Picture a cyber warfare arms race where the participating countries have spent years of building offensive cyber warfare capabilities by exploiting the monoculture on one another's IT infrastructure.
Suddenly, one of the countries starts migrating to a hardened operating system of its own, and by integrating it on systems managing the critical infrastructure it successfully undermines the offensive cyber warfare capabilities developed by adversaries designed to be used primarily against Linux, UNIX and Windows.
"Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!
This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows."
Kylin is an operating system developed by the the University of Science and Technology for National Defense, and successfully approved by China's 863 Hi-tech Research and Development Program office in 2006. According to their web site, the OS has already achieved one of the highest national data security standards, and is therefore to be used as critical military and government servers. Is Kylin so unique and impenetrable as China is pitching it, following years of research and piles of money spent on branding it as the secure national operating system of choice? That may not be the case.
In a recently conducted kernel similarity analysis, a Chinese student debunks this notion by pointing out that not only are different versions of Kylin's kernel virtually the same, but also, that most of the kernel code is identical to the one of FreeBSD5.3:
"A Linux specialist who declined to be named, said recently that of all the Linux kernel codes, none are developed by Chinese. The situation has been acknowledged by Ni Guangnan, an academic with the Chinese Academy of Engineering and a strong advocate of Linux in China.
Prior to this, the Kylin operating system - which is funded by the National 863 High-Tech Program - was found to have plagiarized from the FreeBSD5.3. An anonymous internet user, who goes by the handle name "Dancefire", pointed out similarities between the two systems reached 99.45 percent."
All warfare is indeed based on deception, especially when you're re-branding.
"We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems. Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders."
Upon exploitation of the Web applications, they were able to gain unauthorized access to a Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower, an ATC system used to monitor critical power supply at six en route centers, and had the capability to install malicious code on users' computers part of FAA's network. How did they do that? By exploiting the basic insecurities that every 'secure' OS has, in this case exploiting the insecurely configured web applications allowing them to gain access, next to exploiting the unpatched ones or the usability and complexity altogether.
The bottom line - are secure operating systems the cornerstone for a hardened critical infrastructure, or is a misconfigured 'secure' operating system just as insecure as the supposedly insecure one in general, managing assets through a flawed and outdated risk assessment process? Talkback.