NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

Posted by timothy
from the little-cubbies-for-everything dept.
GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

  • by Penguinisto (415985) on Thursday September 23, 2010 @06:28PM (#33681412) Journal

    The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op get latched onto those.

    Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to these specs [disa.mil] (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal.

    /P

  • by Znork (31774) on Thursday September 23, 2010 @06:52PM (#33681678)

    Partitioning is a pipe dream; any network with a significant number of users will have uncontrolled exchanges with the internet.

    The only way to have reasonable security is to keep certain subsystems separate and accessible only via specific gateways; no user is ever logically placed on those segments, and they are only ever accessed over very few very specific interfaces.

  • by Aqualung812 (959532) on Thursday September 23, 2010 @07:11PM (#33681898)

    I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.

    In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.

    The issue I had is that there are so many cases where bank A needs to talk to bank B, and neither wants to have the T1 line under its name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.

    People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.

  • Re:Uhh (Score:4, Informative)

    by mangu (126918) on Thursday September 23, 2010 @07:16PM (#33681950)

    You beat me to it, that's exactly what I was going to write.

    Saying something as stupid as this "secure zone" proposal should be enough to get banned from ever working in a high responsibility government job again. "Secure zones" already exist [wikipedia.org]; if they aren't being used correctly by the government, it is because people like Keith Alexander aren't doing their job.

  • by CherniyVolk (513591) on Thursday September 23, 2010 @07:37PM (#33682142)

    The government and military already have a "partitioned" inaccessible "internet". The real name of the "internet" you are using to view this site is called NIPRNET, and the "secure partitioned" one is called SIPRNET. The secured internet has been around for decades and is still used by governments around the world.

    So this proposition simply is a play on words, particularly a "partition" word, possibly for a total ground up restructuring scheme for sure. This is such a bold statement from a government official, it's baffling really.

  • by dwye (1127395) on Thursday September 23, 2010 @07:38PM (#33682154)

    > ever had to put all of /usr onto its own partition and lock the whole thing read-only?

    No, because SunOS5 had this on installation, back about 1990. With symbolic links and such, it was really quite simple. You remounted /usr as RW only when you had to remake the kernel, and then rebooted after (once a month or less often). In fact, our /usr was on a separate disk that had a hardware RO/RW switch on it.

    This stuff was worked out long ago. Then, it was ignored because someone decided to build from scratch with no more (prior) thoughts of security than a HAL-9000 had.

  • by Anonymous Coward on Thursday September 23, 2010 @09:15PM (#33682874)

    "The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet."

    And that, my dear Watson, is the kicker. On the scale he's talking about, it's untenable. Someone, somewhere on the network, will hook up a modem, or an AP with WEP or a default PSK, or what-have-you. Maybe even deliberately. And then you get serious havoc.

    And yes, it already happened. "TJX", anyone? I'm sure you can find more where that one came from.

  • by mrogers (85392) on Friday September 24, 2010 @06:43AM (#33685210)

    I've always wondered why people in this situation didn't build private networks based on protocols other than IP. A quick glance at /etc/protocols shows dozens of different protocols that can be carried by ethernet --- there must be something there that's sufficiently flexible to build a useful network out of but can't be carried by the Internet without protocol conversion.

    It's even easier than that - just patch every host (and every router, unfortunately - but hey, Cisco, here's where you get your billion dollar contract) to set the version field of IP packets to something that's invalid on the internet - let's say 3 - and to reject all other versions. That's got to be, what, a ten line patch? After that you can use off-the-shelf software for all the higher protocol layers, but if someone accidentally connects the private network to the internet, no packets will pass between the two networks.
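    The version-tagging idea in the post above, modelled in Python as an added example (not code from the thread or from any vendor): hosts on the private network stamp an otherwise-invalid version nibble on outgoing packets, and every receiver drops anything else, so an accidental cross-connection passes no traffic in either direction. It also shows the one thing the "ten line patch" has to include: the IPv4 header checksum covers the version nibble, so it must be recomputed or every router discards the rewritten packet as corrupt. The sample packet is constructed, and the function names are this example's own.

```python
import struct

def ip_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 for a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_version(packet: bytes) -> int:
    return packet[0] >> 4                    # high nibble of byte 0

def header_length(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4            # IHL, in bytes

def build_ipv4_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header (protocol 17) plus payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0, 64, 17, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ip_header_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def set_ip_version(packet: bytes, version: int) -> bytes:
    """Private-side rewrite: stamp the version nibble and recompute the checksum.
    The checksum covers the first header word, so a patch that only flips the
    nibble would make every router and host discard the packet as corrupt."""
    if not 0 <= version <= 15:
        raise ValueError("version is a 4-bit field")
    ihl = header_length(packet)
    hdr = bytearray(packet[:ihl])
    hdr[0] = (version << 4) | (hdr[0] & 0x0F)
    hdr[10:12] = b"\x00\x00"                 # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ip_header_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def accept_packet(packet: bytes, expected_version: int) -> bool:
    """Input check a host or gateway on the private network applies: drop
    anything whose version nibble is wrong or whose header checksum fails."""
    if len(packet) < 20:
        return False
    ihl = header_length(packet)
    if ihl < 20 or len(packet) < ihl:
        return False
    if ip_version(packet) != expected_version:
        return False
    return ip_header_checksum(packet[:ihl]) == 0
```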

  • by jmauro (32523) on Friday September 24, 2010 @09:57AM (#33686606)

    It's not an error or misconfiguration, you don't have the .mil CA in your trusted CAs. The DOD runs its own CA because they're pushing PKI for everything and don't want to have to pay another CA for each and every cert issued.
