Archive for December, 2008

Microsoft hacked—“Déjà vu all over again”

Friday, December 19th, 2008

As Yogi Berra once remarked, “Déjà vu all over again.”

This week Microsoft announced that hackers have found a serious security flaw in its Internet Explorer browsers. The security gap allows a hacker to take control of someone’s computer and steal the victim’s passwords—presumably they could take any other sorts of data if they wanted to by just changing what the trojan was designed to go after. Already some 10,000-plus websites have been compromised by the trojan. Of course, Microsoft went to work to quickly find a patch to the gap.

However, as the Institute has repeatedly said, this game of “hatch and patch” is a losing proposition.

First, in the same moment that Microsoft was hard at work looking for a patch, the hackers were off looking for a new vulnerability. Microsoft has a lot of very smart employees, but there are vastly more equally smart, highly creative hackers, criminals and spies out there bombarding these systems. When the Russians launched coordinated cyber war against Georgia in 2007, the Georgian systems were hit with attacks from over a million computers, the largest in the 20GB to 40GB range. Given present systems, no nation can defend against an attack of that magnitude—and certainly no company can.

Second, we can only fix that which we know is broken. For every hack we find there are untold numbers of penetrations that are so skillfully done that they remain unseen, unknown. Some botnet hacks today are so sophisticated that, after they get in, they quietly close the door behind themselves—at once reducing the chance of detection and ensuring no other hacker can wrest control away.

The Microsoft attack is especially disturbing because of the size of the flaw, the magnitude of the penetration, and the sweep of the global IT infrastructure that was compromised—and even more so the still larger reach of systems that were put at risk.

Microsoft’s technologies are so ubiquitous that any major vulnerability in its systems raises the potential for a catastrophic attack. A great percentage of our government’s critical systems are Microsoft based. The overwhelming majority of IT systems within critical infrastructure companies are Microsoft based. The list goes on and on.

The media reports are that this time the hackers were just out to steal gaming passwords. Lucky us. What if their purpose was more nefarious? What if they took banking and finance passwords and used them to pilfer billions upon billions of dollars from millions of people? Our economy is already on shaky ground; imagine how the markets would respond to a cyber crisis. Or what if they stole SCADA system data and then used that information to take down our nation’s power grids? Or what if they took down the entire air traffic control system? Or what if they wiped out the medical records of millions of patients—data doctors need to make life and death decisions?

Love or hate Microsoft, the almost total ubiquity of a single set of interconnected and interdependent IT systems—with serious security issues—is a serious threat to each of us as individuals and families and to our nation’s security.

For this reason, the Institute will continue to push for the deployment of inherently secure technologies.

LynxSecure

Friday, December 12th, 2008

Last week LynuxWorks came out with this release about LynxSecure, which got some attention in the tech press:

http://www.marketwatch.com/news/story/LynuxWorks-Announces-Immediate-Availability-LynxSecure/story.aspx?guid=%7BCBEB8EC2-A572-41F8-AC68-D44B53116EBD%7D

LynuxWorks’s release said that its LynxSecure “Technology Supports EAL-7 Evaluation, Integrates Multiple Applications at Different Security Levels on a Single Piece of Silicon and Consolidates Hardware for Security and Separation…”. The company also said, “LynxSecure supports a lightweight Application Run-Time environment that can be used for creating secure applications without an intervening OS which can be evaluated to the required assurance level up to EAL-7.”

This release—and other claims like it—are a major reason why the Cyber Secure Institute was founded. Like so many other security claims—new and improved, better, faster—this is just marketing speak.

Read the release carefully. LynuxWorks isn’t saying that its technology has been certified to a high level of security. Nor is LynuxWorks saying that its technology is secure enough to entertain membership in the Cyber Secure Institute.

This is the National Information Assurance Partnership’s list of certified products. http://www.niap-ccevs.org/cc-scheme/vpl

You won’t find an EAL 7 certification for LynxSecure on that list.

This is the National Information Assurance Partnership’s web listing of products in evaluation. http://www.niap-ccevs.org/cc-scheme/in_evaluation

You won’t even find LynxSecure listed as being under evaluation for EAL 7.

Given that LynxSecure isn’t certified and isn’t even under evaluation for EAL 7, it is important to pay close attention to precisely what LynuxWorks said. LynuxWorks said its system supports EAL 7 evaluation or could be evaluated at that level—or so they say. Allow me to paraphrase: “We haven’t been certified to a high level of security, but we say we could be evaluated to that level—take our word for it.” And saying one could be evaluated at that level is not saying one could be certified to that level. I could be evaluated for the US Olympic track team; I wouldn’t qualify, but I could be evaluated.

In fact, there is no way that LynxSecure could receive an EAL 7. For example, EAL 7 requires certain physical security assurances that no software can meet.

The Cyber Secure Institute thinks that claims about cybersecurity ought to be subject to intense and objective scrutiny. And LynuxWorks’s claims in this release just don’t stand up.

We would encourage LynuxWorks, and any other technology provider who thinks that their systems can stand up to high-level security certifications, to go and actually try to get certified. If you get certified, we look forward to working with you. Until then, let’s skip the marketing speak.

Welcome to the Cyber Secure Institute

Thursday, December 4th, 2008

Our name says a lot about us and what makes us different. There are scores of entities—ranging from government agencies to industry trade associations—that are focused on cybersecurity. However, in our view cyber security is all about process.

In contrast, we are focused on a single, clearly defined end state goal: to make our critical IT systems “Cyber Secure”™.

In our view, too much cyber security attention has been focused on patching systems that are inherently insecure. The federal government, namely the National Security Agency and the National Information Assurance Partnership (a joint program of the NSA and the National Institute for Standards), issues security certifications for the IT technologies used across our economy and digital lives. The systems in use today have only been certified to protect against inadvertent and non-hostile attacks. Unfortunately, the cyber-adversaries we face today are anything but inadvertent or non-hostile. Our nation is under constant cyber-attack by foreign enemies, ranging from elite hacking units of the Chinese Army to al Qaeda and other terrorists. Each of us faces cyber threats from sophisticated criminals, like the Russian mafia, every single day. Companies are under siege by cyber-extortionists, organized criminals, and corporate spies.

As if that isn’t troubling enough, we have only modest confidence that these technologies can withstand even inadvertent and non-hostile attacks. The certifications issued by the federal government come with an associated confidence level, which is measured on a scale of 1 (low) to 7 (high). The systems we rely on today have been certified only up to levels 4 and 5—meaning that our confidence in these systems to protect against even the most basic attacks is modest at best.

As a result, the cyber systems that we rely on to protect our nation are vulnerable. So are the systems we rely on to run our nation—from power grids to financial services. And, each of us is vulnerable individually. Your identity can be stolen. Charges can be run up on your credit cards. Your health care and other personal records can be hacked.

This places us in a constant game of whack-a-mole with the terrorists, criminals and other sophisticated adversaries—struggling to knock down the next threat that pops up, only to then face yet another threat, followed by yet more threats.

We need a new paradigm for digital security. We have to stop patching holes and start deploying fully secure systems.

The Cyber Secure Institute was formed to help drive that change.

To achieve this we will start by raising awareness of the cyber threats faced by the nation, companies, and individuals. If we are to drive change there needs to be awareness and pressure.

Second, we will serve as a de facto, independent “industry” standard-setting body with the goal of raising cybersecurity standards. In order to be a full member of the Cyber Secure Institute and display our badge, companies must be able to document to us that their technology has been certified by an independent entity as fully secure against hostile and sophisticated attacks, or document that they are deploying certified technologies for their IT systems. Over time, when you see our badge you can have confidence that the system you are relying on is Cyber Secure™.

Finally, we will advocate for the deployment of best available cybersecurity technologies to protect governments, critical infrastructure and individual citizens. The systems that we are dependent upon need to use only Cyber Secure ™ technologies.

To drive technological change, we will advocate for a host of different mechanisms to compel critical systems to use best available, Cyber Secure™ technologies. In some cases we will base our efforts on existing standards. For example, section 404 of Sarbanes-Oxley requires publicly traded companies to have internal control measures, including over their data and IT systems. Similarly, the 1999 Gramm-Leach-Bliley Act requires financial institutions to institute safeguards to protect customer information, including in digital or cyber formats. Where these standards exist, we will use them as drivers for Cyber Secure technologies. In addition, we will also advocate for new mechanisms–disclosure regimes, insurance schemes, market-based measures, and, where appropriate, regulatory requirements—to achieve these goals.

Through these efforts we will make Cyber Secure ™ the benchmark for both industry and government IT systems.

Critics will say that the goal of real cyber security as we define it is unattainable. They will argue that “There will always be hackers out there finding ways to break our safeguards.” There is an element of truth in their perspective. If cyber security continues to be viewed as an afterthought—the fence you put up after things start to go missing—then there will always be hackers looking to find ways over, under, through or around that fence. Patch one hole in your fence, and they will cut a new one. Build a taller fence, and they will buy a longer ladder.

In fact, the only way to fix this problem is through the sort of paradigm shift we advocate. All the better cyber fences aren’t going to eliminate the threats we face. The next generation of technology needs to be inherently secure, not as an afterthought, but as a core element. If we can put a man on the Moon, harness the power of the atom and build a global information web, we can build inherently secure digital systems.