(not an expert) My impression is that a perfectly secure OS doesn’t buy you much if you use insecure applications on an insecure network etc.
Also, if you think about classified work, the productivity tradeoff is massive: you can’t use your personal computer while working on the project, you can’t use any of your favorite software while working on the project, you can’t use an internet-connected computer while working on the project, you can’t have your cell phone in your pocket while talking about the project, you can’t talk to people about the project over normal phone lines and emails… And then of course viruses get into air-gapped classified networks within hours anyway. :-P
Not that we can’t or shouldn’t buy better security, I’m just slightly skeptical of specifically focusing on building a new low-level foundation rather than doing all the normal stuff really well, like network traffic monitoring, vetting applications and workflows, anti-spearphishing training, etc. etc. Well, I guess you’ll say, “we should do both”. Sure. I guess I just assume that the other things would rapidly become the weakest link.
In terms of low-level security, my old company has a big line of business designing chips themselves to be more secure; they spun out Dover Microsystems to sell that particular technology to commercial (as opposed to military) customers. Just FYI, that’s just one thing I happen to be familiar with. Actually I guess it’s not that relevant.
Agreed that secure low level without application security doesn’t get you there, which is why I said we need a full stack—and even if it wasn’t part of this, redeveloping network infrastructure to be done well and securely seems like a very useful investment.
But doing all the normal stuff well on top of systems that still have insecure chips, BIOS, and kernel just means that the exploits move to lower levels—even if there are fewer, the difference between 90% secure and 100% secure is far more important than moving from 50% to 90%. So we need the full stack.