NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

Capitalized, with definite article

[symbolset]

Somebody's confused about the difference between "an internet" and "The Internet".

Re:Capitalized, with definite article

[tgatliff]

He apparently seems to have a misunderstanding on what a VPN is as well...

Also, the problem is not "the internet". The problem is people in general. If you only allow a system to be modified by a physical person in front of a unix/linux/vxworks (or similar) terminal with no network connection, then it makes "hacking" something like pretty much impossible unless a person is physically present.

Isn't that just a network?

[XanC]

This is what a bunch of us have been saying for a while: there's no reason for those really critical things to be on the Internet. Now they're proposing that they won't be, but are calling it a "partition". (??)

Re:Isn't that just a network?

[airfoobar]

Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

Re:Isn't that just a network?

[causality]

Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

This could be a great "excuse" for us, too. We should make him a deal. Partition off the governmental and "critical industry". Now the public Internet has no more high-profile targets. Then, drop all the warrantless wiretapping, eavesdropping, and other monitoring from the public Internet and use it to lock down the governmental and critical parts. All of the resources and manpower focused on a much smaller target should do wonders towards securing us against the currently trendy bogeyman of "cyberattack".

Re:Isn't that just a network?

[phantomfive]

The people doesn't need an 'excuse' to make a deal with the government. We don't need to make deals with the government. In a government of the people, by the people, and for the people, when we want something done, we tell the government to do it.

Now all we need to do is convince the vast majority of the country to oppose warrantless wiretapping, etc. Most people are ok with that kind of thing, you know, because it catches criminals or terrorists or something. In other words, he doesn't need to make a deal with you, and he won't, because he has the people on his side. See also, "how Bush got congress to agree to invade Iraq by convincing the vast majority (for a brief moment) that it would help with terrorists or something."

Re:Isn't that just a network?

[sokoban]

Their goal is probably to get an excuse to somehow restructure the internet..

Actually, it's an excuse to get the funding to somehow restructure the internet.

Re:Isn't that just a network?

[h00manist]

The people doesn't need an 'excuse' to make a deal with the government. We don't need to make deals with the government. In a government of the people, by the people, and for the people, when we want something done, we tell the government to do it. Now all we need to do is convince the vast majority of the country to oppose warrantless wiretapping, etc.

To start organizing people, finding 10 people who agree on anything besides drinking beer and partying would be a phenomenal start.

It just takes one...

[DoofusOfDeath]

One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.

In fact, thinking they are safe in a walled garden is likely to lower their level of caution.

And it doesn't require an active network link spanning the networks. Virus and other nasties can be entered via CD's, USB sticks (I'm looking at you, U.S. Navy), or malicious persons on the inside.

If this guy is serious, what he probably wants is the ability to partition the Internet such that walled gardens can be set up, torn down, and have their membership adjusted very quickly.

On, and to hope that the ability to mess with that never gets into the wrong hands.

I suppose

[KarrdeSW]

I suppose it would be possible to build a whole second infrastructure across the country for Government agencies and 'critical industries', one that would never necessarily cross lines with any part of the 'insecure' internet. However, I would think the fact that you would need a nationwide infrastructure is what would make it just as insecure as the real thing, as there would be innumerable points for a malicious person to connect in. Also, unless you plan on creating a whole new 'secure' operating system to connect to every computer on this new network, you're still going to be vulnerable if anyone brings in a flash drive or a DVD with a virus.

Oh, and you could NEVER allow wireless connections to this network... that would just be too damn easy.

Re:I suppose

[countSudoku()]

They are compromised from the inside before they even string up one RJ-45 cable. Just tell Gen. Nuisance that "We'll just not dial into the bad guy's BBS, Sir." and call it a day. These are the great "cyber warriors" from the USA; unable to comprehend and put up a VPN for this shit. Dumb, and dumber.

Re:I suppose

[PCM2]

I suppose it would be possible to build a whole second infrastructure across the country for Government agencies and 'critical industries', one that would never necessarily cross lines with any part of the 'insecure' internet.

Yeah, but why would the NSA want that? This is the NSA we're talking about, not the Department of Defense. What they probably want is to reconfigure the Internet so that there are lots of "walls" all over the place, like a maze. Most of the walls will have doors on them, so your traffic will be able to pass through without noticing a thing. The NSA is selling this as if the idea is to make some special walls that don't have doors on them, so those parts of the network will be more secure -- but I'm betting the real idea is the NSA gets to sit on top of all those walls and look down.

Someone didn't get the memo

NIPR? SIPR? You want a third network that you don't manage properly or put realistic security policies on?

Fucking bureaucrat.

Uhh

[ShooterNeo]

Is this guy legitimate? How the hell did someone so ignorant of networking become head of US cyber command? NOTHING stops someone from grabbing off the shelf hardware and creating a WAN that has no hardware connections with the global internet. Or, there's various virtual ways to do this that are almost as good. Companies and institutions have been doing this for decades. Hackers can only get in if the institution is dumb enough to put the mission critical hardware on a network that IS connected to the internet, or even dumber, run the mission critical control system on a windows machine. Of course, corporations do this all the time...

Re:Uhh

[Strange+Ranger]

Keith knows about WANs and VLANs and VPNs. My guess is this is just Keith's way of campaigning for a 200 million dollar budget so he can go on a serious shopping spree.

Also, having direct control and access to all the information that will be on it. "Come on in banks and military suppliers, Telecoms, and Energy companies, etc., sure there's room for you on the Homeland Network!!"

My tin foil hat doesn't warp my brain. "Killing the open internet" isn't the goal of this public statement or this proposal. Growing his budget and expanding the scope of Homeland Security, certainly.

Do we still teach the dangers of Fascism in school these days? My tinfoil hat does compel me to include this Wikipedia quote "Fascists seek to organize a nation according to corporatist perspectives, values, and systems, including the political system and the economy."

Think how much easier it could be to share information without getting caught.

So, what they want is...

[Todd+Knarr]

So, what they want is a private IP-based network. No sweat, we've been building those for a couple of decades now. When I did point-of-sale for a truck-stock company, we had our own private network for connecting to our stores, credit-card processors and the like. You need routers, appropriate leased-line or other dedicated bandwidth, and some time spent on a white-board laying out the topology. The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet. Yes, this means the machines on that network aren't going to be able to access the public Internet. You wanted a private, isolated network, you get a private, isolated network. If you want to live dangerously you can create appropriate DMZs and firewalls and proxies to give internal machines external access, but remember that that means worms, viruses and other malware can ride in on stuff coming back in through that external access and infect machines inside the perimeter. At that point your "protected" network isn't protected at all (in fact it's probably more vulnerable, since you likely skimped on internal protection since it's supposed to be a protected network).

"Partition"? Build separate infrastructure instead

[zooblethorpe]

That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.

Cheers,

Re:WTF?!?

[Penguinisto]

They are for the Military - Google for NIPR and SIPR as a good start...

NSA chief invents "Networking", film at 11.

[eataTREE]

As many have no doubt pointed out, there is not now and has never been anything that stops anyone from building their own TCP/IP-based network and only allowing trusted users/machines/sites to connect to that network. There is no inherent need to connect *anything* to the public Internet, much less an asset that contains confidential information.

The thing that bothers me most about this announcement is the clear implication that secret data *isn't* currently partitioned onto private networks at top-secret government agencies.

absolutely, do it yourself, fool

[swschrad]

you get yourself a bunch of private pipes, and you use them as a backbone using IP, and you use a private set of addresses like the 10-net, and you make no connections whatsoever between this and The Connected Internet.

and you have an internet.

and it's not connected to The Connected Internet.

and then you can control your own security.

and as long as you do not put any software on any machines on the private internet that comes from untrusted sources and has not been vetted, you're nice and secure.

nothing with any criticality should EVER be connected to The Connected Internet.

glad you've made a start in this process. now build one. a bunch of pre-teens could hash up one in an hour if you don't need a bunch of wacky routing rules.

Re:absolutely, do it yourself, fool

[tgatliff]

Let me guess.... Actually, what this is really about is that the head of NSA is upset that he cannot currently stream HD 1080p porn directly to his desk from another government friend employee. I mean, it is just sooooo choppy. A new network must be made immediately!!!

Re:absolutely, do it yourself, fool

[gerf]

wacky routing rules

This is absolutely necessary. I'll asplain why.

A Unconnected Internet would be a pretty much by definition a lucrative honeypot for those who you are trying to keep out. As such, it'd be the most targeted network imaginable, with any entity (China Iran Venezuela, N. Korea, Cowboy Neal, al Qaeda, IRA, Libya..) that would possibly want to damage infrastructure a super huge easy target. Since it's a "separate" network run by the internet-incompetent government, it's going to be vulnerable once access is had. So, you're going to have people bribed to plug in USB sticks to Siemens controllers (see previous /. story). So, we'll need to find out where attacks are coming from, and not allow any kind of anonymity on this super-trusted network. Therefore, since we'll need uber traceability, we'll need some crazy routing.

Perhaps not. I just think that this sort of network, if made wrong (most likely), would be a detriment to security, especially with civilian access.

Re:absolutely, do it yourself, fool

[bev_tech_rob]

When I read the summary that is what I thought....'isn't he describing a private WAN?'.... Critical infrastructure control systems shouldn't be connected to the open internet, period. The CEO's can loosen their purse strings and hire someone to monitor the systems instead of trying to do it remotely.

Re:absolutely, do it yourself, fool

You forgot one thing. The biggest security hole is the massively large number of contractors who will unavoidably be accessing the net he is talking about.

Also, having everything inside such a net, if history is a guide, will likely lead to a false sense of security and standardizations across API's and automated control processes. Now instead of having to do perhaps something different to hack different banks, utilities or subsystems you only need to learn from a small set of common libraries.

"As a final safeguard against a sustained attack we have implemented the System.BringDownPrivateINet function. Upon triggering all systems simply turn off. System operators will restore systems to operational status from last good backup after the president gives the all clear......"

Re:absolutely, do it yourself, fool

[mr_mischief]

There's no reason to hook up just one network to your facility if you need real security. You can have public Internet access on one set of systems and private internet (small 'i') access on others.

If you need to search Google (which would probably have a separate government-funded server farm and Milnet (oops I mean "private secure internet") connection anyway) you go to an Internet-connected system. If you need to access a secure remote site, you go to the private network systems.

If you need to get data from the public Internet to your private network, you use removable media only, move only non-executable data, and scan it very carefully with a number of tools for cleverly crafted data formats designed to overflow buffers or smash stacks.

If you need to move info from your secure systems to the public Internet... then you don't really need your secure systems that damn much first of all. Yet if for some reason you do need to do this, you can use removable media for that. I've even seen people read from one terminal and type into another to bridge information across networks that were kept separate for security reasons.

Re:absolutely, do it yourself, fool

[fuzzyfuzzyfungus]

The trouble with the OS diversity argument is that it is really calibrated to the concerns of "low interest" targets. If my computer is worth maybe 25 cents as a low-reliability spam node, with perhaps a buck worth of credit card details cached somewhere, the fact that it is running the same OS as another $HUGE_NUMBER of machines is basically the only thing that makes it worth attacking. Writing a decent virus/worm/trojan and maybe doing some social engineering to get me to download it isn't free, nor does it take zero time. On the other side of the same coin, nuisances like spam are largely supported by the fact that huge swaths of homogeneous compromised boxes are available.

If you are a high interest target(either economically valuable, or because of some sort of cloak-and-dagger dickwaving) however, the argument changes. You, personally, could easily be economically or strategically viable as a target for your very own targeted attack, specifically crafted for whatever you are running. Unfortunately, the security of a lot of specialty systems is such utter shit that it makes a desktop windows box look ironclad(particularly if you are really mean and count vulnerabilities per unit features, rather than absolute number of vulnerabilities). "Many eyes make bugs shallow" isn't entirely true; but "no eyes makes bugs invisible" often is. It is rather like CAPTCHAs. If you are a low traffic/virtually no traffic site/forum/whatever, rolling your own CAPTCHA can actually be more secure than using an off the shelf one. Unless you are Real Serious, yours will be lousy; but what it guards is of such little worth that nobody is likely to take the time to tune their cracker to your unique, if probably flawed, system. A high value asset, on the other hand, can be assured that people will be tuning their systems against their CAPTCHA, so they are better off going with the best technology presently available for the purpose.

This certainly isn't an argument for monoculture, even extremely commonly used systems have flaws, and you can't risk having everything relying on them; but having obscure oddities around can make you less safe from the serious guys, even as it keeps the kiddies out(The specific Phillips programmable controllers targeted by the attack discussed earlier today, for example, probably aren't going to get turned into spam bots anytime soon; but somebody did some very specific legwork to hit those...)

The really big argument against monoculture, in high security type systems and environments(besides not making you a specific contractor's bitch forever) is probably institutional/cultural. Even if you start out with the best of intentions, and the most authoritative of admins, the fact that you are running some commodity system creates psychological and institutional pressures to start acting like everyone else. If, on the other hand, the distinction between Real Serious Systems and toy boxes is immediately visible as a difference in software, people are less likely to let their habits from one bleed over into the other(in fact, even if one were starting with a commodity OS like windows, linux, or BSD, one might consider deliberately breaking some convention good and hard, just to keep people from bringing their sloppy habits and software with them)...

Re:absolutely, do it yourself, fool

[fuzzyfuzzyfungus]

Barring a downright thermonuclear change in procurement practices, the large number of contractors won't just be accessing it, they'll build it, run it, administer it, heck, probably own it and lease it back to the feds for some absurd fee calculated according to what a set of mainframes connected by leased lines would have cost in the 80's...

Re:absolutely, do it yourself, fool

The best security is phsyical security, and that means only having connections to those you trust. The Internet is not that. I'm sorry, but you have to be blind to think something like IPSec on the connected Internet is even comparable. I also thank you for not being involved in computer security policy, but I do seemingly like your crash and burn mentality.

Re:absolutely, do it yourself, fool

[ultranova]

and you make no connections whatsoever between this and The Connected Internet.

And the larger your network grows, the harder this becomes to enforce. A single laptop connecting to a nearby open Wi-Fi port is sufficient to compromise you. So is someone using a mobile data connection or something to check their e-mail. And of course, if your network is big enough, an attacker can simply physically intersect the cables.

No, it's best to assume that any network will be compromised and design accordingly. Don't network the most critical control systems at all, isolate the semi-critical ones, let people connect to the public Internet from their desk/laptop computers, because they will anyway so you have to treat them as if they were, so they can as well get the convenience of a real connection.

Re:absolutely, do it yourself, fool

[navyjeff]

If a computer can be infected with a virus simply by plugging in a USB storage device, you're doing it wrong. The military needs to turn off Auto-Run (or any kind of execution privileges) for every one of their computers for external storage devices. This problem has been prevalent for 10 years and they still haven't fixed it.

An utter waste of time....

[rickb928]

Completely. They have the .mil network, and can't secure that. So the answer is to segregate the 'real' Internet and a 'secure' Internet?

And this will prevent infestations via USB drive how exactly?

I thought so. Next, please.

Encryption secures content, no gty on delivery

[zooblethorpe]

Sure, the NSA is undoubtedly up on the best crytpo around. While encryption will secure a message payload, it doesn't ensure that the message gets where it's going -- routing traffic over the Internet leaves the end- and midpoints open to DDOS and other attacks, tying up servers and preventing message transmission. A physically separate network, however, would avoid much of the harmful noise that happens in teh intarwebs.

Cheers,

Isn't that Internet 2?

[jd]

The whole point of the Internet 2 project was to provide secure, robust, high-speed communication to those who needed it. Not that I really know what makes "Internet 2" anything more than a section of the regular Internet 1 with restrictions on traffic routing off the high-speed backbone they've got. That and a functional IPv6 infrastructure which they've had in place for about 15 years without the need of tunnel brokers. Oh, and IPv6-aware applications - something else Internet 1 users have too few of and they've plenty of.

So the military have only NOW realized that putting sensitive or mission-critical information over a public network is a Bad Idea? Pffft. Pull the other one. They're one of the key players IN the Internet 2 endeavor. I can understand them wanting to get power stations and other critical infrastructure onto it, I can even understand them thinking Joe Public is too stupid to remember all of the news coverage Internet 2 has had over they years, or to google to see if such a network exists. But I'm frankly amazed that they've not been called on it by anyone, and shocked (shocked I tell you!) that nobody on Slashdot has mentioned it.

Re:Fine! Let it be so!

[dwye]

> and while they are at it, make it all IPV6.

Why would the second, USA or NATO only, internet need IPV6? Remember, this is the one that YOU will never be allowed on (at least in your role as a private person), let alone Mexico, Central America, South America, Africa, the Middle East, Asia. Likewise, this is the one that toasters, your gas and water meter, the coke machine on the 7th floor of Science Hall, or any other such appliances would not need to be on. In short, this is the Internet before Al Gore ruined it by opening it up for blatant commerce, and will have that few hosts (i.e., few enough so that every admin on it would know all the top level domains, if not most of the other admins).

> and while we're at it, maybe we can get the U.S. on the metric system.

Obviously, you are too young to buy liquor. Try and buy a new *fifth* of bourbon (or get your parents to). The USA has been on the metric system for decades (since the yard was defined in terms of the meter) but doesn't send men with guns after people or companies who use the customary measurements instead.

In other words...

[straponego]

The ruling class doesn't want to be exposed to those peons who are subject to laws.

Oh well, at least they're not calling us Morlocks yet.

How so?

[khasim]

And a lot of useful information that exists on the Internet will be unavailable, so the disadvantages of the private net will outweigh the advantages.

Like what?

The only one that immediately springs to mind is email and that's simple enough to handle.

What else would a person working on a secured network need to access?

Why is this stuff connected to *the* internet?

[mysteryvortex]

I've always said: "Why should [X] be connected to the public internet in the first place? Isn't connecting [X] to the public internet a really bad idea?"

Where [X] is any number of things: (list not exhaustive)
a power plant control system
a waste water treatment plant control system
an electrical plant control system
an electrical substation control system
a train station control system
a traffic control system

There are many things besides control systems, but for this post I am thinking of basic infrastructure. If these things need to be networked, they should be on their own private network with limited access. These problems also occurred before the internet existed. For example by connecting them to the public telephone system. (sometimes with no password, relying on the obscurity of the phone number to limit access)

It is not just the public sector that needs to learn this, but also private industry. If it is vitally important, limit physical access to it. Private networks exist for a reason. There is no need to do anything to the public internet.

-Mysteryvortex

Re:Why is this stuff connected to *the* internet?

[plover]

So what you're implying is the ideal system would then have control on a private network, but monitoring on a less secure network that could safely interconnect to the public Internet. Not a bad idea for a limited number of systems.

But then you start talking about "what goes where?" Is VoIP a critical secure system? Well, if the phone rings and a voice says "It's Charlie in fire control, shut down the generators now!" you sure want to be able to trust it's not Victor in Estonia coming in over Skype. But if the phones are only on the secure side, how do you call the FBI to report a problem?

So it sounds like a simple solution, but like with anything in security there are a metric ton of problems with even the simplest of ideas.

do it yourself- it will work for seconds

[DCFusor]

Until someone gets tired of having to use another machine for the "real" net and hooks up a router between them. Half an hour tops before some idiot breaks the separation model. Yes, people ARE that dumb.

Re:There is a good reason for this

People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.

Only if you're talking in absolutes. But total absolute security or anonymity probably isn't possible anyway.

Security and anonymity aren't mutually exclusive. In some cases security might be easier to achieve if we don't care about anonymity, and vice versa. But you're obviously presenting us with a false dichotomy, which is easily shown with an small example:
A member of the resistance in Nazi-Germany can improve his security by remaining anonymous when when criticizing the government.