Slashdot Mirror
NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries
GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."
Somebody's confused about the difference between "an internet" and "The Internet".
Help stamp out iliturcy.
This is what a bunch of us have been saying for a while: there's no reason for those really critical things to be on the Internet. Now they're proposing that they won't be, but are calling it a "partition". (??)
One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.
In fact, thinking they are safe in a walled garden is likely to lower their level of caution.
And it doesn't require an active network link spanning the networks. Virus and other nasties can be entered via CD's, USB sticks (I'm looking at you, U.S. Navy), or malicious persons on the inside.
If this guy is serious, what he probably wants is the ability to partition the Internet such that walled gardens can be set up, torn down, and have their membership adjusted very quickly.
On, and to hope that the ability to mess with that never gets into the wrong hands.
I suppose it would be possible to build a whole second infrastructure across the country for Government agencies and 'critical industries', one that would never necessarily cross lines with any part of the 'insecure' internet. However, I would think the fact that you would need a nationwide infrastructure is what would make it just as insecure as the real thing, as there would be innumerable points for a malicious person to connect in. Also, unless you plan on creating a whole new 'secure' operating system to connect to every computer on this new network, you're still going to be vulnerable if anyone brings in a flash drive or a DVD with a virus.
Oh, and you could NEVER allow wireless connections to this network... that would just be too damn easy.
Cyber Command sounds WAY too much like some sort of comic book superhero hangout.
My other car is a 1984 Nark Avenger.
Let there be an internet for government and sensitive business entities. I'm all for it. This would give less cause for government to screw around with surveillance and monitoring on the global internet I should think. (Yeah, I know they will still want that) It would also allow better protection of data without unplugging entirely.
I don't think it should be "partitioned" so much as having a new one built in parallel... and while they are at it, make it all IPV6. We all need a way to transition and a big fat project like this would be a great way... and while we're at it, maybe we can get the U.S. on the metric system.
NIPR? SIPR? You want a third network that you don't manage properly or put realistic security policies on?
Fucking bureaucrat.
"What's up MPAA? Hey, RIAA are you in line too or just waiting for your order?"
Just tell all the companies worried about cyber attack to set their gateway as 127.0.0.1 and they'll be perfectly safe.
Is this guy legitimate? How the hell did someone so ignorant of networking become head of US cyber command? NOTHING stops someone from grabbing off the shelf hardware and creating a WAN that has no hardware connections with the global internet. Or, there's various virtual ways to do this that are almost as good. Companies and institutions have been doing this for decades. Hackers can only get in if the institution is dumb enough to put the mission critical hardware on a network that IS connected to the internet, or even dumber, run the mission critical control system on a windows machine. Of course, corporations do this all the time...
Because a segment of the internet dedicated to government and "high risk" sectors would be much safer...like when I put a DO NOT STEAL note on my bike.
My debut novel AMITY now available: http://jeremydbrooks.c
Jesus Christ, you mean they're not!?!?
What f$*!!ing moron thought it was a good idea to do this, anyway. I was always under the assumption that critical system were not connected to the internet.
Holy Moly, I'm not going to sleep well tonight.
The real Sig captains the Northwestern. This one captains
So, what they want is a private IP-based network. No sweat, we've been building those for a couple of decades now. When I did point-of-sale for a truck-stock company, we had our own private network for connecting to our stores, credit-card processors and the like. You need routers, appropriate leased-line or other dedicated bandwidth, and some time spent on a white-board laying out the topology. The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet. Yes, this means the machines on that network aren't going to be able to access the public Internet. You wanted a private, isolated network, you get a private, isolated network. If you want to live dangerously you can create appropriate DMZs and firewalls and proxies to give internal machines external access, but remember that that means worms, viruses and other malware can ride in on stuff coming back in through that external access and infect machines inside the perimeter. At that point your "protected" network isn't protected at all (in fact it's probably more vulnerable, since you likely skimped on internal protection since it's supposed to be a protected network).
That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
You hereby agree to pay Kilgore Trout of Euro 100,000,000 for consulting with Cyber Command about running their own private network.
Please see Private Network.
Thanks in advance.
Yours In Vladivostok,
Kilgore Trout, C.I.O.
Cool so those Critical Industries and Government areas can be more easily isolated and thus made less secure? Thats what it sounds like to me but I'm certainly not knowledgable...
If it is in charge of a critical resource in which people's lives and safety is at risk, it should not be connected to the internet. I can be on its own, internal private network with no actual physical connection externally. It can be a pain at first, but really it is not that bad. Even if you need to download patches, etc, you simply download them to a box that is on the internet, put it on removable media, scan the media for viruses, remove it and connect to the stand-alone network. Really not that big a deal.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Yes. And while we're at it, the NSA Chief would like a pony to go with his Internet Mk2, please.
I mean, wasn't the internet designed/made for the military in the first place (ARPA/DARPA)? Then first the institutions (.edu) and later the commercial market (.com) came along and took it over. I guess creating a new network from scratch (and doing it RIGHT this time) is easier than kicking the rest of us pikers off of what was theirs in the first place.
Chaos maximizes locally around me.
That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.
Cheers,
I think a much better approach is to assume that the intermediate network is insecure and beyond your control. Then, use very strong end-to-end encryption to make a secure tunnel, much like the SSH approach. I mean, this is the NSA here. It's not like they wouldn't know how to use good encryption.
It is a miracle that curiosity survives formal education. - Einstein
Whats wrong with a government and critical infrastructure VPN?
While you still have people in any partition you make you will still be at risk. And you still want that people visit your sites, no? NO?
As many have no doubt pointed out, there is not now and has never been anything that stops anyone from building their own TCP/IP-based network and only allowing trusted users/machines/sites to connect to that network. There is no inherent need to connect *anything* to the public Internet, much less an asset that contains confidential information.
The thing that bothers me most about this announcement is the clear implication that secret data *isn't* currently partitioned onto private networks at top-secret government agencies.
Never heard of an "air gap".
I killed da wabbit -Elmer Fudd
you get yourself a bunch of private pipes, and you use them as a backbone using IP, and you use a private set of addresses like the 10-net, and you make no connections whatsoever between this and The Connected Internet.
and you have an internet.
and it's not connected to The Connected Internet.
and then you can control your own security.
and as long as you do not put any software on any machines on the private internet that comes from untrusted sources and has not been vetted, you're nice and secure.
nothing with any criticality should EVER be connected to The Connected Internet.
glad you've made a start in this process. now build one. a bunch of pre-teens could hash up one in an hour if you don't need a bunch of wacky routing rules.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Completely. They have the .mil network, and can't secure that. So the answer is to segregate the 'real' Internet and a 'secure' Internet?
And this will prevent infestations via USB drive how exactly?
I thought so. Next, please.
deleting the extra space after periods so i can stay relevant, yeah.
Although the signal content might be secure, the signal itself would still be prone to disruption through various shenanigans like DDOS attacks and the like. A dedicated physically separate network would not face the same issues unless physically compromised. On the wide-open Internet, though, some bored teenager in Kuala Lumpur or Rotorua or Arkhangelsk could conceivably disrupt government systems, especially when so many such systems seem to be run on known-insecure Windows.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
DDoS attacks don't rely on compromising data so much as they rely on denying you access to resources. If you're on the same network as the 'unwashed masses', they can flood your pipe and block you from getting out unless you've got some really good traffic management protocols.
Sure, the NSA is undoubtedly up on the best crytpo around. While encryption will secure a message payload, it doesn't ensure that the message gets where it's going -- routing traffic over the Internet leaves the end- and midpoints open to DDOS and other attacks, tying up servers and preventing message transmission. A physically separate network, however, would avoid much of the harmful noise that happens in teh intarwebs.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
The whole point of the Internet 2 project was to provide secure, robust, high-speed communication to those who needed it. Not that I really know what makes "Internet 2" anything more than a section of the regular Internet 1 with restrictions on traffic routing off the high-speed backbone they've got. That and a functional IPv6 infrastructure which they've had in place for about 15 years without the need of tunnel brokers. Oh, and IPv6-aware applications - something else Internet 1 users have too few of and they've plenty of.
So the military have only NOW realized that putting sensitive or mission-critical information over a public network is a Bad Idea? Pffft. Pull the other one. They're one of the key players IN the Internet 2 endeavor. I can understand them wanting to get power stations and other critical infrastructure onto it, I can even understand them thinking Joe Public is too stupid to remember all of the news coverage Internet 2 has had over they years, or to google to see if such a network exists. But I'm frankly amazed that they've not been called on it by anyone, and shocked (shocked I tell you!) that nobody on Slashdot has mentioned it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.
In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.
The issue I had is that because there are so many cases where bank A needs to talk to bank B, and neither want to have the T1 line under their name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.
People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
I have a feeling, since I want China and Spam providers off my Net, and the NSA wants us civilians off the Net we taxpayers paid for, that both of us will be disappointed when neither event occurs.
-- Tigger warning: This post may contain tiggers! --
> and while they are at it, make it all IPV6.
Why would the second, USA or NATO only, internet need IPV6? Remember, this is the one that YOU will never be allowed on (at least in your role as a private person), let alone Mexico, Central America, South America, Africa, the Middle East, Asia. Likewise, this is the one that toasters, your gas and water meter, the coke machine on the 7th floor of Science Hall, or any other such appliances would not need to be on. In short, this is the Internet before Al Gore ruined it by opening it up for blatant commerce, and will have that few hosts (i.e., few enough so that every admin on it would know all the top level domains, if not most of the other admins).
> and while we're at it, maybe we can get the U.S. on the metric system.
Obviously, you are too young to buy liquor. Try and buy a new *fifth* of bourbon (or get your parents to). The USA has been on the metric system for decades (since the yard was defined in terms of the meter) but doesn't send men with guns after people or companies who use the customary measurements instead.
I had to imagine this thread read by the movie trailer voice guy because of the title.
The government and military already have a "partitioned" inaccessible "internet". The real name of the "internet" you are using to view this site is called NIPRNET, and the "secure partitioned" one is called SIPRNET. The secured internet has been around for decades and is still used by governments around the world.
So this proposition simply is a play on words, particularly a "partition" word, possibly for a total ground up restructuring scheme for sure. This is such a bold statement from a government official, it's baffling really.
The ruling class doesn't want to be exposed to those peons who are subject to laws.
Oh well, at least they're not calling us Morlocks yet.
Do what the DoD's done, make another NIPRNet - but leave the Internet alone
It's Call an "Intranet" (F*^&ing Govt. Idiots)
The NSA wants to create the worlds largest honeypot.
http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant
Stop filling your critical industries with MS products that cannot use USB without risk.
Comments like this would many go hmmm "a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown."
The NSA is tapped into every big telco system within and outside the USA, they have the software and hardware to track and sort most issues, voice prints ect.
This sounds more like small next step, legal standing in some areas. Then the next.
Do you really want your entire telco system watching for you 24/7 without a court order?
Just to keep a cost cutting, rust belt network up?
Domestic spying is now "Benign Information Gathering"
Reminds me of the days when a bank's ATMs weren't networked the same way Joe Sixpack accesses his porn.
Like what?
The only one that immediately springs to mind is email and that's simple enough to handle.
What else would a person working on a secured network need to access?
The US military and defense establishment already has its own private internet (DarpaNet), along with backbone and such. This is just, in the words of Bruce Schneier, so much security theater. The physics research community also has its own network, PhysNet, that provides high bandwidth and secure connections between major research sites and universities world-wide. Yes, they interconnect to the broader Internet, but they don't carry general Internet traffic and are quite secure against outside hackers.
Sometimes, real fast is almost as good as real-time.
I've always said: "Why should [X] be connected to the public internet in the first place? Isn't connecting [X] to the public internet a really bad idea?"
Where [X] is any number of things: (list not exhaustive)
a power plant control system
a waste water treatment plant control system
an electrical plant control system
an electrical substation control system
a train station control system
a traffic control system
There are many things besides control systems, but for this post I am thinking of basic infrastructure. If these things need to be networked, they should be on their own private network with limited access. These problems also occurred before the internet existed. For example by connecting them to the public telephone system. (sometimes with no password, relying on the obscurity of the phone number to limit access)
It is not just the public sector that needs to learn this, but also private industry. If it is vitally important, limit physical access to it. Private networks exist for a reason. There is no need to do anything to the public internet.
-Mysteryvortex
Until someone gets tired of having to use another machine for the "real" net and hooks up a router between them. Half an hour tops before some idiot breaks the separation model. Yes, people ARE that dumb.
Why guess when you can know? Measure!
There's nobody else there anyway....
For the most part those things do need to be connected to the internet on some level, it's just this sort of information isn't very secure. Even information on Google isn't secure.
I am a network administrator by the definition of it; a mere desk jockey. I haven't a mind for international affairs, but I do for network related foo. Having said that, and having not read a single reply (thusly this could be a redundancy) to this article I have to say... there are some great ideas that come from the government, but they are not always practical. This I do not think is practical. What do they want, an 802.11q VLAN? Ok... no, they want better technology... but throw VPN/IPSec out of the picture. Instead of conforming to the Internet, they seek to change it; thus asking us to conform to them. Otherwise they are misinformed and do not understand the workings of a network in the present day and need to hire better informants, or I don't know what I'm talking about.
IF you control router along the path, a VPN makes it really hard for you to read the information. It makes it really easy, though, for you to just drop packets that are part of a VPN, mangle them so they are corrupted upon receipt, or record them offline for later brute-force attacks.
It will be politically impossible to keep Windows off this network. (It is said that the U.S. army runs on powerpoint.) And it is not possible to secure any network using Windows computers.
I can drop or mangle the packets if they cross my router, or redirect them to random destinations. Even though VPNs make it hard to read the data inside the packets, they don't secure the arrival of those packets.
Imagine we would have two "Internets". On one, you could connect however you want.
The other one is "secure(tm)" and not "secure because we use authentication and encryption and create mechanism for key exchange for those who want"
secure(tm) is defined by certifications. Now assume a product for the military (e.g. a new fighter) jet can be only build if every part was ordered via a secure(tm) terminal and a secure(tm) network connection. Who defines secure(tm). Probably the NSA will hand out these certificates, probably with the help of consultants/service companies. Wat may even worse is that the experts recommending it now (in their time at the NSA) may hold shares in companies which help the NSA, or may go there after leaving the NSA (after all they are the "experts in secure(tm) networks" and very valuable).
How much money do you believe can be earned in allowing companies to access the secure(tm) Internet, which then may be only way to deliver a bunch of screws which are going to be used in a tank?
I see business opportunities and a rise in power for organizations like the NSA; i understand that they may propose this.
Welcome our new "security by stupidity" overlords.
Sent from my ASR33 using ASCII
Partition all financial institutions and everybody would need to learn how to use cheques again. Partition the government institutions and tendering will revert to paper.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
It's called a private network.
Simply remove them Internet access and network them together. Sure they won't have access to internet then. That's the point tho.
their populace having unfettered access to information. Even in "America! F*ck Yeah!", they are slowly clamping down, all justified under the merkins of terrerists, pirates, pedophiles (they're everywhere and even have a mascot!), etc. Just this week, proposals were made at the UN to make providing information to a country's populace tantamount to cyberwar. And I'm sure there are elements of the US government thinking that's not a bad idea.
First comes the partition. Then comes the format. Time to back up teh iNternets!
Socialize the costs, privatize the profits. Companies balk at buying bandwidth - if they get the government to dictate it a "security" problem, we will all pay for it from taxes.
SIPRNet. Others as well.
Best Slashdot Co
what a firewall/IDS/IPS Etc... is for to partition your local network from the "ravages" of the internet. Security 101 please.
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
I'll stay out of the NSA's internet if they'll stay out of mine.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
The whole reason the military funded research into packet-switched networks was their potential for flexibility and uptime. On 9/11 a major Verizon switch was destroyed by the collapse of the WTC, but e-mails still got where they were going. The Internet routes around damage.
Now imagine setting up a secure, separate physical network. In order to provide the same flexibility and recoverability you will need to fund many redundant links from each node to many other nodes. Expensive!! The reason the Internet works is because each company only needs to fund a few links themselves. Then they can internetwork with everyone else's links and voila: mass redundancy and multiple paths for packets.
The answer to secure computing in the future is mostly in software and configuration IMO.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
he read an article on slashdot about how once you have a network firewalled, you don't have to worry about the computers themselves.
Pity he ready only the summary and article and didn't read any of the comments from knowledgeable geeks refuting it.
If the govt wants to use the 'free' internet, then it has to accept the baggage that comes with it, including ads, hackers, potholes and viruses. If they want something different, it's like everyone else here suggests, build their own 'in their own image'. Damn fools to hook up critical systems to the internet anyhow, but then again, that's who we elected, and who the ones we elected selected. or... maybe it's just another exercise to see if we are so dumb we won't see this as a means to further control the citizens of planet Earth. (this IS Earth, isn't it? ooops..)