Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Government Privacy Security The Internet United States Your Rights Online

NSA Director Says the US Must Secure the Internet 250

Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials."
This discussion has been archived. No new comments can be posted.

NSA Director Says the US Must Secure the Internet

Comments Filter:
  • Are they joking? (Score:5, Insightful)

    by ak_hepcat ( 468765 ) <slashdot@akhepc[ ]com ['at.' in gap]> on Tuesday September 07, 2010 @12:29PM (#33499474) Homepage Journal

    Until you control all the INPUTS, you can't control the OUTPUTS

    I think these folks are actually trying to use scare-tactics in order to increase their own budgets short-term,
    knowing that there is no feasible method of performing such a task.

    • The internet is already secure for me, when using SSH to a trusted host.
      Job done.

      • Re:Already secure (Score:5, Insightful)

        by arth1 ( 260657 ) on Tuesday September 07, 2010 @12:50PM (#33499726) Homepage Journal

        And how do you know that the host you SSH to is secure? It has at least one exposed attack vector if you can SSH to it, and probably more. And it's not enough that it's secure right now -- if it was broken into in the past (visibly or without traces), and someone made off with the host key, you can't protect against a man-in-the-middle attack.
        Then there's the possibility of breaking in to the router in front of that host, which might give you access to other and less secure hosts in the same zone. Do you control that too?
        And what about your system? Has it been 100% safe from day one until now?

        No chain is stronger than the weakest link, including the endpoints.

        • Re: (Score:2, Insightful)

          by gregrah ( 1605707 )

          The internet is already secure enough for me, when using SSH to a trusted host.

          Fixed parent's post for him.

          I like the approach to personal security suggested in this [acm.org] article that was posted on Slashdot a while back. The basic gist is that the amount of effort we put into preventing an attack should be less than the probability of a successful attack occurring times the expected loss from a successful attack.

          Now, I didn't RTFA, but I assume the types of attacks that the NSA director is referring to are more severe than loss of credit card theft and loss of personal data. Things

          • Re: (Score:3, Interesting)

            by arth1 ( 260657 )

            I like the approach to personal security suggested in this article that was posted on Slashdot a while back. The basic gist is that the amount of effort we put into preventing an attack should be less than the probability of a successful attack occurring times the expected loss from a successful attack.

            Should it? The whole justification for insurance is that we are willing to pay MORE than ( the probability of a disaster times the expected loss from a disaster ) whenever we are unable or unwilling to abs

          • by dodobh ( 65811 )

            The probability of a successful attack tends to 1 given sufficient time.

      • Not quite (Score:5, Insightful)

        by Burz ( 138833 ) on Tuesday September 07, 2010 @12:50PM (#33499742) Homepage Journal

        You could be placed under investigation because of Who you ssh with.

      • Re: (Score:3, Insightful)

        Obligatory Pentagon War on Internet Video [youtube.com].

        The internet is already secure for me, when using [Insert Technology Here]

        I think that is missing the point somewhat - It is not secure against you speaking your mind on their corruption and organizing against it.

      • Re:Already secure (Score:5, Insightful)

        by Anonymous Coward on Tuesday September 07, 2010 @01:12PM (#33500026)

        You're missing the point entirely. When US gov. officials use the term "secure" they mean precisely "control and oppress those in question" or often "retain power at all costs". You must learn to read these statements properly.

        • Re: (Score:3, Insightful)

          by gorzek ( 647352 )

          For the US government (and likely any individual national government), the Internet has only one valid purpose: commerce. It must be a safe place to do business, first and foremost. Any other perks, such as free expression, political activism, and unbridled creativity are expendable if it makes pacifying the electorate and corporate interests easier.

          When "national security" is discussed in context of the Internet, let's make no mistake, it just means "keep people from saying things we don't want them to say

        • but disliking the us govt for what all govts do just makes you look silly

        • exactly right.

          This is about absolute control and power.... Not security

        • You're missing the point entirely. When US gov. officials use the term "secure" they mean precisely "control and oppress those in question" or often "retain power at all costs". You must learn to read these statements properly.

          It's naive to only call out "US gov. officials". Every gov't wants this power, and quite a few (maybe more than you'd like to admit) are working hard to get it.

        • Re: (Score:3, Funny)

          by jewens ( 993139 )

          CJCS to JCS: Gentlement, secure that building (points to building) and report back to me tomorrow.
          JCS: Yes sir!
          -24 hours later-
          Admiral: Sir, we've repainted the entire building and made sure all the doors are closed and locked.
          Army General: Sir, we've dug defensive fighting positions and established clear fields of fire 360 degrees around the building.
          Marine General: Sir, my men will secure the building in (checks watch) 3..2..1.. (Explosion heard in distance)
          Air Force General: D*****t! We just signed a 99

          • You just made my friggin' day. Normally, I'd be obliged to snort a beverage on my keyboard, thus ruining it, but I am without a drink at the moment. So, as a substitute, I'll simply smash it.
      • Re: (Score:3, Interesting)

        by digitig ( 1056110 )

        "Secure" means different things to different people.

        There's an old saying that if you ask the army to secure a building then they place armed guards at intervals around the perimeter and at strategic points within the building. If you ask the navy to secure a building then they make sure the doors and windows are locked before they leave. And if you ask the air force to secure a building then they take out a ten-year lease with an option to extend to twenty-five.

        Which meaning is this one?

      • Re: (Score:3, Informative)

        You are assuming that SSH is secure; I know of at least one attack on SSHv1, and it is likely that there are other attacks on SSHv2 (and yet-undiscovered attacks).
    • Of course they're not joking. All just part of securing the planet, you know. Did you imagine they had some smaller goal in mind?
    • by Burz ( 138833 ) on Tuesday September 07, 2010 @12:49PM (#33499722) Homepage Journal

      Exactly. What they are demanding is the banishment of anonymity at the very least.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Where are they saying that?

        • by Totenglocke ( 1291680 ) on Tuesday September 07, 2010 @01:32PM (#33500308)
          How does any government ever "secure" something? By adding multiple layers of bureaucracy and requiring multiple forms of identification to use the service.
          • How does any government ever "secure" something? By adding multiple layers of bureaucracy and requiring multiple forms of identification to use the service.

            That only slows down and annoys law abiding citizens while criminals continue to get through and around such regulations.
            Sources -
              - prohibition
              - gun control
              - war on drugs
              - TSA
              - border fence

      • Re: (Score:3, Insightful)

        by PopeRatzo ( 965947 ) *

        the banishment of anonymity

        Of course.

        By "securing the Internet" they really mean, "stop filesharing and wikileaks".

        This is why neutrality regarding the infrastructure of the Internet has to be codified now. In a year, maybe two, it'll be too late. Once the telcos put up their toll booths and completely wipe out independent ISPs, it's all over.

        I suppose though that the minute the first advertisement appeared on the web years ago the future was written in stone. You can't allow just anybody to connect to t

    • How to be secure from the internet:

      Disconnect the ethernet cable and the Wifi.

      $1 million for my groundbreaking solution please.

    • Re:Are they joking? (Score:5, Interesting)

      by rwa2 ( 4391 ) * on Tuesday September 07, 2010 @12:54PM (#33499786) Homepage Journal

      Meh, joking aside, there's plenty of technical measures that they could be doing (not that we'd necessarily want these people to do this kind of thing for us)...

      * Plopping down firewalls at internet trunks, then using them to filter out spam and portscans. Propagate rules to shut down bot traffic at the edge routers.

      * Sniffing / logging all traffic with snort / ntop (but more likely something big commercial and expensive) for, uh, forensic analysis

      * Requiring some sort of RealID authenticated onramps, so net access can be traced back to a credit card or better yet an "internet license" associated with someone's passport or other unique government ID

      * Encrypted key escrow so they can peek inside encrypted data and streams.

      Scary stuff with lots of room for abuse, but really not any different than what a mildly competent corporate IT department already does.

      Maybe on the internet2 for mobile phones (the next generation).... the question is whether the new system will be "pre-secured" by the corporate walled gardens, or if the government will finally finish "securing" and thus killing off the first gen internet just as the new one comes online ;-P

      • by nine-times ( 778537 ) <nine.times@gmail.com> on Tuesday September 07, 2010 @01:04PM (#33499904) Homepage

        Well there's also relatively small steps like providing some better/simpler schemes for encryption/signing. PGP is pretty good, but poorly supported in most email clients. SSL is good, but CAs are lazy and expensive. SFTP provides encryption, but you generally need to blindly trust the host on the first connect.

        One of the suggestions I've read around here is to support public keys in DNS records. If the DNS records are signed, then you can verify the public key did, in fact, come from the domain owner. Not a perfect solution, but it seems like it could be a first step to getting rid of the current CA system, which sucks IMO.

        • by bsDaemon ( 87307 )

          PGP is pretty good, ...

          Well, yeah... isn't that the point? /sarcasm (note to the uninitiated: PGP == Pretty Good Privacy).

        • Re: (Score:3, Informative)

          by arth1 ( 260657 )

          One of the suggestions I've read around here is to support public keys in DNS records. If the DNS records are signed, then you can verify the public key did, in fact, come from the domain owner.

          That feature has been in DNS and SSH for several years [ietf.org] now. The optional SSHFP record contains a fingerprint of the public key, and if the ssh client has VerifyHostKeyDNS set to "yes", you don't have to manually verify the host key.
          The question then is whether the DNS can be trusted.

          Anyhow, to generate a couple of D

          • Good to know, but it'd still be good if there were a consistent, uniform, and comprehensive approach to these things.

      • by mcgrew ( 92797 ) *

        Scary stuff with lots of room for abuse, but really not any different than what a mildly competent corporate IT department already does.

        The difference is that your employer owns his network and his employees' computers, and can do whatever he wants with them; they're his property. Not so the US and the internet and YOUR computer. The government has no right to restrict my computer use in any way, except to investigate and prosecute any criminal activity. And the investigation has to be legal and not trample

      • Oh, yeah "Internet license" -- that sounds good, huh? OMFG
    • in this case, the NSA stands for "Not Something Attainable"
    • I think these folks are actually trying to use scare-tactics in order to increase their own budgets short-term

      Dear citizens of the United States,

      In case you have not noticed, your government is spending and borrowing so much that the economy is seen by outsiders as being virtually on it's last legs, you cannot carry on printing money thinking it's going to fix the problem. You may fantasise that you can spend money on this and that, but you no longer can.

      Trying to "fix" the internet is the least of the US problems. Your budget deficit needs IMMEDIATE attention.

      Yours Sincerely,
      Someone who loves in another country wh

    • by ydrol ( 626558 )

      They should prevent "typing 'Google' into Google" denial of service attack for starters.

  • What? (Score:5, Insightful)

    by bhcompy ( 1877290 ) on Tuesday September 07, 2010 @12:30PM (#33499490)
    Secure it from you control freaks? Sure.
    • Because we can!
      Or at least that was 'good enough' of a reason for the Thunderbirds

      Allwe need now are some 'net savvy puppets with supersonic jets

  • by blair1q ( 305137 ) on Tuesday September 07, 2010 @12:33PM (#33499516) Journal

    We did make the Internet, and between government and business and private citizens we spent about $1 Trillion bringing it up to the state where Carly Fiorina and the other outsourcing robber-barons could use it to ship the whole information economy to India and China, cratering the return we expected from our investment, so they could pocket a few $billion in quick profit.

    We'd like our money back. Someone tell Carly she owes us.

    • Then send over some programmers with pliers and a blowtorch and get medieval on her ass

    • Someone tell Carly she owes us.

      Don't worry! She'll pay it back in service as California's next Senator!!! I can't wait until she starts outsourcing citizen positions to India - we could cut Social Security and Medicare payments by 70%! Go, Carly!!!!!

    • by Kjella ( 173770 )

      I'd love to see you try again only to see computers and networks merge into the Internet somewhere else, the US information economy would have fallen before it had even properly risen. Like that quote people pull out about the MPAA and RIAA, you don't have the right to halt progress just to preserve your profits and that goes for countries too. The rest of the world would have moved on and the US would be the one left behind.

      • by blair1q ( 305137 )

        The US was leading on everything. The rest of the world would have played catch-up. But rather than continue to compete, Carly & Co. shut down American jobs and moved the Internet economy across the ocean. It made her money and destroyed America's economy, and the shock to the financial sector almost took the world's economy with it. If there hadn't been a coincidental situation brewing with the real-estate/credit fraud market there would have been no bubble/bust in the mid-00s to camouflage it.

        See,

    • I don't agree with you. Internet maybe first started at ARPA to have a communication network system that could still work if some catastrophe would happen. However later it was used to share information between universities and later businesses. Since we all like freetrade and don't like tight government control over business, it is America who has to keep up or lead. A way to lead is by creating products cheaper and of higher quality than others (the combination of those two). If you can't do it cheaper, y
  • Easy Fix (Score:3, Funny)

    by Kagato ( 116051 ) on Tuesday September 07, 2010 @12:34PM (#33499528)

    Block all traffic to .ru and .cn.

  • So long as the smarter people remain outside the law, it will never be secure. /generalization

  • by wcrowe ( 94389 ) on Tuesday September 07, 2010 @12:42PM (#33499632)

    The way to "protect" it is to not use it for stuff that, um, needs protecting.

    • Re: (Score:2, Insightful)

      by Grand Facade ( 35180 )

      It's not broke and can't be "fixed".

      All any attempts will do is F it up.

      I'd say to help they could put some effort into enforcing the existing abuses spam and cyber fraud, but that would sadly be ineffective. Asshats won't enforce anything but the most blatant TOS violations.

      Education is the answer, just like street savvy, folks need internet savvy.

      Some are so gullible they should not be allowed on the Net, but it's not for me to say who.

  • Protection (Score:5, Interesting)

    by D3 ( 31029 ) <.moc.liamg. .ta. .gninnehddivad.> on Tuesday September 07, 2010 @12:48PM (#33499698) Journal
    I think it would be more accurate to say we need to protect ourselves from the Internet vs. we should protect the Internet.
  • Should the government really be trying to manage security across the ENTIRE internet? Would you rather plug 10,000 holes in an old barrel or just build a new barrel? Maybe I just don't understand the issue enough, but wouldn't a separate Government/Military/infrastructure internet be more viable and easier to implement on existing systems thus costing less? And if you really needed access to the public internet, you could control the points of entry and monitor them much easier and more effectively.

    • by nomadic ( 141991 ) <nomadicworld@ g m a i l . com> on Tuesday September 07, 2010 @01:09PM (#33499984) Homepage
      Should the government really be trying to manage security across the ENTIRE internet? Would you rather plug 10,000 holes in an old barrel or just build a new barrel? Maybe I just don't understand the issue enough, but wouldn't a separate Government/Military/infrastructure internet be more viable and easier to implement on existing systems thus costing less? And if you really needed access to the public internet, you could control the points of entry and monitor them much easier and more effectively.

      Step 1) Set up the infrastructure you suggest; Step 2) allow academic researchers in; Step 3) allow college students in; Step 4) let other countries link up; Step 5) start allowing commercial enterprise in; Step 6) listen to the commercial enterprise whine how they should have more control over the internet; Step 7) listen to other countries whine since the US was nice enough to let them link up to the network, those countries are now entitled to equal control over the network; Step 8) listen to the open source crowd whine how the government is exercising too much control and security should be handled by them in a libertarian free-for-all. We've been through this before, the network won't stay secure.
  • by Nkwe ( 604125 ) on Tuesday September 07, 2010 @01:01PM (#33499862)
    I didn’t realize the Internet itself was insecure.

    We could talk about securing applications that run on top of the Internet, but that would be a different conversation and I am not sure that is where we want the government to be.
  • Not possible... (Score:3, Interesting)

    by Last_Available_Usern ( 756093 ) on Tuesday September 07, 2010 @01:04PM (#33499896)
    The internet is basically hosted on public infrastructure. Until the government decides to lay down it's own lines (above and beyond what it currently has, which in no way would support national bandwidth requirements) and host it on hardened equipment there's little the administration can do other than wave their finger and say, "Hey you guys, make this safer!" And to be honest, this has a lot less to do with protecting us from cyber threats and a lot more to do with implementing federal taxation on usage/commerce as well as visibility of data in and out of any node on the national network without all the red tape that's currently involved. You can call me a conspiracist, but it doesn't sound as crazy when you consider all the truly critical Government/Military traffic is already hosted on dedicated government-owned lines/equipment.
  • ...Why doesn't the government worry about securing their own networks before acting like they have the "expertise" to secure the entire internet.
  • The first step is to stop movie and music piracy, right? Truly the biggest threat to our country (if you ask any politician getting big campaign donations from Hollywood and big media, that is).
  • Just add an "s" to your "http"!

  • A house can be considered secure when doors and windows are closed and locked. Is the hose secure from criminal invasion? No
    The house is secured from unauthorized access. Can the house be secured? No

    So, How do you stop criminal entry? Stop the criminal. In the process of stopping the criminal can the home be used? No
    Using the home will endanger or at least penalize the private home owners, and may inadvertently criminalize the home owner,
    because there is a pot-plant growing (not for use/distribution) in the

    • by Aladrin ( 926209 )

      Should have gone with the car analogy. Since they were invented here (like the internet) they fit a little better. ;)

  • by mlts ( 1038732 ) * on Tuesday September 07, 2010 @01:43PM (#33500456)

    There are ways the US government can do some in advancing Internet security as a whole. Some that come to my mind (usual long list):

    1: Subsidizing an OATH compatible OTP system. Perhaps get Aladdin/SafeNet or RSA to make tokens which support numbers that change every 30 seconds, and apps for devices. Now, a thief has to do more than just slurp a password to compromise a bank account. They would have to actively mess with the Web browser. This leads to #2.

    2: A ZTIC-like system. This way, transactions are confirmed actively, so malware present on the system can't actively transfer money even if a bank account's password is compromised. This can be a hardware device, or a phone app.

    3: Crypto contest for a RSA successor. RSA has stood strong, but another public key algorithm that is quantum computer resistant is needed. Of course, this isn't an easy task, compared to making symmetric key algos.

    4: A backbone between businesses similar to NIPRnet, but for civilian transactions.

    5: A civilian CAC for client certificates, with good mechanisms in place to deal with cards that are lost, stolen, locked out due to bad PIN retries, or accidentally microwaved.

    6: SELinux's successor. Preferably a hybrid between it and AppArmor. The more technology in keeping applications to just what they need to run, the better.

    7: This isn't directly Internet affecting, but perhaps find some R&D into backup technologies? It used to be a while back that companies were through about backups, and if you even thought about being a sysadmin, you knew how to do dumps, tars, full/incremental/differential backups, tape rotations (grandfather/father/son), offsite tapes, and so on. These days, people don't even bother with backups, and if they do, they think the cloud can do it, forgetting the time it takes to suck all that info back through a WAN connection on restore. Yes, backups are boring as all get-out, but in case other security measures fall apart, backups are what one uses to piece things back together.

  • RTFS, FFS (Score:4, Insightful)

    by canajin56 ( 660655 ) on Tuesday September 07, 2010 @02:03PM (#33500708)

    I know you can't ask Slashdot to read the article, but can't we even read the summary anymore? From the headline "US Must secure the Internet" (A change from the actual headline "US has a duty to secure the internet" to the actual NSA Director "has a responsibility to take a leadership role in securing the internet") maybe you can say they're talking about making online ID mandatory so all activities can be traced to an individuals internet license ID. Or something. But they're not. They're talking about providing expertise and advice to help others secure both public networks (like the Internet) as well as private networks (such as corporate and government networks.) This is similar to how the FDA advises the public on the proper temperature to cook your hamburger to to avoid e.coli, but doesn't send in the stormtroopers if their spy sats detect you BBQing undercooked meat. You can say that, given the government track record for incursions into their own networks, they have no business telling others how to secure their networks. And you'd probably be right, but you wouldn't be saying anything that TFA didn't say.

    But, the majority of TFA is talking about how the government plans to improve the security of their own networks, and the steps that they have already taken. Very little is spent talking about their planned "leadership" roll in helping secure public and private networks across the country. It sounds an awful lot like leadership by example, however. There's no mention of new laws making security features mandatory, for example. More like just providing advice on how to secure a network, with examples of how they have improved their own security. It's being criticized as being overly broad and generalized. Which, again, is probably valid, since it's exactly the field of the people leveling the critiques. But nothing sounds malicious at all. Nothing sounds like, as people have been saying, they plan to eliminate anonymity by making all internet connections require a traceable license. That's pretty absurd, and if it's been brought up by the government, it wasn't by TFA or anybody in it. What he's saying is, the internet is important, and the government has a duty to protect it from attacks. Such as, a DDoS or other sort of attack taking down key points and knocking a substantial amount of the country offline. That would be a serious blow to the economy, so yes, the government does have a duty to do what it can to prevent that kind of attack.

    Last but not least, is the quote that ends TFA.

    "Our citizens take a lot of interest in the government's activities in this area, and I have an obligation to the law and the American people to ensure everything we do preserves and protects their rights while protecting our interests," he said. "That's an obligation that's never compromised."

  • done (Score:4, Informative)

    by Venik ( 915777 ) on Tuesday September 07, 2010 @02:16PM (#33500944)

    NSA Director Says the US Must Secure the Internet

    As of 10am EST this morning I have completely secured the Internet. The NSA director and my immediate management have been notified. I closed the ticket.

  • wrap the tubes with tape.
  • The "Internet" provides a pipe into my network. My network is secure. I am not sure how anyone would go and secure the inter-networking connection between my network and others. Well, yes, I can see the value of hardening the infrastructure (protecting fiber-optic and cable links). And, taking this literally, that is the meaning.

    But, for some reason, I am sure that is not what is meant. What I suspect is that anyone who connects to the main backbones, or a subsidiary will need to have some confirmation that

  • ... or doesn't see the sub-contractor profit in it.

  • a responsibility to take a leadership role in securing the Internet against both internal and external attackers,

    When the man says "external attackers" does he mean people who are not current users and should be forcibly kept out of the internet, or does he mean *reaaaally external* attackers, such as the Borg?

  • Here It Comes... (Score:3, Informative)

    by BlueStrat ( 756137 ) on Tuesday September 07, 2010 @03:31PM (#33501994)

    They've been working themselves up to this for a while now, and it appears that the lead-in propaganda campaign has heated up. I can't believe that I haven't seen another post discussing this yet. It fits perfectly with TFA/TFS. Two words.

    Trusted Computing. [trustedcom...ggroup.org]

    Here [cam.ac.uk] is a paper by Ross Anderson on some of what implementing Trusted Computing will mean.

    This had better be nipped before implementation or there won't be another chance. The internet is a tool with more than one use, just as with nearly any tool. While the internet has tremendous power to empower, inform, and enrich, it also has tremendous power to monitor, control, and suppress if Trusted Computing is allowed to be implemented.

    Strat

  • They should have thought of that in the seventies.

    Or how about security eye for the promiscuous guy.

Technology is dominated by those who manage what they do not understand.

Working...