Cyber warfare is being conducted as a never-ending swordfight between black and white hats. Will the white hats ever suggest that they need to be made obsolete? Of course not! Even though they are well-intentioned and very talented engineers, they rely on the existence of both the black hats and the inherent software vulnerabilities. But if vendors can download software over the Internet, so can hackers. A computer does not have to be built this way. Instead, it can be constructed so that no software can ever be downloaded over the Internet. The Navy still has a few examples of a very old computing machine, the AN/YUK-7 (on Flight II Ticonderoga-class cruisers), that exhibits the solution.
The machine has two completely separate banks of magnetic core memory: one holds the executable program code that the central processing unit runs, and the other holds the data the program uses in its computations as it runs. The split was made for speed, not security: core memory was very slow, and fetching instructions and data from separate banks made the machine twice as fast.
Today’s commercially derived personal computer was designed to be inexpensive and versatile, so code and data share the same memory path. This is inexpensive, since there only has to be one code/data bus and one cache memory in the microprocessor chip, one code/data bus and one set of memory on the motherboard, one disk drive, and one network connection to the Internet. It is also versatile, because both the computer code and the data can be downloaded from the Internet. However, this commercially derived PC architecture is also vulnerable, and cyber-warfare practices continually exploit this susceptibility.
The new invulnerable PC looks like this: the code and the data on each PC are stored in completely independent memory paths. This is more expensive, since there has to be one code bus, one data bus, and two independent cache memories (one for each bus) in the microprocessor chip itself; one code bus, one data bus, and two independent sets of memory on the motherboard; two independent disk drives; and two independent network connections, one to the Internet and the other to a completely physically secured local network used by local system administrators to maintain and update software.
The expensive part of the hardware is the new secure microprocessor chip, including the firmware on board the chip. The new motherboard will be nowhere near as expensive, and its memory and the disk drives will require no change; the current PC components will work perfectly well. However, one of the two network-connection boards will require a slight change: its connector will have to be keyed differently from the normal Internet connector so that it can only link to the physically secured local network. This avoids the disaster of connecting the computer to the wrong network by mistakenly swapping the cables.
Upgrading the facility is expensive because it needs a completely physically secured local network for the local system administrators to maintain and update software over. This is a one-time cost, and the Department of Defense is used to managing separate secured and unsecured networks. Alternatively, the system administrators could physically visit each computer and bring the software on portable media, configuring one machine at a time. That is a continuing cost.
Upgrading the software is also expensive, because the secure microprocessor chip will likely have some new machine-level instructions. A compiler vendor (or two) that uses cross-compiling techniques will therefore need to develop a new back end for the secure microprocessor chip. An important consideration when choosing this vendor will be the variety of front-end computer languages it already supports; if the vendor does not cover all the necessary languages, additional front ends will need to be built.
Software is often the largest cost in computer systems, but none of the existing libraries will need to be modified for this secure microprocessor chip. The software will only need to be recompiled and released, avoiding a huge potential cost. The one exception is software that uses self-modifying code techniques. This has long been discouraged, so it should not be a widespread problem, but the new compiler front end will reveal all such occurrences, and they will need to be fixed.
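The two-memory design described above, and the self-modifying-code consequence just mentioned, as an added C model that is not from the original article or the AN/YUK-7 itself: code memory and data memory are separate arrays, only the maintenance port can load code memory, and both the Internet port and the program's own STORE instruction reach data memory alone, so a downloaded blob never becomes executable and self-modifying code has nowhere to write. The opcodes, port names and sample program are invented for the illustration.

```c
/* Toy model of the two-path machine described above: code memory is separate from
 * data memory and only the maintenance port can load it. Opcodes and ports are invented. */
#include <stdint.h>
#include <string.h>

enum { MEM_WORDS = 64 };
enum op { HALT, LOAD_IMM, ADD, STORE };
enum port { PORT_MAINT, PORT_INTERNET };
typedef struct {
    uint8_t code[MEM_WORDS];   /* fetched by the CPU; never the target of a store */
    uint8_t data[MEM_WORDS];   /* the only memory that STORE and downloads can reach */
    int acc, pc;
} machine;

/* Code memory accepts an image from the maintenance port only. Returns 1 on success. */
int write_code(machine *m, enum port src, const uint8_t *img, int n) {
    if (src != PORT_MAINT || n < 0 || n > MEM_WORDS) return 0;
    memcpy(m->code, img, (size_t)n); return 1;
}

/* Any port may write data memory, within bounds. Returns 1 on success. */
int write_data(machine *m, int addr, const uint8_t *buf, int n) {
    if (addr < 0 || n < 0 || addr + n > MEM_WORDS) return 0;
    memcpy(m->data + addr, buf, (size_t)n); return 1;
}
/* Run until HALT and return the accumulator; -1 on a bad opcode or a runaway program. */
int run(machine *m, int max_steps) {
    for (m->pc = 0, m->acc = 0; max_steps-- > 0 && m->pc + 1 < MEM_WORDS; m->pc += 2) {
        uint8_t op = m->code[m->pc], arg = m->code[m->pc + 1] % MEM_WORDS;
        if (op == HALT) return m->acc;
        if (op == LOAD_IMM) m->acc = arg;
        else if (op == ADD) m->acc += m->data[arg];
        else if (op == STORE) m->data[arg] = (uint8_t)m->acc;  /* data memory only */
        else return -1;
    }
    return -1;
}

/* Scenario: the admin loads a program, then a "download" arrives on the Internet port.
 * Returns the program's result (12 here), or -1 if the download ever reached code memory. */
int demo(void) {
    machine m; memset(&m, 0, sizeof m);
    const uint8_t prog[] = { LOAD_IMM, 5, ADD, 0, STORE, 1, HALT, 0 };  /* acc = 5 + data[0] */
    const uint8_t payload[] = { LOAD_IMM, 99, HALT, 0 };                /* constructed download */
    const uint8_t seven = 7;
    if (!write_code(&m, PORT_MAINT, prog, (int)sizeof prog) || !write_data(&m, 0, &seven, 1)) return -1;
    if (write_code(&m, PORT_INTERNET, payload, (int)sizeof payload)) return -1;  /* must be refused */
    write_data(&m, 8, payload, (int)sizeof payload);  /* the bytes can only land in data memory */
    return memcmp(m.code, prog, sizeof prog) == 0 ? run(&m, 100) : -1;
}
```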
This is only a partial solution; it does not address everything, including how Java—which is ubiquitous on Internet web pages—would run under this secure computer architecture. Hopefully others are also working on the cyber-warfare problems, and hopefully they are on our side.