The Pentagon’s COTS Disease and its Cure

In the mid-1980s the Pentagon began shifting away from special built secure computers to commercial off the shelf systems which DOD baptized as COTS.  Today, the Pentagon is awash in insecure computers, networks, servers and other equipment.

But even before the shift to COTS, the Defense Department, like other Federal agencies, was buying mainframe and mini computers such as the IBM 360/370 and the CDC series of VAX 11 (PDP-11) computers.  These computers enabled command and control systems to work effectively and were the backbone for the design of modern weapons, including strategic missiles and combat aircraft.

It is no surprise that the Soviet Union and its Warsaw Pact allies made it a priority to copy these mainframes and mini computers.  They succeed in copying the IBM-360/370 in a series of computers called Ryad ( Ряд 1, Ряд 2, Ряд 3, and Ряд 4.). The machines worked, with a lot of handholding, but the operating systems were bootleg copies of the operating system IBM was supplying to its legitimate users.  The Soviets were less successful with DEC VAX computers.  The one they really wanted, the VAX 11/780 proved too elusive for copying; a lesser model, the VAX 11/32 was produced in Eastern Europe. Even today the Russians are only producing black box computers for their military.  While there is a small software and application development industry, there is no hardware domestically produced. Like the US, the Russians get their hardware from China.

But by the mid-1980s computing was shifting heavily to networks and the interface changed from so-called “dumb” terminals to small desktop computers.  At the same time the networks were evolving into something new with the appearance of electronic mail and electronic bulletin boards that could be accessed by desktop computers.  Soon the beginnings of email and bulletin boards shifted to the world wide web, that turned into the Internet.

There were a number of motivations for the Pentagon.  If it was to stick with strict security for its equipment, it could not be connected to the internet and it would be limited in the software it could use.

The early DOD computers were Tempest machines.  Tempest was an NSA program for shielding electronic equipment so that signals coming from them could not be intercepted by an adversary.  Most of the Tempest machines used by the Defense Department used custom operating systems and ran custom software.  Even the printers were mounted inside electronically shielded boxes.

In 1988 I remember a visit to Moscow on behalf of the US government.  We were working on an agreement on space cooperation.  As we walked around one of the Soviet science buildings I noticed a computer in a box, and I asked my host what it was.  He said, “you know, it is a computer like your Tempest program.”

Tempest equipment was very expensive and Tempest machines typically were stand alone.  If you wanted to access a mainframe computer (most of them run by the Air Force), you got an IBM “dumb” terminal that was hard wired to the mainframe.  The Pentagon soon realized that there were lots of advantages to “smart” terminals, because you could host your own programs and also save information downloaded from the mainframe.

In that period a Tempest desktop (with printer, sometimes physically integrated) could cost between $20,000 to $30,000 each, sometimes more.  New PCs, by comparison, were in the $8,000 price range and falling.  But even more significantly, while the price of the PC was falling, the performance of the PC was rising, nearly on an exponential basis. Part of the reason for that was the PC, once IBM introduced its first desktop and grabbed 25% of the market, was selling like pancakes –and competition and mass production ran the performance up higher and brought the price down.  Within five years the cost of a desktop was around $2,000 (in then-dollars), but each year the speed and memory on computers got better.  Increasingly, the market was developing applications for the PC that would not run on a Tempest box.  For example, the first really popular word processing system, called Wordstar could not be used by the Pentagon, including the military.  It also meant that sharing files was complicated, since there were five or six different Tempest operating systems and many lacked an ability to save or download anything.

Based on its desire to take maximum advantage of commercial off the shelf computers and equipment, the Pentagon significantly downgraded the need for Tempest.  After all, they reasoned, the Soviets were not going to intercept thousands of computers.  Or were they?

Computers are extremely important to the Defense Department not only for information processing, as it is called, but for weapons systems.  For the most part the military was very anxious to convert from analog processing to digital processing for weapon’s platforms.

Consider for example on board computers on fighter aircraft.  An analog computer can pick up one threat and track it, but not much more.  Moreover, filtering analog radar information is hard to do.  However, if you have a digital computer you can track many bogies at one time and you can remove ground clutter and other anomalies from the radar scene.  The use of digital computers meant you could do real Fast Fourier Transforms (FFT) in near real time on board an aircraft.  For the first time this meant that radar images could “look down” as well as outward, since the FFT function could screen out ground clutter and pick up fast moving targets.  Israel, which got the first US F-15s equipped with “look down-shoot down” radars proved the efficacy of these systems in their June, 1982 Operation Mole Cricket 19 over the Bekaa Valley, where Israeli fighters decimated the Syrian Air Force.

The look down-shoot down radars were obviously custom-built boxes, but they used commercial off the shelf mid-scale* semiconductors (in the early example cited above, mostly from Texas Instruments).

But overall, the Pentagon started integrated commercial computer plug in boards into many weapons systems, many of them running commercial software.  For example, US nuclear submarines currently in operation have PC plug in boards running Windows XT.

The Pentagon wanted faster and faster and more available computers it could use and program as it desired.  In one effort to come up with something different, the Pentagon commissioned a project called the Very High Speed Integrated Circuit (VHSIC –pronounced Viz-hick) project.  DOD invested around $1.5 billion or more in a program aimed at making faster integrated circuits, especially microprocessors and RISC (reduced Instruction Set) circuits.  But despite the investment, the commercial sector zoomed ahead and the VHSIC program never got to where it wanted to go.  For $1.5 billion (around $3 billion today) the Pentagon did underwrite some better equipment for US silicon foundries, but the chip industry would have made that investment anyway.  VHSIC turned out to be a subsidy.

Having failed at VHSIC (although DOD always said it was a success and no one asked them more about it), the Pentagon went whole hog buying commercial off the shelf hardware and software.  Most of the hardware came from China; some of the software was domestic, but increasingly as China started making more and more gadgets that the Pentagon bought, the firmware for devices was produced in China.

Consider, as an example, surveillance cameras.  Almost all surveillance cameras the Pentagon uses are COTS.  And even if the cameras have an American name on them, the chances are that the hardware and firmware are Chinese.  Nearly all this equipment is a security nightmare, but the Pentagon has done very little to address the subject.

Why do cameras matter?  At a US military base, or in front of a Pentagon high security conference room, an adversary can register the tempo of events, record the faces of the participants, and using face recognition technology instantly know what persons are in meetings.  This means that an adversary can get an idea of what subjects may be on the table and whether the meetings take place on other than a regular basis.  Today most cameras are connected to the internet, so events on a military base, such as a call up of troops or the movement of equipment, may be known to an adversary before it is even widely known in the Pentagon itself.  In many ways the cameras are far better than surveillance satellites because they are always turned on at the target all the time; satellites have orbits and can cover a subject only when the satellite passes over the site.

Since the introduction of COTS there have been rising security incidents involving US computer systems.  Even though the DOD (and other government agencies) have invested billions in trying to make computers and networks more secure, actually they have achieved precisely the reverse.

This raises a very important question –can Defense Department and military computers that use commercial hardware and software, be secured?  The answer to the question is simple –the evidence says it can’t be done.

Today most computers and electronics are made outside the United States, primarily China.  But for desktop computers the operating systems and software are by and large American (or sort of American).  Big software development today is a multinational operation, with pieces of the final project developed outside the United States or imported from freeware and community-sourced projects.  It is simply a matter of economics.  In addition, there is almost no proper vetting of the people who work for big companies such as Microsoft or Apples. On top of these issues one can add that the object of big companies is maximum global product sales.  As such, operating systems and applications are developed to have mass appeal and significant entertainment value.

None of this means that big and small companies want to sell bad products.  Most of them try to provide reasonably reliable end-products.  Getting patches and updates is one way problems that are discovered in the cyber-universe are mitigated.  But patching of computers often is a hit or miss proposition, as the Pentagon very well knows because it has thousands of computers with out of date operating systems and with erratic and poor maintenance.

Unfortunately the Pentagon lacks its own computer security agency with a responsibility for all systems throughout the civilian and military sides of US defense.  Such an agency would have to vet and certify operating systems, software and firmware before it could be used.  In this DOD has fallen flat on its face. NSA does have a program for securing hardware and software at different security levels, but on the whole the NSA project only touches a very small number of specialized products. In any case these certified products are not COTS.

What Should Be Done

Staying with COTS and the security solutions we have today is a guaranteed loser.  No one can deny the appalling security record.  Moreover, the public has a right to be outraged that DOD has had huge parts of its programs compromised by hacks.  Take for example the F-35 and ask yourself why China has two stealth fighters (the Chengdu J-20 and the Shenyang FC-31)?

Chinese hacking of the F-35 is well known –there were multiple points of entry of DOD, the Prime Contractor (Lockheed) and many subcontractors in the US and elsewhere.  This not only saved the Chinese billions of dollars, but it gave them an aircraft that is, at least as far as we know, competitive with US stealth fighters.  China’s hacking also dramatically lowered the timeline for producing a stealth fighter aircraft. The result is that should the US get into a firefight with China, we could have problems detecting Chinese stealth aircraft, thus losing our advantage.

It is not entirely clear how much of China’s big push in military hardware is owed to thefts from the US and our friends and allies. China depends on a unique mixture of indigenous and imported technology –the direct import is from Russia, the clandestine import is primarily from the United States.  It would not be unfair to say that in high end sophisticated military equipment the US component for China is in the area of 40 to 45%, perhaps more.  If nearly half your R&D comes to you at little or no cost, that is quite something.

For the past decade I have advocated trashing COTS-based systems and software for DOD and contractors and replacing them with secure and specially encrypted hardware and software using special operating systems developed for purpose.  In short the idea is to have custom made equipment and software that is not distributed to the public and can’t be sold to the public other than to approved defense contractors.  The proposed equipment would be tagged and location specific so that it can’t work if removed from its location, and if it is stolen or goes missing, the authorization for the equipment and software would immediately be cancelled. For equipment used in aircraft, at forward bases, and by the Navy, Coast Guard and Marines would have a separate validation system taking into account that it will move from place to place.

My proposal would change hardware, firmware, operating systems and software –in short, everything.  Replacing these components would be hardware made in the United States which would be NSA certified for security, a unique operating system or cluster of operating systems, all encrypted, that would be certified by NSA, and application software that would be vetted and approved by NSA.  Insofar as possible, no foreign components of any kind would be used but, where they are absolutely needed the foreign components would have to be vetted and approved by NSA.

Because most hacking exploits some weakness in hardware, operating systems or applications, hackers would have no access to government-only systems.  This would make it nearly impossible for them to devise any hack unless they understood and could crack the encryption overlay and the specific encryption used for each component and provided they had access to the components.  Since the components would be coded with approved user identifications and layered and organized on a need to know basis, gaining access even if it was accomplished would yield small returns at most.

Building such a system takes the best brains available all of whom must be willing to accept a high level security clearance and work in approved, secure laboratories. To avoid intruders, the work would be, insofar as practicable, compartmented, meaning that one researcher would not have any insight into what another was doing unless that was required for the assigned work.

While it would take time to build an entirely new computing environment (keeping in mind the system we have is an accretion of 50 years), the actual costs would figure in the low tens of billions of dollars, “chump change” for DOD’s humongously expensive platform programs like the Ford-class nuclear Aircraft Carrier or the new B-21 Raider  stealth bomber.’

There is a risk, as the cancelled VHSIC project illustrates, that such a new DOD system will quickly become obsolete.  This possibility can’t be dismissed up front: provision has to be made to keep it fresh and one step ahead of commercial technology.  It also must be able to do things DOD absolutely has to have for the future –beyond interoperability to aware and alert systems that can self-optimize their tasks and share the updates with other systems.  This is the idea, in part, in what has been stuffed into the F-35, but it is also the future augmented by artificial intelligence, sensor integration and acquisition of sensors and information on the fly.

It is quite true that these days relying on encryption for protection may not be entirely safe, with the rise in quantum computing.  By the same token, given the coming availability of quantum computers, it ought to be possible to build an encryption shield that supercomputers, even the quantum class, can’t break.

Some think all of this can be fixed by going to cloud computing.  A secure cloud is supposed to take away the security issue and obsolete all the old computers now running. Anyone who accepts this argument should give it a little more thought, because a secure cloud is only secure if access to it is secure.  The idea that DOD would rely entirely on a secure cloud and abandon its thousands of servers and other equipment makes no sense.  At minimum the existing hardware is the only backup should the cloud fail. But beyond that, all the eggs in one basket (though it is a tendency these days in Defense Department procurement) makes no sense as a strategy because of the unbelievably high risk it presumes.  The cloud is, at best as potential convenience and ought to make maintenance more focused and easier.  But contracting out security is always dangerous, even more so when everything is stuck together. Consequently cloud computers are neither a panacea for security nor a solution to cleaning up the COTS mess.  Indeed it brings the danger of giving the Pentagon an excuse to stop doing routine security.  In this sense, the cloud is a false idol.

This project would involve many thousands of people to execute.  It would also have to be constantly upgraded to keep pace with the rapid arrival of new technologies that offer significant advantages.  It is well known we are on the brink of broad applications for new, faster computers based on gallium nitride and other advanced semiconductor substrates.  The good news is that some of these products are already becoming available, are unique but are far too expensive so far for commercial use (nor is there any immediate demand for them in the commercial space).  It would seem, therefore, that there are considerable advantages for DOD to get ahead of the technology power curve instead of depending on already obsolete commercial off the shelf systems.

____________________________________

*Semiconductors used to be categorized by how many transistors were on a single dye, or chip.  A single scale integrated circuit has tens of transistors; a medium scale circuit has hundreds of transistors; a large scale thousands, and a very large scale tens of thousands of transistors.  These days with very small feature sizes measured in nanometers, the best integrated circuits are around 5 nanometers and very fast and have millions of transistors.