NSA Director Says the US Must Secure the Internet 250
Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials."
Are they joking? (Score:5, Insightful)
Until you control all the INPUTS, you can't control the OUTPUTS
I think these folks are actually trying to use scare-tactics in order to increase their own budgets short-term,
knowing that there is no feasible method of performing such a task.
What? (Score:5, Insightful)
Can we have our money back? (Score:5, Insightful)
We did make the Internet, and between government and business and private citizens we spent about $1 Trillion bringing it up to the state where Carly Fiorina and the other outsourcing robber-barons could use it to ship the whole information economy to India and China, cratering the return we expected from our investment, so they could pocket a few $billion in quick profit.
We'd like our money back. Someone tell Carly she owes us.
Re:The non-technical have lots of crazy ideas (Score:5, Insightful)
He has a masters degree in systems technology and another in physics, according to his biography, in addition to an MBA and a BS undergrad, plus lots of experience in intelligence and counter-intelligence, including in active combat scenarios, according to his biography. I suspect he's probably more "technical" than a large swath of people here, not to mention the general public. Just because he says folks doesn't mean his 'non-technical', so stfu.
I don't want a "protected" internet. (Score:5, Insightful)
The way to "protect" it is to not use it for stuff that, um, needs protecting.
Re:Easy Fix (Score:0, Insightful)
Ban all Microsoft products from connecting to the Internet.
Re:Are they joking? (Score:5, Insightful)
Exactly. What they are demanding is the banishment of anonymity at the very least.
Why.? (Score:1, Insightful)
Why would they be worried about securing the net when they won't secure our boarders...
Re:Already secure (Score:5, Insightful)
And how do you know that the host you SSH to is secure? It has at least one exposed attack vector if you can SSH to it, and probably more. And it's not enough that it's secure right now -- if it was broken into in the past (visibly or without traces), and someone made off with the host key, you can't protect against a man-in-the-middle attack.
Then there's the possibility of breaking in to the router in front of that host, which might give you access to other and less secure hosts in the same zone. Do you control that too?
And what about your system? Has it been 100% safe from day one until now?
No chain is stronger than the weakest link, including the endpoints.
Not quite (Score:5, Insightful)
You could be placed under investigation because of Who you ssh with.
Re:The non-technical have lots of crazy ideas (Score:5, Insightful)
if you read the summary about "Securing the internet" you'd know that the comment by this individual, technical or not, would give you the impression that he's a fucking moron.
I'm sure he's good at what he does, but "securing the internet" is not and will never be one of those things.
Even DNSSEC and IPv6 do nothing for "Security", because they haven't gotten back the original security issue: computers and/or users. Adding encryption, adding anything to allow anonymity and all you do is make it easier to poke holes in security. Get rid of anonymity and all you do is make it easier for people to use fraudulent identities since it assumes that nobody can be anonymous, which is also impossible. You're at the PC, and I'm behind you telling you what to do? Guess what, I'm anonymous.
Considering that security goes beyond the internet, shows how impossible the idea is. This is not even remotely reasonable.
Re:Already secure (Score:3, Insightful)
The internet is already secure for me, when using [Insert Technology Here]
I think that is missing the point somewhat - It is not secure against you speaking your mind on their corruption and organizing against it.
Plug a barrel with 10,000 holes? (Score:2, Insightful)
Should the government really be trying to manage security across the ENTIRE internet? Would you rather plug 10,000 holes in an old barrel or just build a new barrel? Maybe I just don't understand the issue enough, but wouldn't a separate Government/Military/infrastructure internet be more viable and easier to implement on existing systems thus costing less? And if you really needed access to the public internet, you could control the points of entry and monitor them much easier and more effectively.
Re:Are they joking? (Score:4, Insightful)
Well there's also relatively small steps like providing some better/simpler schemes for encryption/signing. PGP is pretty good, but poorly supported in most email clients. SSL is good, but CAs are lazy and expensive. SFTP provides encryption, but you generally need to blindly trust the host on the first connect.
One of the suggestions I've read around here is to support public keys in DNS records. If the DNS records are signed, then you can verify the public key did, in fact, come from the domain owner. Not a perfect solution, but it seems like it could be a first step to getting rid of the current CA system, which sucks IMO.
Re:Are they joking? (Score:2, Insightful)
Where are they saying that?
Re:Plug a barrel with 10,000 holes? (Score:4, Insightful)
Step 1) Set up the infrastructure you suggest; Step 2) allow academic researchers in; Step 3) allow college students in; Step 4) let other countries link up; Step 5) start allowing commercial enterprise in; Step 6) listen to the commercial enterprise whine how they should have more control over the internet; Step 7) listen to other countries whine since the US was nice enough to let them link up to the network, those countries are now entitled to equal control over the network; Step 8) listen to the open source crowd whine how the government is exercising too much control and security should be handled by them in a libertarian free-for-all. We've been through this before, the network won't stay secure.
Re:The non-technical have lots of crazy ideas (Score:5, Insightful)
At some point in history, there were doctors who were convinced that the four humours [wikipedia.org] were the chief actors in the body, and developed some pretty strange and barbaric rituals to regulate their levels. The finest doctors at that time went to the finest schools and received the best education in the world, as far as they were concerned. The trouble was that everything they believed was absolutely untrue. The foundation of every bit of their knowledge was built upon a lie.
Receiving a good education does not ensure that you are right or wrong, but it means you are very highly trained in the existing hubris of your culture. So I'm sure this guy worked very hard, and filled out all the right forms and kissed ass at the appropriate times and wrote brilliant regurgitations of his professor's theories to clamor his way to the top of the bourgeois dog pile of the desperately successful. But that doesn't mean his ideas are worth a damn.
And it also doesn't mean that they're not worth a damn. But the guy works for the government, and specifically, the part of the government that exists to protect American (corporate) interests above all else. His job is to make the internet safe for commerce, not to protect the free flow of information. He's got his hammer, and he intends to find some nails.
Re:The non-technical have lots of crazy ideas (Score:5, Insightful)
DNSSec is intended to prevent query cache poisoning. It's not a catch-all silver bullet and its not meant to be. Similarly, requiring IPSec in IPv6 solves certain problems, while leaving others untouched.
There will likely never be 100% security, for if there were, then you would have a 100% unusable system. But that doesn't mean that the current situation can't be made better. I just get the impression that a lot of people around here equate freedom with a reasonable expectation of getting away with a crime and have greasemonkey scripts to auto-respond with the Franklin security/liberty quote.
Re:Already secure (Score:5, Insightful)
You're missing the point entirely. When US gov. officials use the term "secure" they mean precisely "control and oppress those in question" or often "retain power at all costs". You must learn to read these statements properly.
Re:I don't want a "protected" internet. (Score:2, Insightful)
It's not broke and can't be "fixed".
All any attempts will do is F it up.
I'd say to help they could put some effort into enforcing the existing abuses spam and cyber fraud, but that would sadly be ineffective. Asshats won't enforce anything but the most blatant TOS violations.
Education is the answer, just like street savvy, folks need internet savvy.
Some are so gullible they should not be allowed on the Net, but it's not for me to say who.
Re:Are they joking? (Score:3, Insightful)
Of course.
By "securing the Internet" they really mean, "stop filesharing and wikileaks".
This is why neutrality regarding the infrastructure of the Internet has to be codified now. In a year, maybe two, it'll be too late. Once the telcos put up their toll booths and completely wipe out independent ISPs, it's all over.
I suppose though that the minute the first advertisement appeared on the web years ago the future was written in stone. You can't allow just anybody to connect to the Internet and provide content because that would make it a real free market, instead of the "Free Market" for very few that we have today.
The Internet was accidental, and the corporate elite has been working day and night to fix that happy accident. It won't happen again. That's why it's such a pity when you hear so-called "libertarians" talking about how we have to prevent "government regulation" of the Internet. They don't realize whose water they're carrying.
Re:The non-technical have lots of crazy ideas (Score:4, Insightful)
No, we can't secure the whole internet. What we can do, however, is make highly critical segments more secure. Part of that is physical security, part of it is better monitoring infrastructure, such as fiber tap splitters off to an IDS system at a backbone peering point. vendors such as Net Optics [netoptics.com] make just such a device, among others.
It would probably make more sense to run new lines, or light up some dark fiber, and move all the government stuff onto that, then have a few border crossings, like peerage points, where "real" internet access can be controlled and monitored to prevent breach of systems which aren't already on separate networks. They might do that already, I can't really say for sure.
Although, it still doesn't keep some random employee from doing something stupid on the inside, you can at least mitigate the impact. Then maybe, just leave much of the rest of the infrastructure as-is and have fend for ourselves, or whatever.
But yeah, we can just be picky and pedantic instead of just agreeing that there's a point of "good enough" that's more secure than what we have but less secure than just not having the system in the first place, or locking it away in a concrete bunker with no power.
Re:Are they joking? (Score:4, Insightful)
Re:Already secure (Score:3, Insightful)
For the US government (and likely any individual national government), the Internet has only one valid purpose: commerce. It must be a safe place to do business, first and foremost. Any other perks, such as free expression, political activism, and unbridled creativity are expendable if it makes pacifying the electorate and corporate interests easier.
When "national security" is discussed in context of the Internet, let's make no mistake, it just means "keep people from saying things we don't want them to say."
RTFS, FFS (Score:4, Insightful)
I know you can't ask Slashdot to read the article, but can't we even read the summary anymore? From the headline "US Must secure the Internet" (A change from the actual headline "US has a duty to secure the internet" to the actual NSA Director "has a responsibility to take a leadership role in securing the internet") maybe you can say they're talking about making online ID mandatory so all activities can be traced to an individuals internet license ID. Or something. But they're not. They're talking about providing expertise and advice to help others secure both public networks (like the Internet) as well as private networks (such as corporate and government networks.) This is similar to how the FDA advises the public on the proper temperature to cook your hamburger to to avoid e.coli, but doesn't send in the stormtroopers if their spy sats detect you BBQing undercooked meat. You can say that, given the government track record for incursions into their own networks, they have no business telling others how to secure their networks. And you'd probably be right, but you wouldn't be saying anything that TFA didn't say.
But, the majority of TFA is talking about how the government plans to improve the security of their own networks, and the steps that they have already taken. Very little is spent talking about their planned "leadership" roll in helping secure public and private networks across the country. It sounds an awful lot like leadership by example, however. There's no mention of new laws making security features mandatory, for example. More like just providing advice on how to secure a network, with examples of how they have improved their own security. It's being criticized as being overly broad and generalized. Which, again, is probably valid, since it's exactly the field of the people leveling the critiques. But nothing sounds malicious at all. Nothing sounds like, as people have been saying, they plan to eliminate anonymity by making all internet connections require a traceable license. That's pretty absurd, and if it's been brought up by the government, it wasn't by TFA or anybody in it. What he's saying is, the internet is important, and the government has a duty to protect it from attacks. Such as, a DDoS or other sort of attack taking down key points and knocking a substantial amount of the country offline. That would be a serious blow to the economy, so yes, the government does have a duty to do what it can to prevent that kind of attack.
Last but not least, is the quote that ends TFA.
Re:Already secure (Score:2, Insightful)
The internet is already secure enough for me, when using SSH to a trusted host.
Fixed parent's post for him.
I like the approach to personal security suggested in this [acm.org] article that was posted on Slashdot a while back. The basic gist is that the amount of effort we put into preventing an attack should be less than the probability of a successful attack occurring times the expected loss from a successful attack.
Now, I didn't RTFA, but I assume the types of attacks that the NSA director is referring to are more severe than loss of credit card theft and loss of personal data. Things like taking down our air traffic control systems or power grid. For those sorts of systems - yes I think we would want to invest the same level of effort into keeping those systems secure as we do keeping, say, our nuclear reactors secure.