure enough for defense applications. For example, the U.S. National Institute of Standards and Technology (NIST) security vulnerabilities database lists more vulnerabilities for Linux than Windows in every one of the last ten years.
The alternative to Linux for defense systems is not Windows. Part I of this series of white papers shows that the only safe operating system for defense systems is an absolutely-secure totally-reliable real-time operating system, such as INTEGRITY-178B, which has been approved for the highest levels of safety by the Federal Aviation Administration and which meets the requirements of the NSA’s most stringent security standards.
Many people believe that the open source process will detect any attempt by intelligence agents to insert back doors, Trojan horses, or other malicious code into Linux. But Part II of this series of white papers shows that it is ridiculous to believe that the many eyes looking at Linux source code will find all of the malicious code cleverly hidden in the Linux source code by foreign intelligence agents, when they can’t even find the thousands of bugs accidentally left lying around in the code by honest contributors every year.
People are choosing Linux for use in defense systems because they have heard that Linux is more secure and less expensive than any alternative operating system. Nothing could be farther from the truth. Part III of this series of white papers shows that the severe security and reliability problems of Linux are systemic and cannot be fixed, while Part IV of this series of white papers shows that the total cost of using Linux in a defense system far exceeds the cost of using an absolutely-secure totally-reliable operating system, such as INTEGRITY.
The urgent threat to national security is that defense systems may soon be using a hopelessly insecure operating system with thousands of bugs that will inevitably lead to a national disaster, when absolutely-secure totally-reliable operating systems are available that will ensure national security.
Linux is Spreading Rapidly through our Defense Systems
One reason that Linux is spreading so rapidly through our defense systems is that it is much easier to acquire than proprietary software. The bureaucratic hassle involved in acquiring proprietary software can be substantial. In order to use proprietary software, the purchase must be budgeted and a purchase requisition must be approved. Then the legal department must negotiate the license agreement with the vendor. This can extend the process even more. On the other hand, Linux bypasses all of the purchasing, legal, and security procedures because it can be freely downloaded from the Internet without the need for a budgetary adjustment, a purchase requisition, or legal review.
A recent two week survey by MITRE found 251 deployments of Linux and other free and open source software in the Department of Defense. Linux is being considered for many more defense systems. For instance, the Linux community has widely disseminated an article in National Defense Magazine, November 2003, that quotes Army Lt. Col. Dave Gallop, program manager for the Army’s Land Warrior as saying, “We are moving in general to where the Army is going, to Linux-based OS.” The Linux community has also often referred to a Boeing website for Future Combat. The question “What Operating System will FCS use? Windows? VX Works? Lynxos? Linux? Other?” is answered with “FCS C4ISR has selected the Linux OS.”
We Must Act Now to Stop the Spread of Linux through our Defense Systems
It is not yet too late to prevent Linux from compromising national security. So far, Linux has only been deployed in a few defense systems, but its use in the development of new defense systems is spreading rapidly.
We must act quickly to move the development of new defense systems off of Linux. Early in the development phase, it is not difficult to port software from Linux to an absolutely-secure totally-reliable POSIX compliant operating system, such as INTEGRITY. But as development proceeds, it becomes increasingly difficult to switch operating systems without impacting schedules. There will come a day when the bureaucrats will decide that keeping to the schedule is more important than building a secure system. That is when we are all in real trouble. That is why we must act now. If that makes me an alarmist, we need more alarmists.
The only thing necessary for the triumph of evil is for good people to do nothing.
