Wednesday, May 13, 2009

The Cyber Maginot Line

On Tuesday May 12, 2009, Bill Gertz of the Washington Times reported on China's defensive cyber warfare capabilities. Gertz writes,
China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies. The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.
Gertz continues,
The deployment of Kylin is significant, Mr. Coleman said, because the system has "hardened" key Chinese servers. U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp.
This reporting demonstrates a stunning ignorance of cyber warfare and cyber security strategies and tactics. First, there is no such thing as a "secure" operating system and any claims of such should be treated with skepticism. Security must be balanced with usability. For example, a truly secure operating system should not be connected to the public Internet but obviously this type of system would be of little use to the average user.

Second, an operating system is only as secure as the users who install, configure, and use it. If administrators do not configure the Kylin system properly and users do not follow good security practices, then security breaches are likely to follow. All it takes is one user willing to click on a link in a phishing email or download an infected attachment to compromise a system.

Third, just because an operating system is secure does not mean the entire system is secure. Vulnerabilities may still exist up the stack specifically in applications installed on the system.

In addition, a closer examination of the Kylin reveals it is based almost entirely on FreeBSD. This fact debunks Gertz's claim that China "has developed more secure operating software for its tens of millions of computers." Dancho Danchev at ZDNet reports that a Chinese security researcher operating under the handle of Dancefire first noted the similarities between Kylin and FreeBSD. Dancefire wrote, "the Kylin operating system - which is funded by the National 863 High-Tech Program - was found to have plagiarized from the FreeBSD5.3." The similarities between the two systems "reached 99.45 percent." FreeBSD "is derived from BSD, the version of UNIX developed at the University of California, Berkeley." It is currently maintained by the FreeBSD Foundation in Boulder, Colorado.

In conclusion, this Mr. Gertz's story is another in a long line of hype surrounding the important issue of cyber security.

No comments: