NSA Director Says the US Must Secure the Internet

Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials."

He's right!

[Anonymous Coward]

Gen. Keith Alexander is absolutely correct.
It is a daunting task, but the USA should be leading the fight in securing the internet from nefarious organizations like the NSA.

Protection

[D3]

I think it would be more accurate to say we need to protect ourselves from the Internet vs. we should protect the Internet.

Re:Are they joking?

[rwa2]

Meh, joking aside, there's plenty of technical measures that they could be doing (not that we'd necessarily want these people to do this kind of thing for us)...

* Plopping down firewalls at internet trunks, then using them to filter out spam and portscans. Propagate rules to shut down bot traffic at the edge routers.

* Sniffing / logging all traffic with snort / ntop (but more likely something big commercial and expensive) for, uh, forensic analysis

* Requiring some sort of RealID authenticated onramps, so net access can be traced back to a credit card or better yet an "internet license" associated with someone's passport or other unique government ID

* Encrypted key escrow so they can peek inside encrypted data and streams.

Scary stuff with lots of room for abuse, but really not any different than what a mildly competent corporate IT department already does.

Maybe on the internet2 for mobile phones (the next generation).... the question is whether the new system will be "pre-secured" by the corporate walled gardens, or if the government will finally finish "securing" and thus killing off the first gen internet just as the new one comes online ;-P

The Internet is insecure?

[Nkwe]

I didn’t realize the Internet itself was insecure.

We could talk about securing applications that run on top of the Internet, but that would be a different conversation and I am not sure that is where we want the government to be.

Not possible...

[Last_Available_Usern]

The internet is basically hosted on public infrastructure. Until the government decides to lay down it's own lines (above and beyond what it currently has, which in no way would support national bandwidth requirements) and host it on hardened equipment there's little the administration can do other than wave their finger and say, "Hey you guys, make this safer!" And to be honest, this has a lot less to do with protecting us from cyber threats and a lot more to do with implementing federal taxation on usage/commerce as well as visibility of data in and out of any node on the national network without all the red tape that's currently involved. You can call me a conspiracist, but it doesn't sound as crazy when you consider all the truly critical Government/Military traffic is already hosted on dedicated government-owned lines/equipment.

Re:Already secure

[digitig]

"Secure" means different things to different people.

There's an old saying that if you ask the army to secure a building then they place armed guards at intervals around the perimeter and at strategic points within the building. If you ask the navy to secure a building then they make sure the doors and windows are locked before they leave. And if you ask the air force to secure a building then they take out a ten-year lease with an option to extend to twenty-five.

Which meaning is this one?

Perhaps offer some standards?

[mlts]

There are ways the US government can do some in advancing Internet security as a whole. Some that come to my mind (usual long list):

1: Subsidizing an OATH compatible OTP system. Perhaps get Aladdin/SafeNet or RSA to make tokens which support numbers that change every 30 seconds, and apps for devices. Now, a thief has to do more than just slurp a password to compromise a bank account. They would have to actively mess with the Web browser. This leads to #2.

2: A ZTIC-like system. This way, transactions are confirmed actively, so malware present on the system can't actively transfer money even if a bank account's password is compromised. This can be a hardware device, or a phone app.

3: Crypto contest for a RSA successor. RSA has stood strong, but another public key algorithm that is quantum computer resistant is needed. Of course, this isn't an easy task, compared to making symmetric key algos.

4: A backbone between businesses similar to NIPRnet, but for civilian transactions.

5: A civilian CAC for client certificates, with good mechanisms in place to deal with cards that are lost, stolen, locked out due to bad PIN retries, or accidentally microwaved.

6: SELinux's successor. Preferably a hybrid between it and AppArmor. The more technology in keeping applications to just what they need to run, the better.

7: This isn't directly Internet affecting, but perhaps find some R&D into backup technologies? It used to be a while back that companies were through about backups, and if you even thought about being a sysadmin, you knew how to do dumps, tars, full/incremental/differential backups, tape rotations (grandfather/father/son), offsite tapes, and so on. These days, people don't even bother with backups, and if they do, they think the cloud can do it, forgetting the time it takes to suck all that info back through a WAN connection on restore. Yes, backups are boring as all get-out, but in case other security measures fall apart, backups are what one uses to piece things back together.

Re:Already secure

[arth1]

I like the approach to personal security suggested in this article that was posted on Slashdot a while back. The basic gist is that the amount of effort we put into preventing an attack should be less than the probability of a successful attack occurring times the expected loss from a successful attack.

Should it? The whole justification for insurance is that we are willing to pay MORE than ( the probability of a disaster times the expected loss from a disaster ) whenever we are unable or unwilling to absorb the loss from a disaster.
The difference between actual risks and how much more we're willing to pay is what keeps insurance companies afloat.

Anyhow, the best way to strengthen security isn't through greenbacks but through intelligent implementations. A single gullible person in the chain of design can have extraordinary negative consequences.
I.e. don't put an MBA to do a man's job.