From Sovereign Operating Systems to the Sovereign Digital Chain

NSA headquarters

This chapter, “From Sovereign Operating Systems to the Sovereign Digital Chain”, was written for the Third Symposium on the “History and Philosophy of Programming. History and Philosophy of Operating Systems” (CNAM, 2016). It was peer-reviewed in 2017 and is planned to be published as part of a Springer volume (HaPop-3) in summer 2018.

Keywords

Operating System, Internet, Software, Sovereignty, Security, Cryptography, Privacy, Open Source, CPU

Abstract

This chapter is a mostly non-technical reflection on the concept of “Sovereign Operating System” in the modern context of a globalized world. In a modern world, where software and data will potentially be driving anything in the near future, a nation’s sovereignty cannot be restricted to territorial questions such as land, air and sea property and frontiers, or to general regulation of national activity. It is either demonstrated or well admitted that many pieces of software, including operating systems, include backdoors that can either be used to spy on information on a system and send it to unauthorized parties, or be used by unauthorized parties to take control of local or connected devices. Furthermore, nowadays, more and more third-party Internet services (APIs) are integrated deeply into some modern OSes, and can be considered fully part of them. Some issues are also suspected with networks and the Internet, where massive amounts of data can be caught and analyzed illegally by hackers and countries, breaking the confidentiality of information at corporate or government levels. Even computer hardware cannot be excluded from possible takeovers, as there is rising evidence that some modern CPUs include backdoors by design. Therefore, it appears clearly that the operating system, even in its modern form, cannot be considered alone regarding the digital sovereignty question, as all parts of the digital chain in data processing and transit have to be carefully examined and reinforced.

1.1 Introduction

Could software or computers have any impact on the security, the economy or even the sovereignty of a nation?

It seems that until that day, in the early 2000s, the French Secretary of State at the Ministry of Economy, Finance and Industry had never wondered. The scene took place at MandrakeSoft headquarters in Paris, and the Secretary of State was quite incredulous when our team suggested that proprietary operating systems like Windows possibly had backdoors that could send information outside an organization without any permission. Sending unauthorized information outside his office, outside the French Army, outside a nuclear power plant. For example.

He was also doubtful when we suggested that those same proprietary operating systems, which are installed everywhere on computers in our country, could possibly be taken under control from the outside by foreign organizations or hackers. Why? Because nobody other than the proprietary OS publisher can review its source code. Neither a government, nor a nation’s army, nor a sensitive organization like a nuclear power plant can know for certain that the software they have paid for and are using can be trusted.

Another anecdote concerns a former minister of the Russian government who had access to sensitive information in the past. He once explained that during the war against Georgia in 2008, some Microsoft Windows operating systems that were used in some military equipment eventually stopped working as expected. This has been a trigger in the quest for a sovereign operating system in Russia.

This sounds unbelievable, but it is theoretically possible, and practically certain, that operating systems can be used to spy on information or be taken under control remotely in case of need, especially if they are connected to a network.

And over the past years, citizens and governments all over the world have started to realize that having full control of their territories, land, sea and air, and being in full control of their regulatory laws and army, are no longer sufficient to ensure their full sovereignty. A nation’s security, integrity and privacy can be threatened by very quiet systems that have spread massively across the world since the 90s: computers, networks and software.

1.2 Not a fiction: these are real matters

A famous example of the capability of a group of nations to impact another nation is Stuxnet, a software worm suspected of having infected five Iranian organizations involved in uranium enrichment in 2010. Stuxnet is believed to be the result of a cooperation between the USA and Israel. It used Windows operating systems to spread and finally attack Siemens industrial control systems in nuclear facilities in Iran.

Not directly related to operating systems is NSA’s PRISM program, which was launched in 2007 and disclosed in 2013 by the media. This global Internet surveillance program launched by the US government, with help from Google, Facebook, Apple, Microsoft, Yahoo!, Skype…, has organized a systematic capture and analysis of most of the Internet traffic for the purpose of anti-terrorism. PRISM put another highlight on citizen privacy concerns, economic intelligence matters and nation-wide sovereignty questions.

Some of these digital sovereignty concerns can be addressed efficiently: in response to the USA’s GPS positioning system infrastructure and to Russia’s GLONASS, the European Union (belatedly) succeeded in launching its own system, Galileo, which should start to operate in 2016/2017. In the end, this civil alternative to GPS will guarantee that EU civil and military infrastructures would still be able to rely on an efficient positioning system should the US Army decide to degrade the public GPS signal, for instance.

The digital era is bringing a huge sovereignty challenge to nations as everything is getting interconnected at the earth’s scale and information can be processed efficiently at a low cost. How can nations keep their freedom from any external control when they cannot be certain that they control the systems that govern the logic of their modern infrastructure and sensitive activities such as national defense?

Some solutions can be found for global infrastructures (such as with the Galileo alternative) when they can cohabit with other systems. But offering security and privacy guarantees for operating systems is more difficult: if a state were designing and building a Sovereign Operating System, it would probably not be able to ensure compatibility with existing software. This would restrict its potential usage and its acceptance. And it is also becoming more of a challenge nowadays because, over the years, the operating system’s scope of features has moved from very low-level routines — which allow software programs to interact with basic hardware functionalities — to higher-level, sophisticated abstraction layers that can even include graphical interface toolkits. One can even wonder whether nowadays’ operating system is not starting to move to Internet services and Artificial Intelligence APIs, which most of the time are under the control of software industry giants such as Google.

1.3 Towards an enlarged definition of “Operating System”?

Looking at the Merriam-Webster and Wikipedia definitions of an operating system, today it still refers to the kernel, which allows low-level interactions with the file system, peripherals, memory and CPU processing, and also, according to Wikipedia, to a software layer that provides common services for computer programs, such as a networking software stack and a graphical interface. That is: Linux, Apple’s macOS and iOS, Microsoft’s Windows, Google’s Android…

But for a few years now, software applications have been moving to web technologies, which commonly refers to HTML5/CSS/JavaScript technologies for programs that can run within the web browser. An exception remains on mobile devices with iOS and Android, where applications need to be installed before they can be used. But more and more of these applications are using external Internet-based resources: dedicated backend web services that run on remote servers. And in many cases these web services are using “standard APIs” and very high-level toolkits designed and offered (more or less for free) by web giants, such as the Facebook, Google and Twitter authentication APIs, the Google Maps APIs, Google’s Firebase APIs… Even Google and Apple have integrated some basic web services as core operating services, in particular for user authentication (Apple’s iCloud user id and Google ID).

It has become evident that the “low-level” operating system, formerly the kernel, recently the kernel plus some middleware and a graphical interface, and currently all of these plus a web browser, has become a “commodity software layer” in a more global infrastructure at Internet scale. Now we need to consider the operating system as a whole: from memory, storage I/Os and processors to Google et al. APIs and any Internet service.

One of the most visible signs of this recent revolution, from a user perspective, is that the “OS war” between Windows, Linux and Mac supporters — which was real at the end of the 90s and the beginning of the 2000s — is now totally over. Most of the time you will use the same software and services on any of these platforms, for a simple reason: most of them are using a web browser, such as Mozilla Firefox or Google Chrome. These are equally available on all OSes, and they offer a very high level of compatibility. Even Microsoft started to offer Windows 10 updates for free in 2016, which means that Microsoft’s business model, one of the most profitable business models of all time in the industry, has been violently disrupted in a very short time and that they need to totally reinvent this model at the Internet scale.

1.4 Concerns rise with network connectivity and Internet

Although we have moved from one dominant operating system publisher in the 80s and 90s (Microsoft) to three now (Microsoft, Apple and Google) — which can be seen as an improvement in some way — the control of the “Operating System New-Generation”[1] by Google, Apple, Microsoft and any Android-based smartphone integrator is still problematic because many of their core components remain closed-source. They don’t offer any guarantee to either individual users or organizations regarding their neutrality in terms of security and absence of backdoors.

Deviances of this kind are not rare: in November 2016, two different backdoors were found by security researchers on low-cost Android devices, which would affect more than 700 million Android devices. These backdoors were continuously sending user data to servers in China…

The same month, it was also disclosed that Apple’s iOS was secretly sending users’ call history to Apple iCloud servers.

Worse, proprietary software publishers and software vendors are possibly cooperating with intelligence agencies to ease access to spying:

Sadly, even Open Source operating systems, which are known to offer better guarantees since their source code is fully open, are not totally immune to backdoor risks: the Linux kernel security module “SELinux”, which is available in many Linux distributions, was jointly developed by Red Hat and… surprisingly, the NSA. It has also been alleged that Linus Torvalds was once approached by the NSA to introduce a backdoor into the Linux kernel. All in all, this means that users may be heavily concerned about their privacy, and that nations can be threatened in several respects:

  • Economic impacts: unless they are disconnected from computer networks, no single organization can now ensure that its confidential data is not escaping to competitors or intelligence agencies. For instance, Airbus was possibly spied on by the NSA, which could have abused the German intelligence infrastructure.
  • Security impacts: as critical organizations for a nation’s defense and army rely on computing systems and software that are possibly connected to the Internet and possibly crippled with backdoors or Trojan horses, there is no guarantee that these organizations cannot be listened to or taken over by foreign organizations or hackers. Additionally, very sensitive infrastructures such as nuclear power plants can be at risk because of these flaws, and expose people to major threats.

At this point, it is important to note that all these aspects can probably only be considered if some people can understand them and wonder about them. This means that digital sovereignty concerns, and the way they can be addressed, can only be handled by people who have enough education to understand both all the technical aspects and their impact on security and users’ privacy.

1.5 Would a Sovereign Operating System be a solution?

Over the past decade many nations have started to understand the stakes of a situation where a few nations have taken a huge lead and have been massively using all possible techniques to ensure that they could both listen to private and sensitive information from any place on the planet, such as with the PRISM program, and take control of or attack others’ sovereign infrastructures, such as with the Stuxnet worm.

One of the key components of modern infrastructures is the computer operating system, which is the bottom layer supporting all data processing and transit. Proprietary operating systems such as Microsoft Windows, Apple macOS and iOS… are massively used nationwide, both by individuals in their personal and professional lives, and by civil, governmental and military organizations. And they are like black boxes that do not offer any guarantee about the privacy of all the information processed and possible interactions with other organizations: competitors or foreign nations. Each of these black boxes, such as a computer or a smartphone, can be seen as a potential Trojan horse at someone else’s service.

As a result, some countries have decided to build “national Operating Systems” that they could control from A to Z. These operating systems are often forked from the Linux Open Source operating system.

Red Flag started in China in 1999 as a fork of the Red Hat Linux distribution, initiated by the Institute of Software Research at the Chinese Academy of Sciences. The Chinese government eventually asked Chinese Ministries to replace Windows 2000 with Red Flag, but Red Flag was terminated in 2014. The same year, China launched COS “China’s Operating System”, a Linux-based alternative to iOS and Android.

In Russia, several initiatives have tried to build a viable alternative to proprietary OSes, such as ROSA Linux, which started as a fork of Mandriva Linux, and in 2015 “Open Mobile Platform” was announced as a fork of the Linux-based Sailfish OS.

In Cuba, Nova is a state-sponsored Linux distribution launched in 2009, possibly discontinued in 2016.

Linux-based Canaima in Venezuela can also be seen as an attempt to have a Sovereign OS as it was required by a change in the Venezuelan law.

Red Star OS is probably one of the most used “Sovereign operating systems”, as the official North Korean OS. It is also a Linux-based operating system.

CLIP is an initiative that was started in 2005 by the French government agency ANSSI to build a secure operating system. It is built around a patched Linux kernel and is only available for government use and private partners (despite the fact that it is based on Open Source software…). It seems to be targeted only at office workers.

Early in 2016 the French Parliament decided by law to explore possible actions to better understand and improve French Digital Sovereignty. An Institute for Digital Sovereignty was created to federate actions in this field.

But it has become clear that a Sovereign Operating System, in the traditional meaning of an operating system, wouldn’t be enough to guarantee digital sovereignty for a nation: software applications, networks, the nature of digital contents, and even hardware should be considered. Additionally, considering a nationwide perspective in non-democratic countries, a Sovereign Operating System wouldn’t prevent any dictator from embedding software mechanisms into the OS that would be meant to control freedom of speech and contribute to mass surveillance.

1.6 The “digital chain sovereignty”

In fact, the whole computing chain has to be considered when some digital information is processed:

  • Computer hardware (CPU): in early 2016 it was revealed that new Intel x86 CPUs were incorporating an independent small CPU running a dedicated TCP/IP server that could be used to manage the computer. As it is totally encrypted, only Intel engineers can manage it, and possibly some US government security agencies such as the NSA. In fact, according to some technical studies, the whole x86 architecture is likely to have security and privacy concerns.
  • Operating system and applications: the kernel, various OS services and the software applications that run on top of the operating system. They can possibly relay some information to non-authorized systems, or be infected by a virus that can act as a Trojan horse and perform actions within the operating system or hardware.
  • External APIs used by applications: when using an external API to get or process some information, the application is sending some non-sensitive or sensitive information to the API publisher, for instance the user’s location. The API publisher can also restrict access to the API for some users or countries.
  • Network hardware: WAN and LAN switches and routers, firewalls. Backdoors have been found in consumer and professional hardware, and the PRISM surveillance program is collecting and analysing a big part of the Internet traffic.
  • Data contents: information is processed and moves from place to place within the computer and outside the computer, using networks. Unencrypted or weakly encrypted electronic documents are easy to spy on.

In order to regain sovereignty over the whole digital chain, each piece of this chain has to be examined in its technical aspects and understood. Then, actions have to be taken to ensure that this digital chain won’t be taken over at some point by non-authorized parties:

  • Computer hardware is maybe one of the most problematic issues because in some cases it may be impossible to prevent some unencrypted data from transiting through the processor and eventually being caught by independent processor parts such as those that exist in new Intel processors. Routine evaluation tests are needed to detect such cases. Regulation and laws are probably a way to explore to prevent these drifts. Open-sourced hardware designs can also be an option and could be encouraged by governments and regulation.
  • Operating systems: kernel security patches and isolation techniques can provide efficient ACLs to many parts of the system: memory, file system… Encryption and signatures can also be introduced to guarantee software integrity and some level of privacy in data exchanges. Of course, having access to the operating system source code is a huge advantage to guarantee its integrity, security and privacy through certification programs. Open Source operating systems such as Linux or BSD should be used when possible, but suspect security features such as the NSA-sponsored SELinux should be avoided. When the highest confidentiality and security are needed, the use of a highly secured Open Source operating system such as Qubes OS should be considered.
  • External API concerns are also difficult to address since they are external black boxes that cannot be trusted unless you can deal with their publisher to access their source code. Regulation and laws are probably a way to explore to prevent possible drifts. An option would be to provide alternate, independently and transparently operated APIs that would offer all guarantees.
  • Network hardware: routine evaluation is needed to detect issues. The impact on data privacy can be lowered a lot if data is heavily encrypted, since the useful content of collected data would normally be impossible to unveil. Anyhow, a real concern remains specifically with Internet routers, which need to be upgraded very carefully with the latest security patches to avoid possible large-scale takeovers or other abuses.
  • Data content: it is a key aspect of “digital sovereignty”. If all the data were heavily encrypted from its source to its destination, all the surrounding infrastructure could be left open to anyone with a low risk of being hijacked, although useful information about “who is talking to whom” could still be caught by a third party. This is reasonably easy to achieve for data in transit by using modern encryption algorithms with long keys. It is more of a challenge to do the same within the operating system or the processor when it comes to processing the data: it is difficult to compute 2+2 when the operands and the operator are encrypted.

1.7 Conclusion

In the modern world, where software and data will potentially be driving anything in the near future, a nation’s sovereignty cannot be restricted to territorial questions such as land, air and sea property and frontiers, or to general regulation of national activity. It has been demonstrated or is well admitted that many pieces of software, including operating systems, include backdoors that can either be used to spy on information on a system and send it to unauthorized parties, or be used by unauthorized parties to take control of local or connected devices. Furthermore, nowadays, more and more third-party Internet services (APIs) are integrated deeply into some modern OSes, and can be considered fully part of them. Some issues are also suspected with networks and the Internet, where massive amounts of data can be caught and analysed illegally by hackers and countries, breaking the confidentiality of information at corporate or government levels. Even the computer hardware cannot be excluded from possible takeovers, as there is rising evidence that some modern CPUs include backdoors by design.

Therefore, it appears clearly that the operating system, even in its modern form, cannot be considered alone regarding the digital sovereignty question, as all parts of the digital chain in data processing and transit have to be carefully examined and reinforced, technically speaking. A key aspect regarding operating systems is the capability for their users to access and review all of their source code. As a result, Open Source software, even if it does not offer a full guarantee of digital sovereignty, should be highly encouraged by governments, as well as open-sourced hardware designs for CPUs.

Another key aspect of data privacy and integrity is encryption. Robust and proven encryption techniques and algorithms should be used and encouraged to ensure data integrity when transiting over networks. In a modern democratic country, just as for the regular mail service, it can be accepted that governments can intentionally break into some data in specific situations, when they have good reasons to fear some illegal activity. But a massive interception and analysis of all user, corporate and government data going through networks, just in case of a possible future benefit, should not be tolerated.

It should also be highlighted that digital sovereignty concerns and security questions can only be understood and addressed by educated people with sufficient knowledge and expertise to understand them, in particular in the case of cyberattacks, which need to be analyzed in depth very quickly to be defeated. This means that the quest for Digital Sovereignty could hardly go without a strong educational system.

A strict regulation of these questions, at a world level, should also be brought to the negotiation table between nations in the future, as losing digital sovereignty is a threat for all, comparable to the threats of nuclear weapons and climate change. As a particular case, EU nations should probably reinforce their links and work together as a single voice if they want to be heard and impose their views: it appears clearly that small nations do not have enough power to negotiate against big blocks such as the USA, China or Russia, or even against the giant “GAFAM”[2] corporations. If EU nations could join forces and speak with only one voice, it would be easier to negotiate and suggest new models to ensure nations’ sovereignty, by emphasizing Open Source software and hardware designs, strict Internet regulation, public and/or own standards on cryptography, and a balanced policy on privacy versus security. Proposing a civil-oriented approach, just as was done with the Galileo positioning system, and doing a lot of pedagogy on these questions, would also probably help to gain support from the majority of citizens and therefore make possible a move to an ambitious new strategy regarding data chain sovereignty.
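The two technical points raised in Section 1.6 and in the conclusion, that signatures can guarantee software integrity and that encrypting data end to end leaves an observer with only “who is talking to whom”, are illustrated below in a small Go program. This is an added example, not code from the chapter or from any of the projects it names. It uses only the Go standard library (Ed25519 for the publisher signature, AES-256-GCM for data in transit); the artifact text, the endpoint names and the transit key are constructed sample values, and the `Envelope` type and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over the network. An intermediary (router,
// collection point) can read From and To; Cipher is AES-256-GCM
// ciphertext with its authentication tag appended, so the content and
// any tampering with it are hidden and detected respectively.
type Envelope struct {
	From   string
	To     string
	Nonce  []byte
	Cipher []byte
}

// SignArtifact is the publisher's side of software integrity: an Ed25519
// signature over the SHA-256 digest of an artifact (update package, image).
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact is the receiving system's side: true only if the artifact
// is byte-for-byte what the holder of the private key signed.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a payload for transit. The From/To header is bound to the
// ciphertext as additional authenticated data (AAD): it stays readable on
// the wire, but re-addressing the envelope breaks the authentication tag.
func Seal(key []byte, from, to string, payload []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(from + "\x00" + to)
	return Envelope{From: from, To: to, Nonce: nonce,
		Cipher: aead.Seal(nil, nonce, payload, aad)}, nil
}

// Open decrypts an envelope; any change to header, nonce or ciphertext
// makes the tag check fail and no plaintext is returned.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad := []byte(env.From + "\x00" + env.To)
	plain, err := aead.Open(nil, env.Nonce, env.Cipher, aad)
	if err != nil {
		return nil, errors.New("envelope rejected: integrity check failed")
	}
	return plain, nil
}

// Observe is all a passive collector on the path learns from an envelope:
// the endpoints and the size, never the content.
func Observe(env Envelope) string {
	return fmt.Sprintf("%s -> %s, %d bytes of ciphertext", env.From, env.To, len(env.Cipher))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("kernel-update-1.0: constructed sample package") // constructed
	sig := SignArtifact(priv, artifact)
	fmt.Println("genuine artifact verifies:", VerifyArtifact(pub, artifact, sig))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff
	fmt.Println("modified artifact verifies:", VerifyArtifact(pub, tampered, sig))

	key := make([]byte, 32) // constructed transit key; in practice agreed via a key exchange
	io.ReadFull(rand.Reader, key)
	env, _ := Seal(key, "ministry.example", "plant.example", []byte("operator roster"))
	fmt.Println("on the wire:", Observe(env))
	env.Cipher[0] ^= 0x01 // an intermediary alters one byte in transit
	_, err := Open(key, env)
	fmt.Println("altered envelope:", err)
}
```

Running it prints that the genuine artifact verifies and the modified one does not, that the observer sees only `ministry.example -> plant.example` and a byte count, and that the altered envelope is rejected. The example deliberately stops where the chapter does: the receiver must decrypt before it can process the payload, which is the “2+2 on encrypted operands” limit noted in Section 1.6.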

Gaël Duval 2016

[1] “Operating System New-Generation” is used to designate new forms of operating systems that include not only the kernel but also Internet-wide services and APIs.

[2] “GAFAM” is an acronym for “Google, Apple, Facebook, Amazon, Microsoft”.
