Danzig: Analog has value in countering cyber threats

The former Navy secretary recommends some unconventional approaches to help meet the cybersecurity challenge. Quantum encryption? Not so much.

Richard Danzig was President Clinton’s Navy secretary from 1998 to 2001. Today, he is a member of the Defense Policy Board and The President’s Intelligence Advisory Board, advising the Defense and Homeland Security departments on cyber threats, terrorism and bioagent detection. He also is a director of the Center for a New American Security and a RAND Corp. executive.


Speaking with Defense Systems contributor David Walsh, Danzig proposed ways for the United States to better engage and overcome obstacles in the increasingly complex cybersecurity domain.

DS: China and its “citizen hackers,” Russia and other actors are increasingly aggressive in computer penetration efforts, electronic warfare and espionage. PLA generals speak openly of unrestricted “technological violence.” How serious are these threats? And what’s the impact of, say, latency of pre-installed bugs in what we buy: routers, modems, monitors, wiring? 

Danzig: Well, it’s pretty striking in terms of penetrations, and none of us really knows ... about the extent to which there may be latent hardware embeds. Embeds can be of many kinds, and systems are so complex, so numerous, so big that ... the number of hiding places is very, very great.

The cyber world [overall] is inherently insecure both in the exceptional difficulty ... in keeping other entities or people out, but also in ... claiming that a very complex system is clean or fully secured. 

DS: Operating systems, for example?

Danzig: Microsoft’s OS has at least 50 million lines of code, and big corporate financial institutions manage over a trillion lines. [Obviously], your ability to see what’s inside those systems is very limited.

DS:  Outsourcing complicates matters. You’ve noted the F-35 Joint Strike Fighter alone may contain countless vulnerability gateways and the supply chain overall is reportedly at serious risk.

Danzig:  That’s right. [Hardware is] an additional compounding point. We haven’t seen many examples of hardware corruption, and we see many, many examples of software problems.... But that may be just a matter of the present. If somehow we could clean up the software problem, we’d still have the hardware problem.

DS:  Lately you’ve stressed that analog computer systems can complement and help safeguard digital systems. Would it have prevented or minimized recent attacks on, say, the U.S. Central Command, the Office of Personnel Management, or the Joint Chiefs’ YouTube and Twitter accounts?  

Danzig: I don’t think the analog will prevent penetrations, and it’s not, generally speaking, something that I would prescribe for protection of intellectual property or confidential communications. My interest in analog arises because, beyond simply traditional cyber threats, there are cyber physical threats, which are efforts to corrupt the operation of physical systems, like a power grid or steel mill.... A ship-launched missile, for instance, could corrupt cyber components, then cause that physical system to self-destruct or operate in damaging ways.

And there, if you have an analog system, you gain a significant measure of protection if it at least informs you about what’s happening, so the attacker can’t control both your system and your ability to perceive your system.

DS:  How do we acquire or incorporate analog systems?

Danzig: In a number of systems, they already exist. And I’m trying to sound the alarm about systems in, for example, the power grid world [that are] moving to digital systems and abandoning the analog. It’s the wave of modernization; digital systems are more efficient. 

[Nevertheless], I’m saying regulators ought to move to a digital system in your operations, but keep at least some of your safety system in analog mode. So that’s a first, kind of easy case.

In other cases, for example, you can introduce an analog component, even a human, into what could otherwise be a purely cyber system. For example, my system automatically can generate new passwords when requests come in. I might approve requests ... up to a certain number, but when I’m suddenly seeing a request for 10 times the normal number, the system might have inserted something that requires a human being to review those requests or any other kinds of aberrations that occur. 

DS:  Has the Navy or other DOD enterprise tried out your dual “back to the future” approach?

Danzig:  Military services are becoming aware ... of its potential utility. How far they’ve gone in different systems in actually adopting that, I can’t say.

DS: Infrastructure and power grids are vital largely because the military, homeland security components and others greatly rely on the civilian world for bandwidth, spectrum and other types of modalities. Here again, might creating separate entities prove useful should one system or network go down – with or without analog stand-alones? 

Danzig:  Yeah. Well, you’re making several points, all of which I think are right. Firstly, the military system is reliant on the civilian system. Military bases will have generators and another kind of capacity for the very short term. But if the civilian power grid went down ... the Pentagon recognizes that their systems logistically would have lots of problems.

Secondly, if we create some degree of diversity within the power grid—a separation—so that not all of it goes down too readily, that’s a big help, and we have a limited degree of that now.  But in all cyber physical systems, creating some degree of separation enclaves is very useful for restoring resiliency.

Lastly, introducing complementary analog components or preserving analog components in a civilian power system is a useful safeguard versus making it all digital.

DS: Some champion quantum cryptography, supposedly unbreakable but with limited range for now, as a key near-term safeguard. Does this ameliorate cyber-intrusion prospects?

Danzig:  No. I think it’s the other way around. The problem with quantum computing is that it threatens to undo the protections associated with encryption, which depends on the inability to do huge computation to crack codes. And if we had quantum computers, the reason NSA and others are mostly concerned about it is because quantum computers couldn’t render what is now protected encryption, vulnerable. [It may be that] quantum computing is less a boon than it is a threat. One of the good steps to take at present, though limited, is to use more encryption.

DS:  Still, is such a tool, in concert with analog and other steps, useful in the mid-term against fast modernizing nemeses like China?

Danzig: Yes. I think there is a suite of things that one ought to do. Moving to use more analog in a complementary way, creating separated enclaves, avoiding a computer digital monoculture where everything runs in the same system and therefore has common vulnerability, and more and better encryption are all examples of things that make it notably harder for the attacker.

Ultimately, a committed attacker with a lot of resources can get around these problems, but you protect yourself better against uncommitted attackers without lots of resources, and you make it noticeably harder and perhaps more visible when a committed attacker with huge resources wants to invest against you. So I don’t think there’s a nirvana via that route, but I do think there’s a better world.

DS: You contend that normal screening and antivirus apps are inadequate leak-stoppers, since they depend on preexisting security signatures. Explain, please.

Danzig:  Sure. [Computer vulnerability studies have found] antiviral software rife with vulnerabilities because it’s software and, therefore, has the same problems as other software. But it’s particularly, potentially a potent problem because in order to operate, antiviral software has privileges for entering and manipulating your computer system. So it can be a source of problems as well.

The main problem, though, with antivirals is they lag [behind] the appearance of new vulnerabilities. It takes some, not inconsiderable, time to recognize that they’re there, and when patches are provided, they frequently are not immediately installed. And they immediately advertise to attackers that there is a route in if the patch hasn’t been installed.  There are good reasons why some people don’t immediately install patches: because they have to interact with a lot of their very complicated hardware. 

So a big department store that has a thousand different sites or a hundred different sites may first only install a patch on two or three sites to see how it works and whether it’s causing problems, during which time attackers can enter the other 97 sites. Also, there are a lot of people out there who don’t install patches or they’re using counterfeit software or that don’t get news of the patches, et cetera, et cetera.
