Electronic Weapons: Vulnerabilities Without End


July 4, 2021: Several years ago, in response to staff complaints, the CIA decided to replace its custom-made encrypted fax machines with an encrypted email system called Gray Magic. The encrypted fax machines were mainly used by the CIA to communicate with its many contractors who developed and produced new equipment. While these special fax machines were secure (difficult to intercept or decode) they were clumsy to use, especially once consumer and commercial email systems appeared that let users easily share information and thereby speed up and improve the development process. As CIA and contractor personnel became familiar with these “collaborative email systems” they began to demand a new secure communications system to replace the secure but clumsy fax terminals.

The CIA has always been more careful, and more successful, than most agencies in its use of the Internet and wireless communications, both of which are vulnerable to hacking. For a long time CIA headquarters had no outside Internet connection and moved data internally via “sneaker net”, which meant walking a disk, tape or USB stick full of data to another department. The CIA, unlike most other government agencies, paid attention to commercial firms (like financial institutions) that were notably successful at maintaining secure communications. These firms were not about to share the details of their systems with the CIA or any other government agency, since the commercial sector was more effective at developing and maintaining secure systems and treated that as a competitive advantage. They were, however, willing to share basic concepts and opinions on who the reliable vendors of secure communications were. The CIA did not have the budget to develop financial-industry-grade secure systems across the board, but it could periodically get the money for key systems. That is how the secure fax came to be, as well as its replacement, Gray Magic.

Secure electronic communications have been a problem for over a century and became a critical one during World War II, when the need for rapid upgrades to encrypted communications systems became vital. Another period of major vulnerability arrived once the Internet was widely adopted at the end of the 20th century. During World War II the Germans and Japanese did not keep all their encryption systems up to date and suffered major losses as the Allies quietly decrypted their secure wireless messages. This was kept secret for several decades after the war because the decryption race continued into the Cold War (1947-91) with Russia and the other communist states. After the Cold War ended, the Internet and a new Cold War with China showed up. The competition for secure communications continues.

Some old problems lingered. Despite the fact that the U.S. Department of Defense is the biggest customer for major software publishers (like Microsoft), some parts of the military refused to heed advice to upgrade their key software, and the resulting problems eventually became news. For example, in 2015 the U.S. Navy revealed that it was paying as much as $30 million for extended security patches covering about 100,000 older PCs still running Windows XP. At the time XP was a nearly fifteen-year-old operating system, and it was still in use along with supporting software of the same vintage like Office, Exchange and Windows Server, despite the fact that Microsoft had given years of warning that, because of age and vulnerability issues, it would stop supplying critical security patches unless users paid for them. Even then the security was not as good as it is for current versions of those products. The navy had several reasons for not upgrading these older PCs. Some ship and shore systems had been certified with specific software versions, and upgrading the operating system meant re-testing, and in some cases redesigning, equipment to accept the new hardware needed to run a more demanding operating system. There was also political and bureaucratic interference with upgrades. It should be no surprise that this happens. Note that many commercial firms were still using XP, often for similar reasons.

Meanwhile the major software publishers offer special deals for continued tech support to major customers and the Department of Defense often takes advantage of them. For example, in 2012 the Department of Defense made a deal with Microsoft to obtain Microsoft products (operating systems and apps) for some two million military users, mostly in the army and air force for about $100 a year (for three years) per user. This is a typical software licensing deal for large organizations like major corporations. The Department of Defense can also get special modifications to software they buy in large quantities.

The military realized it would have to spend more attention, and cash, on smaller computers, but by 2015 it was using more of both the larger (desktop and laptop) and the handheld computers. Currently the most widely used computers are smartphones and “ruggedized” tablets.

While users (including military ones) were already shifting to smartphones for most of their computing needs, desktop and laptop PCs still do most of the work in the military. At the beginning of the 21st century the operating system of choice was Microsoft Windows, which then had about a 90 percent market share. By 2015 you had to count smartphones and tablets as well, and Windows ran a shrinking share of all small computers (desktop, laptop, tablet, smartphone); on handhelds the split was over 80 percent Android, most of the rest Apple iOS, and a few percent for others. This trend really got going after 2007, once modern smartphones and then tablets became available. Hacker and Internet-based crime is also shifting from Windows to Android and iOS devices. The military is working hard on providing better security for these handheld computers but still faces its greatest vulnerability on Windows systems.

In the past the U.S. Department of Defense often created custom versions of Windows and installed their own automated security features and automatic software updating systems. The reason for all this is that the Department of Defense cannot attract a sufficient number of qualified security experts. The military has to compete with the commercial sector for these scarce security personnel and, with the general shortage of such people, government pay and benefits cannot compete. But the government does have other resources, which make it possible to develop custom automated security systems.

For example, the NSA (National Security Agency) worked with Microsoft on security aspects of Windows 7, 8, 10 and 11. This was nothing new. Earlier, NSA worked with the U.S. Air Force and Microsoft to develop a special version of Windows XP, one that had over 600 operating system settings shut down or modified so that hackers had a harder time penetrating air force network security. Some of it was simple stuff, like ensuring that the highest-level password (the admin password, which gives you access to everything) can never be the same as a lower level (user) password. The system was also modified to have passwords expire every sixty days, forcing users to create new ones.
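The hardened XP build described above boiled down to a long list of operating system settings that had to match a baseline, and the same check is still how such a build is audited today: export the machine's security policy (on Windows, `secedit /export /cfg out.inf` writes it as an INF text file) and compare it against the required values. The script below is an added example, not code from the article, the NSA or the Air Force. It parses a constructed sample of that INF format and audits it against a hypothetical baseline whose values (sixty-day password expiry, minimum length, lockout threshold) are assumptions for illustration, not any official configuration.

```python
"""Audit a Windows security template (the INF text that `secedit /export`
produces) against a hardening baseline.

Added example; not from the original article or any DoD/NSA configuration.
The baseline values are assumptions for illustration, loosely modelled on
the password rules the article describes (sixty-day expiry). The sample INF
text is constructed, not captured from a real host.
"""
import configparser

# Constructed sample of a (weak) exported policy, shortened to the keys we check.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample that satisfies the baseline below.
HARDENED_INF = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
EnableGuestAccount = 0
"""

# Hypothetical baseline: (section, key, operator, required value).
# A key may appear twice to express a range (LockoutBadCount: 1..10).
BASELINE = [
    ("System Access", "MaximumPasswordAge", "<=", 60),   # rotate at least every 60 days
    ("System Access", "MinimumPasswordLength", ">=", 14),
    ("System Access", "PasswordComplexity", "==", 1),
    ("System Access", "PasswordHistorySize", ">=", 24),
    ("System Access", "LockoutBadCount", ">=", 1),       # 0 means "never lock out"
    ("System Access", "LockoutBadCount", "<=", 10),
    ("System Access", "EnableGuestAccount", "==", 0),
]

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def parse_template(text):
    """Parse INF-style policy text into {section: {key: raw_value}}.

    Key case is preserved (configparser lower-cases by default) and
    interpolation is off because values such as "$CHICAGO$" contain '$'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def load_template(path):
    """Read a real `secedit /export` file, which is written as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def _as_int(raw):
    raw = raw.strip().strip('"')
    try:
        return int(raw)
    except ValueError:
        return raw


def audit(text, baseline=BASELINE):
    """Return a list of (key, observed, required) for every rule that fails."""
    template = parse_template(text)
    findings = []
    for section, key, op, want in baseline:
        raw = template.get(section, {}).get(key)
        if raw is None:
            findings.append((key, "missing", f"{op} {want}"))
            continue
        got = _as_int(raw)
        # secedit encodes "password never expires" as -1; a naive "<= 60"
        # check would pass it, so treat -1 as infinite age.
        if key == "MaximumPasswordAge" and got == -1:
            got = float("inf")
        if not isinstance(got, (int, float)) or not OPS[op](got, want):
            findings.append((key, got, f"{op} {want}"))
    return findings


if __name__ == "__main__":
    for label, inf in (("weak sample", SAMPLE_INF), ("hardened sample", HARDENED_INF)):
        print(f"{label}:")
        for key, got, required in audit(inf) or [("(no findings)", "", "")]:
            print(f"  {key}: observed {got}, required {required}")
```

On a live machine you would replace the constructed strings with `audit(load_template(r"C:\temp\out.inf"))`. The -1 special case is the kind of detail that makes or breaks such a check: a policy that never expires passwords is the worst case for a sixty-day rule, yet a plain numeric comparison would report it as compliant.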

The military has another advantage in that it can impose more discipline on how its personnel use their PCs and networks. This makes it easier to build in additional security features and regularly update them. The big weakness of Department of Defense networks is their exposure to the Internet, which is awash in hackers and malware (software that infiltrates PCs and steals or destroys data). One solution has been the establishment of two large networks that use Internet protocols but are closed to civilian users. NIPRNET (Non-classified Internet Protocol Router Network) is the military network connected to the Internet and has over three million hosts. Although unclassified, NIPRNET carries a lot of logistics traffic (supplies, including requests for them) and personnel data (addresses, phone numbers, even credit card numbers). Separate from NIPRNET is SIPRNET (Secret Internet Protocol Router Network), which carries classified traffic up to the Secret level. This net is not connected to the Internet and encrypts its data. This network is rarely attacked and penetrations are few, if any. Even public discussion of SIPRNET attacks is classified.

The Department of Defense imposed similar controls and security features on its new smartphone operating system, initially an NSA-tweaked version of Android. But the major security vulnerability remains the leadership, since many commanders and civilian executives in the Department of Defense still have to order those upgrades to be performed. The Department of Defense was urged to adopt a system where security and other upgrades are automatically “pushed”, meaning installed without intervention by local users or commanders. There is a lot of resistance to this, as many commanders and civilian managers do not want to surrender any control.

It has been difficult to get network users to accept, and act on, the fact that any secure communications system has a short shelf life and must be upgraded regularly, and often, to remain secure.