NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

  • by Sooner Boomer ( 96864 ) on Thursday September 23, 2010 @06:27PM (#33681408) Journal

    I mean, wasn't the internet designed/made for the military in the first place (ARPA/DARPA)? Then first the institutions (.edu) and later the commercial market (.com) came along and took it over. I guess creating a new network from scratch (and doing it RIGHT this time) is easier than kicking the rest of us pikers off of what was theirs in the first place.

  • by bartle ( 447377 ) on Thursday September 23, 2010 @06:33PM (#33681468) Homepage
    This idea of a nationwide secure network has never made much sense to me. Creating a secure network in a small organization is pretty easy but creating one that links many public and private enterprises sounds like a disaster. Gaps will inevitably appear but worse it creates a real target for someone who wishes to create harm.
  • by causality ( 777677 ) on Thursday September 23, 2010 @06:35PM (#33681484)

    That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.


    I think a much better approach is to assume that the intermediate network is insecure and beyond your control. Then, use very strong end-to-end encryption to make a secure tunnel, much like the SSH approach. I mean, this is the NSA here. It's not like they wouldn't know how to use good encryption.

  • Re:Uhh (Score:4, Interesting)

    by betterunixthanunix ( 980855 ) on Thursday September 23, 2010 @06:35PM (#33681500)
    The public statement is just a political maneuver, to help with the real goal: killing the open Internet. The free and open Internet is a nightmare for them, because it allows all sorts of people to communicate and do things without being monitored. It is bad for business (which is what the US Government is really interested in protecting) and bad for the politicians who bankroll the NSA.

    First they'll set up a new network for "critical infrastructure," which you can only connect "certified" devices to, and then you'll start to see suddenly your bank will require you to use that new, secure, not-open network. Then new and popular music will only be made available on that network. Then videos, games, books, and so forth, until eventually the Internet falls by the wayside, as forgotten as Fidonet, even if it even remains in existence. You will only be allowed to connect certain computers to that network, running certain software, and of course, you will not have any sort of root access to your system.
  • by david.given ( 6740 ) on Thursday September 23, 2010 @07:25PM (#33682036) Homepage Journal

    I've always wondered why people in this situation didn't build private networks based on protocols other than IP. A quick glance at /etc/protocols shows dozens of different protocols that can be carried by ethernet --- there must be something there that's sufficiently flexible to build a useful network out of but can't be carried by the Internet without protocol conversion. The old OSI protocol suite, for example. Or even write your own if you want special features, such as pervasive authentication on all connections (so you always know who made a connection, not just where from).

    This adds an extra level of protection, in that it's much harder to be accidentally gatewayed onto the Internet; you need to have special applications that speak both IP and whatever protocol you're using and translate between them to even communicate.

    Of course, you'll probably end up having to rewrite your entire set of application software from scratch to speak the new protocol, but TBH if you really need the security this is likely to be a good idea anyway (provided you don't farm it out to the lowest bidder). And if you're so concerned about security that you're willing to contemplate partitioning the Internet, cost isn't likely to be an issue...

  • by Anonymous Coward on Thursday September 23, 2010 @08:12PM (#33682482)

    That already exists. Depending on the intelligence agency, there are many "high-side" networks that operate exactly like "The Internet". Some even have a version of Twitter and Facebook/MySpace.

  • Bogus cruft (Score:2, Interesting)

    by woboyle ( 1044168 ) on Thursday September 23, 2010 @08:15PM (#33682500)
    The US military and defense establishment already has its own private internet (DarpaNet), along with backbone and such. This is just, in the words of Bruce Schneier, so much security theater. The physics research community also has its own network, PhysNet, that provides high bandwidth and secure connections between major research sites and universities world-wide. Yes, they interconnect to the broader Internet, but they don't carry general Internet traffic and are quite secure against outside hackers.
  • Re:Uhh (Score:2, Interesting)

    by im_thatoneguy ( 819432 ) on Thursday September 23, 2010 @08:21PM (#33682546)

    So you're saying this guy is a sociopath with a dream of world domination?

    Seems like quite a leap to accuse him of that based on "Maybe we should setup a second parallel network which we completely control for mission critical information."

    I love that half of the comments to this story read:
    and the other half respond

  • by MightyMartian ( 840721 ) on Thursday September 23, 2010 @09:10PM (#33682844) Journal

    In theory, the idea makes sense. In reality, unless you're going to have every terminal under armed guard, there's going to be risks, and even armed guards won't completely eliminate those risks. If it's an IP network, it and the protocols that flow on top of it will be vulnerable in the same way that the real Internet is.

    If there were a way to make safe zones in the manner that this guy is talking of it would have been done long ago. Unfortunately, security is really hard, and requires not just the talent of a lot of IT professionals in different disciplines, but it also requires the discipline of the users. You can only lock things down so far before they cease to be useful.

    But every few years you'll have some high-level mucky-muck declare something like this, as if security experts hadn't been at the problem for the last twenty years, since the Internet first really began to see people outside of government, military and academia start using it and the holes in the protocols started becoming more obvious.

  • by mr_mischief ( 456295 ) on Thursday September 23, 2010 @10:44PM (#33683434) Journal

    Depending on what data is at stake, you could get fired on really quickly if you refused to stand down from the terminal.

  • by ultranova ( 717540 ) on Friday September 24, 2010 @08:25AM (#33685610)

    As such, it'd be the most targeted network imaginable, with any entity (China Iran Venezuela, N. Korea, Cowboy Neal, al Qaeda, IRA, Libya..)

    Of this list, only China and Al-Qaeda are likely to attack the US's infrastructure. Iran and Venezuela have nothing to gain from such a stunt, and would simply be giving the US an excuse to invade. The same is true of North Korea, whose leader cares only about his own life of luxury. Al-Qaeda is nuts, while China is a rival for world power, so they might do it. Dunno about Libya. And Cowboy Neal is unlikely to saw off the branch he's sitting on.

    Stop making up boogeymen, OK?

  • by c6gunner ( 950153 ) on Friday September 24, 2010 @09:05AM (#33686002)


  • Re:How so? (Score:4, Interesting)

    by c6gunner ( 950153 ) on Friday September 24, 2010 @09:15AM (#33686120)

    What else would a person working on a secured network need to access?

    Depends what you mean by "secured". Speaking from experience ... the military runs a separate network, but provides gateways / proxies for external net access. At one point I was tasked to work on web development for the internal network, and I found external internet access to be invaluable as a reference - especially since a lot of the programming was in ASP, and I only had experience with PHP. Without it, I would have had to create a purchase request for an "ASP for Dummies" book, get the funding approved, wait a year (ok, maybe 3 months) for it to finally arrive, and then spend 3 times as long digging through it as it took to just punch a search into google every time I wasn't sure about something.

    That's just one example - there are plenty of other legitimate reasons to have internet access on an otherwise secure network. Of course, as I said, it depends on your definition of "secured network". If we're talking about the control systems for a nuclear power plant, then yeah, it might be a good idea to have an air-gap.
