Strong second—we should build up secure open computing from bare metal (secure, open verifiable CPUS, memory, etc.) to the OS, to compilers, to a secure applications layer.
I discussed this with a couple people ca. 2 years ago, and thought it was likely that a company like Google could design and produce a full stack secure system as a moderately large internal project. And some groups are already doing parts of this—for example, a provably secure OS microkernel, for far less than what we’d be able to spend.
As a fermi estimate on the high end, if we hire 10 top hardware design people for $500k/year each, throw in the same number of OS design people, and compiler designers at the same cost, and a team of 50 great people to do the rest of the development and testing at $300k/year, $100m means that we have 3 years to do this—and it’s an open source project, so we’d get universities, etc. working on this as well. (i.e. we could not mass produce the hardware at theses prices, but that’s commercialization, not design, and it should be funded by sales.)
(not an expert) My impression is that a perfectly secure OS doesn’t buy you much if you use insecure applications on an insecure network etc.
Also, if you think about classified work, the productivity tradeoff is massive: you can’t use your personal computer while working on the project, you can’t use any of your favorite software while working on the project, you can’t use an internet-connected computer while working on the project, you can’t have your cell phone in your pocket while talking about the project, you can’t talk to people about the project over normal phone lines and emails… And then of course viruses get into air-gapped classified networks within hours anyway. :-P
Not that we can’t or shouldn’t buy better security, I’m just slightly skeptical of specifically focusing on building a new low-level foundation rather than doing all the normal stuff really well, like network traffic monitoring, vetting applications and workflows, anti-spearphishing training, etc. etc. Well, I guess you’ll say, “we should do both”. Sure. I guess I just assume that the other things would rapidly become the weakest link.
In terms of low-level security, my old company has a big line of business designing chips themselves to be more secure; they spun out Dover Microsystems to sell that particular technology to commercial (as opposed to military) customers. Just FYI, that’s just one thing I happen to be familiar with. Actually I guess it’s not that relevant.
Agreed that secure low level without application security doesn’t get you there, which is why I said we need a full stack—and even if it wasn’t part of this, redeveloping network infrastructure to be done well and securely seems like a very useful investment.
But doing all the normal stuff well on top of systems that still have insecure chips, BIOS, and kernel just means that the exploits move to lower levels—even if there are fewer, the differences between 90% secure and 100% secure is far more important than moving from 50% to 90%. So we need the full stack.
Strong second—we should build up secure open computing from bare metal (secure, open verifiable CPUS, memory, etc.) to the OS, to compilers, to a secure applications layer.
Is this something we could purchase for a few hundred million in a few years?
I discussed this with a couple people ca. 2 years ago, and thought it was likely that a company like Google could design and produce a full stack secure system as a moderately large internal project. And some groups are already doing parts of this—for example, a provably secure OS microkernel, for far less than what we’d be able to spend.
As a fermi estimate on the high end, if we hire 10 top hardware design people for $500k/year each, throw in the same number of OS design people, and compiler designers at the same cost, and a team of 50 great people to do the rest of the development and testing at $300k/year, $100m means that we have 3 years to do this—and it’s an open source project, so we’d get universities, etc. working on this as well. (i.e. we could not mass produce the hardware at theses prices, but that’s commercialization, not design, and it should be funded by sales.)
(not an expert) My impression is that a perfectly secure OS doesn’t buy you much if you use insecure applications on an insecure network etc.
Also, if you think about classified work, the productivity tradeoff is massive: you can’t use your personal computer while working on the project, you can’t use any of your favorite software while working on the project, you can’t use an internet-connected computer while working on the project, you can’t have your cell phone in your pocket while talking about the project, you can’t talk to people about the project over normal phone lines and emails… And then of course viruses get into air-gapped classified networks within hours anyway. :-P
Not that we can’t or shouldn’t buy better security, I’m just slightly skeptical of specifically focusing on building a new low-level foundation rather than doing all the normal stuff really well, like network traffic monitoring, vetting applications and workflows, anti-spearphishing training, etc. etc. Well, I guess you’ll say, “we should do both”. Sure. I guess I just assume that the other things would rapidly become the weakest link.
In terms of low-level security, my old company has a big line of business designing chips themselves to be more secure; they spun out Dover Microsystems to sell that particular technology to commercial (as opposed to military) customers. Just FYI, that’s just one thing I happen to be familiar with. Actually I guess it’s not that relevant.
Agreed that secure low level without application security doesn’t get you there, which is why I said we need a full stack—and even if it wasn’t part of this, redeveloping network infrastructure to be done well and securely seems like a very useful investment.
But doing all the normal stuff well on top of systems that still have insecure chips, BIOS, and kernel just means that the exploits move to lower levels—even if there are fewer, the differences between 90% secure and 100% secure is far more important than moving from 50% to 90%. So we need the full stack.