NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries 258
GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."
Isn't this kinda backwards? (Score:3, Interesting)
I mean, wasn't the internet designed/made for the military in the first place (ARPA/DARPA)? Then first the institutions (.edu) and later the commercial market (.com) came along and took it over. I guess creating a new network from scratch (and doing it RIGHT this time) is easier than kicking the rest of us pikers off of what was theirs in the first place.
Re:"Partition"? Build separate infrastructure inst (Score:3, Interesting)
That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.
Cheers,
I think a much better approach is to assume that the intermediate network is insecure and beyond your control. Then, use very strong end-to-end encryption to make a secure tunnel, much like the SSH approach. I mean, this is the NSA here. It's not like they wouldn't know how to use good encryption.
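The model this comment describes, endpoints that trust nothing in between and verify every message with a shared key, as an added example that is not part of the original thread. It shows only the integrity half of an SSH-style tunnel (a real tunnel would also encrypt with a standard AEAD cipher); the shared key, the messages and the tampering middlebox are constructed for the demo.

```python
"""Integrity protection for traffic crossing an untrusted network.

Added example, not from the original thread. It models the poster's point:
treat the middle of the path as hostile and let the endpoints verify each
other's messages with a shared key, the way SSH authenticates every packet.
Only the integrity half is shown; a real tunnel would also encrypt with a
standard AEAD cipher. Key and messages below are constructed for the demo.
"""
import hashlib
import hmac
import struct

# Constructed demo key; a real tunnel derives this from a key exchange.
SHARED_KEY = b"demo-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output length


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte sequence number || payload || HMAC-SHA256 tag.
    The tag covers seq and payload, so neither can be altered or replayed."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Tracks the expected sequence number and rejects bad or replayed frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def open(self, frame: bytes):
        """Return the payload if the frame is authentic and in order, else None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (seq,) = struct.unpack("!Q", header)
        if seq != self.next_seq:  # replayed or reordered frame
            return None
        self.next_seq = seq + 1
        return payload


def hostile_middlebox(frame: bytes) -> bytes:
    """Constructed in-path device that rewrites part of the payload, as an
    inspection box that alters traffic could."""
    return frame.replace(b"amount=100", b"amount=900")


def run_demo():
    """Send three frames through the hostile path; return what the receiver accepts."""
    rx = Receiver(SHARED_KEY)
    results = []
    # 1. Untouched frame: accepted.
    f0 = seal(SHARED_KEY, 0, b"transfer amount=100 to=alice")
    results.append(rx.open(f0))
    # 2. Tampered in transit: tag no longer matches, rejected.
    f1 = hostile_middlebox(seal(SHARED_KEY, 1, b"transfer amount=100 to=bob"))
    results.append(rx.open(f1))
    # 3. Replay of frame 0: valid tag but stale sequence number, rejected.
    results.append(rx.open(f0))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print("ACCEPTED" if r else "REJECTED", r)
```

The middlebox changes the amount without breaking the frame layout, which is exactly what a plaintext path allows; the receiver still rejects it because the tag was computed by the sender over the original bytes, and the sequence number in the authenticated header stops the same frame being fed back later.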
Re:Uhh (Score:4, Interesting)
First they'll set up a new network for "critical infrastructure," which you can only connect "certified" devices to, and then you'll start to see things...like suddenly your bank will require you to use that new, secure, not-open network. Then new and popular music will only be made available on that network. Then videos, games, books, and so forth, until eventually the Internet falls by the wayside, as forgotten as Fidonet, even if it even remains in existence. You will only be allowed to connect certain computers to that network, running certain software, and of course, you will not have any sort of root access to your system.
Re:So, what they want is... (Score:3, Interesting)
I've always wondered why people in this situation didn't build private networks based on protocols other than IP. A quick glance at /etc/protocols shows dozens of different protocols that can be carried by ethernet --- there must be something there that's sufficiently flexible to build a useful network out of but can't be carried by the Internet without protocol conversion. The old OSI protocol suite, for example. Or even write your own if you want special features, such as pervasive authentication on all connections (so you always know who made a connection, not just where from).
This adds an extra level of protection, in that it's much harder to be accidentally gatewayed onto the Internet; you need to have special applications that speak both IP and whatever protocol you're using and translate between them to even communicate.
Of course, you'll probably end up having to rewrite your entire set of application software from scratch to speak the new protocol, but TBH if you really need the security this is likely to be a good idea anyway (provided you don't farm it out to the lowest bidder). And if you're so concerned about security that you're willing to contemplate partitioning the Internet, cost isn't likely to be an issue...
Re:absolutely, do it yourself, fool (Score:2, Interesting)
That already exists. Depending on the intelligence agency, there are many "high-side" networks that operate exactly like "The Internet". Some even have a version of twitter and facebook/myspace.
http://en.wikipedia.org/wiki/Joint_Worldwide_Intelligence_Communications_System
Re:Uhh (Score:2, Interesting)
So you're saying this guy is a sociopath with a dream of world domination?
Seems like quite a leap to accuse him of that based on "Maybe we should set up a second parallel network which we completely control for mission critical information."
I love that half of the comments to this story read:
"OMG DON'T USE THE INTERNET FOR MISSION CRITICAL FUNCTIONS IDIOTS!"
and the other half respond
"OMG IT'S ALL A PLOY TO STEAL OUR INTERNETZ!"
Re:absolutely, do it yourself, fool (Score:3, Interesting)
In theory, the idea makes sense. In reality, unless you're going to have every terminal under armed guard, there are going to be risks, and even armed guards won't completely eliminate those risks. If it's an IP network, it and the protocols that flow on top of it will be vulnerable in the same way that the real Internet is.
If there were a way to make safe zones in the manner that this guy is talking of it would have been done long ago. Unfortunately, security is really hard, and requires not just the talent of a lot of IT professionals in different disciplines, but it also requires the discipline of the users. You can only lock things down so far before they cease to be useful.
But every few years you'll have some high-level mucky-muck declare something like this, as if security experts hadn't been at the problem for the last twenty years, since the Internet first really began to see people outside of government, military and academia start using it and the holes in the protocols started becoming more obvious.
Re:do it yourself- it will work for seconds (Score:3, Interesting)
Depending on what data is at stake, you could get fired on really quickly if you refused to stand down from the terminal.
Re:absolutely, do it yourself, fool (Score:3, Interesting)
Of this list, only China and Al-Qaeda are likely to attack the US's infrastructure. Iran and Venezuela have nothing to gain from such a stunt, and would simply be giving the US an excuse to invade. The same is true of North Korea, whose leader cares only about his own life of luxury. Al-Qaeda is nuts, while China is a rival for world power, so they might do it. Dunno about Libya. And Cowboy Neal is unlikely to saw off the branch he's sitting on.
Stop making up boogeymen, OK?
Re:absolutely, do it yourself, fool (Score:4, Interesting)
Paranoia.
Re:How so? (Score:4, Interesting)
What else would a person working on a secured network need to access?
Depends what you mean by "secured". Speaking from experience ... the military runs a separate network, but provides gateways / proxies for external net access. At one point I was tasked to work on web development for the internal network, and I found external internet access to be invaluable as a reference - especially since a lot of the programming was in ASP, and I only had experience with PHP. Without it, I would have had to create a purchase request for an "ASP for Dummies" book, get the funding approved, wait a year (ok, maybe 3 months) for it to finally arrive, and then spend 3 times as long digging through it as it took to just punch a search into google every time I wasn't sure about something.
That's just one example - there are plenty of other legitimate reasons to have internet access on an otherwise secure network. Of course, as I said, it depends on your definition of "secured network". If we're talking about the control systems for a nuclear power plant, then yeah, it might be a good idea to have an air-gap.