Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

Posted by timothy on from the little-cubbies-for-everything dept.

GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

16 of 258 comments (clear)

  1. Capitalized, with definite article by symbolset · · Score: 5, Insightful

    Somebody's confused about the difference between "an internet" and "The Internet".

    --
    Help stamp out iliturcy.
  2. Isn't that just a network? by XanC · · Score: 4, Insightful

    This is what a bunch of us have been saying for a while: there's no reason for those really critical things to be on the Internet. Now they're proposing that they won't be, but are calling it a "partition". (??)

    1. Re:Isn't that just a network? by airfoobar · · Score: 4, Insightful

      Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

    2. Re:Isn't that just a network? by causality · · Score: 5, Insightful

      Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

      This could be a great "excuse" for us, too. We should make him a deal. Partition off the governmental and "critical industry". Now the public Internet has no more high-profile targets. Then, drop all the warrantless wiretapping, eavesdropping, and other monitoring from the public Internet and use it to lock down the governmental and critical parts. All of the resources and manpower focused on a much smaller target should do wonders towards securing us against the currently trendy bogeyman of "cyberattack".

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:Isn't that just a network? by phantomfive · · Score: 4, Insightful

      The people doesn't need an 'excuse' to make a deal with the government. We don't need to make deals with the government. In a government of the people, by the people, and for the people, when we want something done, we tell the government to do it.

      Now all we need to do is convince the vast majority of the country to oppose warrantless wiretapping, etc. Most people are ok with that kind of thing, you know, because it catches criminals or terrorists or something. In other words, he doesn't need to make a deal with you, and he won't, because he has the people on his side. See also, "how Bush got congress to agree to invade Iraq by convincing the vast majority (for a brief moment) that it would help with terrorists or something."

      --
      Qxe4
  3. It just takes one... by DoofusOfDeath · · Score: 4, Insightful

    One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.

    In fact, thinking they are safe in a walled garden is likely to lower their level of caution.

    And it doesn't require an active network link spanning the networks. Virus and other nasties can be entered via CD's, USB sticks (I'm looking at you, U.S. Navy), or malicious persons on the inside.

    If this guy is serious, what he probably wants is the ability to partition the Internet such that walled gardens can be set up, torn down, and have their membership adjusted very quickly.

    On, and to hope that the ability to mess with that never gets into the wrong hands.

  4. Uhh by ShooterNeo · · Score: 4, Insightful

    Is this guy legitimate? How the hell did someone so ignorant of networking become head of US cyber command? NOTHING stops someone from grabbing off the shelf hardware and creating a WAN that has no hardware connections with the global internet. Or, there's various virtual ways to do this that are almost as good. Companies and institutions have been doing this for decades. Hackers can only get in if the institution is dumb enough to put the mission critical hardware on a network that IS connected to the internet, or even dumber, run the mission critical control system on a windows machine. Of course, corporations do this all the time...

    1. Re:Uhh by Strange+Ranger · · Score: 4, Insightful

      Keith knows about WANs and VLANs and VPNs. My guess is this is just Keith's way of campaigning for a 200 million dollar budget so he can go on a serious shopping spree.

      Also, having direct control and access to all the information that will be on it. "Come on in banks and military suppliers, Telecoms, and Energy companies, etc., sure there's room for you on the Homeland Network!!"

      My tin foil hat doesn't warp my brain. "Killing the open internet" isn't the goal of this public statement or this proposal. Growing his budget and expanding the scope of Homeland Security, certainly.

      Do we still teach the dangers of Fascism in school these days? My tinfoil hat does compel me to include this Wikipedia quote "Fascists seek to organize a nation according to corporatist perspectives, values, and systems, including the political system and the economy."

      Think how much easier it could be to share information without getting caught.

      --

      Operator, give me the number for 911!
  5. So, what they want is... by Todd+Knarr · · Score: 5, Insightful

    So, what they want is a private IP-based network. No sweat, we've been building those for a couple of decades now. When I did point-of-sale for a truck-stock company, we had our own private network for connecting to our stores, credit-card processors and the like. You need routers, appropriate leased-line or other dedicated bandwidth, and some time spent on a white-board laying out the topology. The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet. Yes, this means the machines on that network aren't going to be able to access the public Internet. You wanted a private, isolated network, you get a private, isolated network. If you want to live dangerously you can create appropriate DMZs and firewalls and proxies to give internal machines external access, but remember that that means worms, viruses and other malware can ride in on stuff coming back in through that external access and infect machines inside the perimeter. At that point your "protected" network isn't protected at all (in fact it's probably more vulnerable, since you likely skimped on internal protection since it's supposed to be a protected network).

  6. Re:Someone didn't get the memo by Penguinisto · · Score: 4, Informative

    The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op getting latched onto to those.

    Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to the these specs (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  7. absolutely, do it yourself, fool by swschrad · · Score: 4, Insightful

    you get yourself a bunch of private pipes, and you use them as a backbone using IP, and you use a private set of addresses like the 10-net, and you make no connections whatsoever between this and The Connected Internet.

    and you have an internet.

    and it's not connected to The Connected Internet.

    and then you can control your own security.

    and as long as you do not put any software on any machines on the private internet that comes from untrusted sources and has not been vetted, you're nice and secure.

    nothing with any criticality should EVER be connected to The Connected Internet.

    glad you've made a start in this process. now build one. a bunch of pre-teens could hash up one in an hour if you don't need a bunch of wacky routing rules.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  8. There is a good reason for this by Aqualung812 · · Score: 4, Informative

    I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.

    In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.

    The issue I had is that because there are so many cases where bank A needs to talk to bank B, and neither want to have the T1 line under their name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.

    People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  9. Re:Someone didn't get the memo by dwye · · Score: 4, Informative

    > ever had to put all of /usr onto its own partition and lock the whole thing read-only?

    No, because SunOS5 had this on installation, back about 1990. With symbolic links and such, it was really quite simple. You remounted /usr as RW only when you had to remake the kernel, and then rebooted after (once a month or less often). In fact, our /usr was on a separate disk that had a hardware RO/RW switch on it.

    This stuff was worked out long ago. Then, it was ignored because someone decided to build from scratch with no more (prior) thoughts of security than a HAL-9000 had.

  10. Why is this stuff connected to *the* internet? by mysteryvortex · · Score: 5, Insightful

    I've always said: "Why should [X] be connected to the public internet in the first place? Isn't connecting [X] to the public internet a really bad idea?"

    Where [X] is any number of things: (list not exhaustive)
    a power plant control system
    a waste water treatment plant control system
    an electrical plant control system
    an electrical substation control system
    a train station control system
    a traffic control system

    There are many things besides control systems, but for this post I am thinking of basic infrastructure. If these things need to be networked, they should be on their own private network with limited access. These problems also occurred before the internet existed. For example by connecting them to the public telephone system. (sometimes with no password, relying on the obscurity of the phone number to limit access)

    It is not just the public sector that needs to learn this, but also private industry. If it is vitally important, limit physical access to it. Private networks exist for a reason. There is no need to do anything to the public internet.

    -Mysteryvortex

  11. do it yourself- it will work for seconds by DCFusor · · Score: 5, Insightful

    Until someone gets tired of having to use another machine for the "real" net and hooks up a router between them. Half an hour tops before some idiot breaks the separation model. Yes, people ARE that dumb.

    --
    Why guess when you can know? Measure!
  12. How about just moving to IPv6? by dbc · · Score: 4, Funny

    There's nobody else there anyway....