Should Microsoft’s Windows operating system be considered critical infrastructure?
The answer seems so obvious as to beg the question of why we even ask. But, in the wake of President Obama’s recent Executive Order for Cybersecurity, telecommunications firms and others affected by the Order are wondering why Microsoft and other software makers were exempted from new Administration mandates.
Writing for Bloomberg on Monday, Eric Engleman wrote about growing dissent over what he termed the “Google Exception” within the Executive Order. Telecommunications companies, Bloomberg reported, are encouraging the Administration to rethink a decision to exempt software like Microsoft’s Windows, Apple’s iOS mobile operating system and Google’s various products from being considered “critical infrastructure.”
Specifically, Section 9 of the Order stipulates that, within 150 days of the order being signed, the Secretary of Defense needs to identify any “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Secretary is instructed to use a “consultative process” and “draw upon the expertise of Sector-Specific Agencies” in compiling that list - with one big caveat: “he shall not identify any commercial information technology products or consumer information technology services under this section.”
In other words: commercial software can’t be counted as critical infrastructure. The contradictions here are almost too many to number. Speaking to Bloomberg, Marcus Sachs, the Vice President of National Security Policy at Verizon Communications Inc., notes that e-mail is a mission critical application at many organizations. “If e-mail went away this afternoon, we would all come to a stop,” he said.
In response, White House spokeswoman Catilin Hayden is quoted saying that the goal of the Order is to “protect systems and assets whose incapacitation from a cyber incident would have catastrophic consequences” for national security and the U.S. economy. “It’s not about Netflix, Twitter, Facebook and Snapchat.” For real?
I think Sachs’s calling out e-mail is valid, but a bit dated, and probably not the most forceful argument that can be made. First of all, it’s not clear that our world would grind to a halt if e-mail suddenly disappeared. In all likelihood, folks would just shift to one of the many other communications alternatives out there - like Twitter, Facebook and Snapchat. ;-)
A better argument might be to talk about underlying operating systems like Windows and ask how its possible to consider, say, Human Machine Interface (HMI) terminals that are used to manage critical private and public infrastructure across our country but exempt the operating system that’s powering those HMI systems? It’s not even clear to me how you consider the security posture of an HMI without considering the security of the underlying OS, seeing as that’s the majority of the attack surface. What about Oracle databases that power much of the government and military’s data centers? Talking about Twitter, Facebook and Snapchat is cute - but it betrays a lack of understanding about the critical interplay of software with what the Order calls “systems and assets” that’s, frankly, a bit scary.
The reasons for the giant loophole in the Executive Order are easy enough to guess: software makers like Google, Microsoft and Apple pushed hard - through their D.C. based lobbyists - to make sure that the Order, whatever it said, didn’t impose any new requirements on them to start being able to attest to the security of their products. Speaking to Bloomberg, David LeDuc, a senior director of public policy for the Software & Information Industry Association (SIIA), a D.C. lobbying group said the Order wasn’t meant to “dictate how...products and services behave.” But that’s a canard. As we’ve noted in this blog before, there’s a role for government oversight of issues like software security (maybe we should start calling it “software safety”) that doesn’t extend to having the government tell Microsoft how to build its operating system - or even how to secure it. The Federal Aviation Administration doesn’t tell Boeing how to build jetliners. It does set stringent standards for how those jet liners have to perform in both typical and adverse circumstances. The result: incidents of equipment malfunction stemming from poor design or deployment are extremely rare. Serious accidents stemming from such failures are even more rare.
To extend the analogy a bit further, ask yourself: how forceful would the FAA’s mandate to ensure the safety of civil aviation be if wealthy engine manufacturers like GE lobbied successfully to have their products exempted from the safety checks necessary to qualify a plane for commercial service? It’s laughable to even think of that, but that’s - in essence -the kind of concession that software publishers have won here.
Given what we know about the State of Application Security, the reluctance of software vendors like Microsoft or (god forbid) Oracle to have their products put under the harsh light due to pieces of “critical infrastructure” is very understandable. It’s up to the Obama Administration, therefore, to listen to the protestations of the telecommunications firms (sour grapes they may be) and see that there’s more than a seed of truth in them.