Slashdot Mirror


Air Force To Rewrite the Rules of the Internet

meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.

25 of 547 comments

  1. Disconnect by electrictroy · · Score: 5, Insightful

    If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access.

    --
    The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
    1. Re:Disconnect by Kagura · · Score: 5, Informative

      They actually are smart, and any computers accessing Secret information and above are NOT allowed to be hooked up to the internet or a network with access to the internet, EVER.

    2. Re:Disconnect by Atriqus · · Score: 5, Funny

      Actually, I liked the previous version... it better illustrated the obviousness of the solution.

      --
      Hey, look! It's Bono's brother.
    3. Re:Disconnect by sam0737 · · Score: 5, Funny

      Someone, someday, will lose a USB thumbdrive carrying the sensitive information.

      Perhaps we need a new RFC, similar to this one [RFC1149], for USB thumbdrives.

    4. Re:Disconnect by Swizec · · Score: 5, Insightful

      Then there is that one company that started off very small and ended up changing the rules of the internet completely.

      You know ... Google.

    5. Re:Disconnect by hey! · · Score: 5, Insightful

      Correction: any computer which is supposed to be allowed to access Secret information is not allowed to be hooked up to the Internet. I suspect there is no way to enforce the rule as you state it without possibly divulging what is secret and what is not. For example if I'm monitoring a computer and find that a bunch of files have been deleted, I might look at one of the files I downloaded that was purged, and say, "hey, this memo implies the F35 can climb at over 330 meters/second."

      What I'm saying is that it's best not to trust in systems to operate according to the rules.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:Disconnect by MrNaz · · Score: 5, Funny

      Because the Air Force can't catch people over the internet, that must mean that they are also vulnerable to vans with tinted windows in the car park of the armed forces branch headquarters with a 20" dish antenna mounted on top.

      --
      I hate printers.
    7. Re:Disconnect by ChrisA90278 · · Score: 5, Insightful

      Yes that is pretty much the first rule. Any machine with sensitive data is not hooked up to the Internet. Not even via a firewall. They call it an "air gap" but today with wireless the term is an anachronism but still you get the idea: "no connection at all".

      Computers that handle REALLY sensitive stuff can't even be connected to normal AC power systems or even to normal building ground wires.

      Many of the computers have removable disk drives. That is where ALL of the drives can be removed without tools. The rule requires the drives to be removed and stored in a safe when not in use.

      Believe me they do have a few smart people who understand security and they have a decent educational system in place where people have to go to class and read some papers before they can use systems that handle sensitive information. And they are required to re-take the classes periodically.

      But then there are always idiots and even normal people forget and make mistakes. But then typically some guard is assigned the task to walk around and pull on safe handles and check that desks are clear and so on. He'll likely catch most of the mistakes.

    8. Re:Disconnect by Dun+Malg · · Score: 5, Informative

      "hey, this memo implies the F35 can climb at over 330 meters/second."

      Actually, there's plenty of that stuff around, and it's actually not necessarily classified, even if it's true. In the bad old days of the cold war, I asked the security officer in my Army unit why all this crap we were working with was classified SECRET and TOP SECRET when the same exact information was available to anyone purchasing a Jane's book by mail order. It was explained to me that it was not the raw information that was secret, but rather the positive verification that it was true that was being controlled. Most classified information falls into that category, really. Very little of it is truly secret, in that nobody without clearance knows it. I've seen quite a few pictures of "people and stuff at locations in Certain Southwest Asian Countries" that I know from personal experience would be classified SECRET or higher if they were government photos rather than casual snapshots taken by a yokel or journalist with a pocket camera. What the classification of the subject matter does is bar me (under penalty of waterboarding or whatever) from pointing out which pictures those are.

      --
      If a job's not worth doing, it's not worth doing right.
    9. Re:Disconnect by Swizec · · Score: 5, Insightful

      Google changed something very important about the internet. It made bookmarking obsolete by actually being able to find the content you need quicker than browsing through a list of bookmarks.

      That's a pretty radical change to before-google-became-all-too-popular times.

    10. Re:Disconnect by Ethanol-fueled · · Score: 5, Insightful

      Google is a verb.

      Altavista, Hotbot, and MSN are not verbs. Yahoo! tried to make its name a verb (with their "Do you Yahoo?" slogan) but failed. Ask is a verb, but unlike Google, Ask was born a verb, it wasn't made one because of its ubiquity and popularity among the masses.

    11. Re:Disconnect by Narpak · · Score: 5, Interesting

      The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

      I reckon that if any entity tries a large scale centralisation of the "the internet" then the users will simply adapt and decentralize in other ways.

      The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously. However with advances in wireless technologies setting up other ways to transmit data is not only possible, but easier and cheaper than ever before. It's not about doing things that are illegal, but rather that to ensure freedom, liberty and justice there need to be ways of communicating that are not subject to government (or corporate) scrutiny.

      Of course that is not what this specific case is about, but I fear that whatever measures they implement (or try to) will carry with it a host of other issues that could inhibit the ability of ordinary citizens to access knowledge or data without being logged in an ever growing database. The phrase "if you are not doing anything illegal you have nothing to worry about" is misleading, since it does not consider the possibility that what you did today, while not illegal, could be used months, years, decades, down the line when the motivations of those with access to the database change (or indeed the database falls into the hands of antagonistic person(s)).

    12. Re:Disconnect by DeusExMach · · Score: 5, Funny

      A googol is a one with a hundred zeros.

      I internet all the time.

    13. Re:Disconnect by earlymon · · Score: 5, Interesting

      Not true. While working for the Dept of Defense I saw this scenario played out - it was around 1995.

      A van pulled up about a quarter-block away from a BDM building (located on a very public street) but the van was just too suspicious, for reasons I'd rather not elaborate on. Secretaries returning from lunch noticed it and reported it to security. Local police cordoned off the area very, very quickly - almost real-time - coincident with a first-responder team from the local USAF base. Automatic rifles were pointed at the van from three directions, two Ruger AC-556s were laid against the back door, and the solid side of the van was struck with some sort of hammer, and a cry to get the fuck out of the van ensued. Public area, people put rapidly out of harm's way. I recall that from phone report to guy laid out being handcuffed took less than 20 minutes.

      And yes, he was a spy, using the latest EM-based eavesdropping equipment. Saw it and heard it. None of this sir, please step out crap.

      Maybe a decade later we've learned to coddle suspected spies... no, wait - I saw Harold and Kumar Escape from Guantanamo Bay (sorry, couldn't resist) - I rather doubt it, but then, I could be in error.

      --
      Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
    14. Re:Disconnect by pcgabe · · Score: 5, Funny

      almost real-time

      As opposed to turn-based?

      --
      Don't put advice in your sig.
  2. They've solved their own problem by yttrstein · · Score: 5, Informative

    ""[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds."

    Luckily for the Air Force, they don't actually have to do any work at all to make this happen, since it's been not only possible, but actually implemented since at least 1998, when RFC 2341 was written all about Virtual Private Networks.

    Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

    1. Re:They've solved their own problem by sexconker · · Score: 5, Insightful

      VPN?
      How bout a private network.

      Which is what all secret and above classifications use.

      Physically disconnected from the internet.
      Physically inaccessible by the plebes.

      Code auditing, memory wiping, classification-based job scheduling (a machine works only on secret defense or only on top secret or only on top secret nuclear, or etc. jobs at a time, never mixing), secure attention keys, custom hardware, physical security, surveillance, custom hardware, etc.

      I'd say that, for the shit that matters, they've got a pretty good setup. But let's listen to the internet nerds who think they know everything. They'll tell us how to fix it.

  3. There is porn of it. by Anonymous Coward · · Score: 5, Funny

    I hope they don't overlook Rule 34.

  4. It worked for the Army! by David+Gerard · · Score: 5, Funny

    Remember that the 304th Military Intelligence Battalion declared Twitter a terrorist weapon. God forbid they discover pen and paper. Or modulated farting, for that matter.

    --
    http://rocknerd.co.uk
    1. Re:It worked for the Army! by internerdj · · Score: 5, Funny

      I was wondering who used Twitter.

  5. there's nothing wrong here by circletimessquare · · Score: 5, Interesting

    for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

    and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

    kind of like the internet itself

    somebody is going to do this at some point, considering the various shortcomings of our present dominant protocol suite

    that it would be the military to do it first makes sense

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  6. Penny Arcade by Sasayaki · · Score: 5, Funny

    As usual, Penny Arcade predicted the future. (http://www.penny-arcade.com/comic/2007/07/16/)

    Technician: Our webs are down, sir. We can't log in!

    Agent: Which webs?

    Technician: All of them.

    Technician: They've penetrated our code walls. They're stealing the Internet!

    Agent: We'll need to hack all IPs simultaneously.

    --
    Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
  7. prevent IP spoofing - save the world by iceco2 · · Score: 5, Insightful

    Actually there is a very simple measure ISPs can take to prevent many attacks, and that is to prevent their customers from spoofing the source IP in their IP packets.
    If governments (starting with the US) would pressure (force by law) ISPs to do this, it can be done without much technological difficulty.
    This anti-spoofing measure can be implemented on many levels, so that even if a certain ISP does not co-operate other ISPs could prevent its customers from spoofing any IP which does not belong to the problematic ISP. This in itself helps protect against IP spoofing.

    Without IP spoofing attackers are more easily identified and blocked.
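
Added illustration, not part of the comment above: a sketch of the source-address validation it describes (commonly called ingress filtering, BCP 38), applied both at customer ports and at the boundary with a neighbouring ISP that does not filter. The port names, the `isp-x` peer and all prefixes are constructed for this example and use documentation address ranges.

```python
import ipaddress

# Constructed topology (assumption): documentation prefixes from RFC 5737
# and RFC 3849. Each ingress port lists the only source prefixes it may emit.
INGRESS_ALLOWED = {
    "customer:a": ["192.0.2.0/25"],
    "customer:b": ["192.0.2.128/25", "2001:db8:b::/48"],
    # Second level: a neighbouring ISP that does not filter its own customers.
    # We can still pin traffic from that link to the ISP's own address space.
    "peer:isp-x": ["198.51.100.0/24"],
}


def build_table(allowed):
    """Parse prefix strings once so per-packet checks are cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in allowed.items()}


def source_valid(table, port, src):
    """True only if src belongs to a prefix assigned to the ingress port."""
    nets = table.get(port)
    if nets is None:
        return False  # unknown port: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address
    return any(addr.version == n.version and addr in n for n in nets)


def filter_packets(table, packets):
    """Return (port, src, verdict) for each (port, src) pair."""
    return [(port, src, "forward" if source_valid(table, port, src) else "drop")
            for port, src in packets]


# Constructed sample traffic: (ingress port, claimed source address).
SAMPLE_PACKETS = [
    ("customer:a", "192.0.2.10"),     # own address
    ("customer:a", "192.0.2.200"),    # spoofing customer b
    ("customer:a", "203.0.113.5"),    # spoofing an outside network
    ("customer:b", "2001:db8:b::1"),  # own IPv6 address
    ("customer:b", "2001:db8:a::1"),  # IPv6 outside its assignment
    ("peer:isp-x", "198.51.100.77"),  # inside isp-x space: cannot tell who
    ("peer:isp-x", "192.0.2.10"),     # isp-x customer spoofing customer a
    ("port:unknown", "192.0.2.10"),   # no assignment on record
]

if __name__ == "__main__":
    for row in filter_packets(build_table(INGRESS_ALLOWED), SAMPLE_PACKETS):
        print(*row)
```

The `peer:isp-x` rows show the limit of filtering on another ISP's behalf: spoofing within that ISP's own range still passes, but its customers can no longer claim addresses belonging to anyone else.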

  8. achilles heel by Eil · · Score: 5, Insightful

    The Air Force excels at just about everything they do. But for the past decade or two, their Achilles Heel has been computing technology because it moves faster than anything else they're used to.

    The Air Force is a very old organization and although they can generally respond to most anything quickly, overall change tends to happen very very slowly. Not long after I enlisted in 1998, there were rumors that the uniform was going to change from the classic camouflage pattern to a kind of pixellated-marble look. Based on what recent photos I can find, they're still only about halfway through getting the new uniform out to everyone.

    Also, I know for a fact we're still flying some planes with vacuum tubes in the autopilot computer even though upgrades for all airframes have been around since at least the 80's. Most of the technical manuals that I used to repair avionics were between 25-40 years old and still had technical errors in them. (We weren't able to make corrections to technical manuals any more than you'd be allowed to make pen-and-ink corrections to a federal law.)

    Computer use only became common in most squadrons about 10 years ago and even then, they were not really used for the correct purposes. Some captain would get the bright idea that somebody should use a spreadsheet program instead of a paper form for some menial task, force everybody to use it, ignore the pleas from his subordinates that it tripled the effort required to perform the task, and then make up some elaborate report for his commander about how he just saved the Air Force $358,000.

    While I was in the service, the Air Force never really caught on that you had to hire and train smart people who know about computers if you wanted to make the most of them. Some squadrons took young administrative airmen fresh out of tech school and sat them down in front of the admin console and said, "All right, it's your job now to make sure this doesn't break." This is very uncharacteristic of the Air Force as you normally need at least several weeks of training before you can be trusted to mop the floor correctly. But when a commander has something that needs to be done and he doesn't know how to do it, it's not at all uncommon for him to assign someone to it while implying that they should be rather quiet about it.

    Other units farmed out network administration to government contractors like Lockheed Martin which wasn't any better because most of their employees are old military retirees who thought they were going to get paid more as a civilian for doing the same thing they did in the military and ended up being wrong on both counts. (Got seven stripes and an MSCE? Then they're hiring!)

    I guess this long-winded point is that it doesn't surprise me that high-level Air Force officers are saying, "Hey, who says we can't control this thing? We're the Air Force, after all." They're used to having fine-grained control over everything in their view and a high degree of security surrounding it.

    "Defensive operations are constantly playing 'catch up' to an ever-increasing onslaught of attacks that seem to always stay one step ahead," says the Air Force Research Laboratory's "Integrated Cyber Defense" request for proposals. "In order to tip the balance in favor of the defender, we must develop a strategic approach to cyber defense that transcends the day to day reactive operations."

    In other words, the Air Force is still nowhere near where they need to be in terms of network security. The only encouraging part of this is that they finally realize it.

  9. Re:Jurisdiction... by interstellar_donkey · · Score: 5, Insightful

    Right. And some harsh realities have to be realized by the AF or any DOD department.

    1) The Internet does not belong to America. Period. It is a global network of good guys and bad guys, and the rest of the world won't, nor should they abide by our rules.

    2) The Internet does not belong to the military. It has far more to do with domestic and international trade and information than it does to various arms of the DOD.

    If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.

    --
    The Internet is generally stupid