General Keith Alexander heads the U.S. Cyber Command and is the Director of the NSA. In prepared testimony today he said the government should set up a secure zone for themselves and critical infrastructure, walled off from the rest of the Internet.
“You could come up with what I would call a secure zone, a protected zone, that you want government and critical infrastructure to work in that part,” Alexander said. “At some point it’s going to be on the table. The question is how are we going to do it.”
Alexander said setting up such a network would be technically straightforward, but difficult to sell to the businesses involved. Explaining the measure to the public would also be a challenge, he added.
I don’t think explaining it to the public would be too tough, but practically speaking this one is a non-starter. Even if you build it, it will only be marginally more secure than the current Internet. Here’s why:
The U.S. government currently runs its own private networks for managing classified information. For information of a certain classification, the networks and systems involved are completely segregated from the Internet. No playing Farmville on a SIPRnet-connected system.
Extending this to the private sector is essentially a non-starter, at least without heavy regulation and a ton of cash. Most of our critical infrastructure, such as power generation/transmission and financial services, used to also be on their own private networks. But – often against the advice of us security folks – due to various business pressures they’ve connected these to Internet-facing systems and created a heck of a mess. When you are allowed to check your email on the same system you use to control electricity, it’s hard to not get hacked. When you put Internet facing web applications on top of back-end financial servers, it’s hard to keep the bad guys from stealing your cash.
Backing out of our current situation could probably only happen with onerous legislation and government funding. And even then, training the work forces of those organizations to not screw it up and reconnect everything back to the Internet again would probably be an even tougher job. Gotta check that Facebook and email at work.
If they pull it off, more power to them. From a security perspective isolating the network could reduce some of our risk, but I can’t really imagine the disaster we’d have to experience before we could align public and private interests behind such a monumental change.
Reader interactions
One Reply to “Government Pipe Dreams”
This would presumably be the same head of Cyber Command who revealed that in 2008 one of their classified networks was compromised by a foreign agent who successfully got a mark to insert an infected USB stick into a connected system. If the DOD can’t protect its own classified networks, then why in the world would we think they could magically setup a special “secure” zone for so-called critical infrastructure?
Of course, more importantly is the complete and utter lack of outside-the-box thinking demonstrated here. This is ultimately consistent with everything these same politicians (yes, I realize he’s a general) have been trying for years, which is to expand their turf using FUD-based arguments that lack proper founding and only serve to expand the government’s footprint while doing nothing to improve security.
If they really wanted to help critical infrastructure (in particular, the energy sector), then they could start by slicing and dicing the mountain of regulations that is crushing this sector and literally preventing companies from making any sort of meaningful security improvements whatsoever. Not to mention the ill-sighted, heavy-handed push for SmartGrid before the technology is ready (not to mention that broken meters are being deployed with no fix available for weaknesses over a year old).