China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?

Picture a cyber warfare arms race where the participating countries have spent years of building offensive cyber warfare capabilities by exploiting the monoculture on one another's IT infrastructure.

Suddenly, one of the countries starts migrating to a hardened operating system of its own, and by integrating it on systems managing the critical infrastructure it successfully undermines the offensive cyber warfare capabilities developed by adversaries designed to be used primarily against Linux, UNIX and Windows.

That's exactly what China is doing right now with their hardened OS Kylin according to Kevin G. Coleman, Senior Fellow and Strategic Management Consultant with the Technolytics Institute who presented his viewpoint in a hearing at the U.S. – China Economic and Security Review Commission.

Here's an excerpt from the hearing:

"Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!

This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows."

Kylin is an operating system developed by the the University of Science and Technology for National Defense, and successfully approved by China's 863 Hi-tech Research and Development Program office in 2006.  According to their web site, the OS has already achieved one of the highest national data security standards, and is therefore to be used as critical military and government servers. Is Kylin so unique and impenetrable as China is pitching it, following years of research and piles of money spent on branding it as the secure national operating system of choice? That may not be the case.

In a recently conducted kernel similarity analysis, a Chinese student debunks this notion by pointing out that not only are different versions of Kylin's kernel virtually the same, but also, that most of the kernel code is identical to the one of FreeBSD5.3:

"A Linux specialist who declined to be named, said recently that of all the Linux kernel codes, none are developed by Chinese. The situation has been acknowledged by Ni Guangnan, an academic with the Chinese Academy of Engineering and a strong advocate of Linux in China.

Prior to this, the Kylin operating system - which is funded by the National 863 High-Tech Program - was found to have plagiarized from the FreeBSD5.3. An anonymous internet user, who goes by the handle name "Dancefire", pointed out similarities between the two systems reached 99.45 percent."

All warfare is indeed based on deception, especially when you're re-branding.

The rush to participate in the "national security operating system" arms race is pretty evident across the world, with the European Union's secure OS Minix, the U.S Air Force new 'secure distribution of Windows XP' and Russia's interest in a similar secure OS.

What everyone appears to be forgetting is the fact that security is proportional with usability, and as well as the fact that complexity is the worst enemy of security. Combined, these complexities and usability issues end up in not so surprising results such as the recently conducted pen testing audit at the U.S Federal Aviation Administration, where the auditors from KPMG logically bypassed the "security through secure OS mentality" and by attacking the upper layers of the OSI Model presented the following results:

"We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems. Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders."

Upon exploitation of the Web applications, they were able to gain unauthorized access to a Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower, an ATC system used to monitor critical power supply at six en route centers, and had the capability to install malicious code on users' computers part of FAA's network. How did they do that? By exploiting the basic insecurities that every 'secure' OS has, in this case exploiting the insecurely configured web applications allowing them to gain access, next to exploiting the unpatched ones or the usability and complexity altogether.

The bottom line - are secure operating systems the cornerstone for a hardened critical infrastructure, or is a misconfigured 'secure' operating system just as insecure as the supposedly insecure one in general, managing assets through a flawed and outdated risk assessment process? Talkback.