Saturday, January 07, 2017

Cyber Security



Given the current brouhaha over the possibility of Russia trying to influence our recent presidential  election using computer hacking, it seems appropriate to shine a light on this subject. Please note that, although I have no deep expertise in this subject, I am not a complete neophyte either. I was involved in a Data General Corporation development project were computer security was a key element. And so, I have concluded that there is no such thing as complete cyber security. It all depends upon the amount of push back against possible breaches. If we need any example of same, point to Edward Snowden who, in order to teach the world about how we are being spied upon by our government, naively gave troves of invaluable information to those who would harm us. This breach was accomplished not over a communication connection but by using tiny portable flash drives that can store multiple gigabytes of data.

Many years ago when time-sharing computing was in its infancy, I concluded that, if a computer had a connection to the outside world, it was by definition compromised. Then came the personal computer whose operating systems developers, mostly Microsoft, left data security out of their designs for expediency (and profit) sake ... and because connecting these "personal" computers was thought anathema. Personal computers didn't take long to kill the economic advantage of time-sharing and thus kill this technology. And then came the Internet with almost universal connectivity ... an opening a mile wide for cyber security breaches. Now, the advent of the "cloud" makes the protection of remote data storage and processing even more vulnerable, albeit convenient.

So what steps can be taken to start to protect today's electronic devices from these data piracy threats? Here are just a few:

- Develop the ability to isolate various levels of network interconnectivity. China already has the ability to cut off its entire national network from the rest of the world. Clearly this capability should be available to the U.S. as well as other sub-sectors of the Internet. It would seem to me that those providing networking hardware and software such as Cisco Systems could find a ready market for such a rigorous and scalable capability which might be automatically triggered by 'denial of service' attacks.

- In particularly sensitive applications, install computers that have no ports through which data can be offloaded onto any external storage device.

- Move all critical operating system components to microcode or even hardware which cannot be accessed anyway but through physical access to the computer ... and physically secure such access as one would a vault. Other O.S., interface and even some application code should be located in memory which generates a default if any changes are attempted to the bit structure. Action taken on such a default would be under the the control of the system administrator.

- Encrypt all sensitive data and applications with software whose keys vary in length with the degree of sensitivity of what is to be encoded. But don't assume any encrypted information cannot be decoded unless a truly randomized one-time pad is used.

And I'm sure other more sophisticated steps are possible. However such cyber security is expensive in both money and computer performance terms. But we are rapidly reaching the point were such costs can and need to be borne.

No comments: