
Ex-NSA Chief Supports Separate Secure Internet

Hugh Pickens writes "Nextgov reports that Michael Hayden, former director of both the NSA and the CIA, says the United States may seriously want to consider creating a new Internet infrastructure to reduce the threat of cyberattacks and several current federal officials, including U.S. Cyber Command chief Gen. Keith Alexander, also have floated the concept of a '.secure' network for critical services such as financial institutions, sensitive infrastructure, government contractors, and the government itself that would be walled off from the public web. Unlike .com, .xxx and other new domains now proliferating the Internet, .secure would require visitors to use certified credentials for entry and would do away with users' Fourth Amendment rights to privacy. 'I think what Keith is trying to suggest is that we need a more hardened enterprise structure for some activities and we need to go build it,' says Hayden. 'All those people who want to violate their privacy on Facebook — let them continue to play.' Clay Dillow writes that on the existing internet everyone does everything online anonymously, and while that's great for liberties, it's also dangerous when cyber criminals/foreign hackers are roaming the cyber countryside. Under the proposed .secure internet 'you may not be able to go to certain neighborhoods of the Web without showing your papers at a checkpoint — and perhaps subjecting yourself to one of those humiliating electronic pat-downs as well,' writes Dillow. 'Those who want to remain anonymous on the Web can still frolic about in the world of dot-com, but in the dot-secure realm you would have to prove you are you.'"
  • by Jeremiah Cornelius ( 137 ) on Saturday July 09, 2011 @12:39PM (#36705274) Homepage Journal

    He learned everything from his time there.

    Your security is not the issue.

  • Bridge (Score:1, Insightful)

    by Anonymous Coward on Saturday July 09, 2011 @12:44PM (#36705334)

    Not sure how this will work if he means that it should be a broad public network. All it takes is one user to "bridge" the networks (log in on the secure network while being connected to the Internet, say via public wireless) and you're not much better off than today.

    Sounds very soft-shell, a.k.a. "billions in the sea with nothing to show but some theater".

  • by zero.kalvin ( 1231372 ) on Saturday July 09, 2011 @12:46PM (#36705352)
    Well goodie then, bit by bit they will demand more and more services to be moved to new "secure", until all that is left on the old internet is unlawful sites. And by then it will be easy to argue for the prohibition of it and if anyone is using it, then this person is a criminal. So thanks, but no thanks.
  • by rbrander ( 73222 ) on Saturday July 09, 2011 @12:51PM (#36705398) Homepage

    It's funny how hard it is to let go of past models. The heart of the Internet model is, as the saying goes "a sphere", where every node has equal access to every other node. No clients, no servers, just equal connectors. Society as a whole (when weighted by money rather than head-count) keeps trying to reject that in favour of it being a fancy way to broadcast: a few large hosts running Wal-Mart-sized data centres, many clients on as dumb a terminal as possible. Efforts to democratize information flow are opposed as either unserious utopianism or outright crime. (They can't seem to find a statute forbidding Wikileaks that doesn't forbid the Times, but from the rhetoric, you'd never guess.)

    When Hayden says that "users" 4th-amendment rights would be abrogated, he isn't thinking of all the users, not the big ones. Just the little ones. Which I think just models how Hayden sees society itself. Little folks don't have rights, just privileges.

  • by NoNonAlphaCharsHere ( 2201864 ) on Saturday July 09, 2011 @12:53PM (#36705414)
    Yup. This is just Clipper chip / Trusted Computing / HDMI / 'show us your papers' all over again, in new clothing.
  • by king neckbeard ( 1801738 ) on Saturday July 09, 2011 @12:56PM (#36705442)
    "Core elements of our electric grid, of our financial, transportation and communications infrastructure would be obvious candidates. But we simply cannot leave that core infrastructure on which the life and death of Americans depends without better security."
    Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET
  • by MacTO ( 1161105 ) on Saturday July 09, 2011 @01:03PM (#36705488)

    Ignore the privacy bit for a moment, because that seems to garner knee-jerk reactions around these parts, and look at the security bit.

    There are a lot of transactions that need to be secure, yet would not qualify for the .secure network. For example: you could cram bank systems into the new network, but are you really going to allow every business that uses these financial systems on it (e.g. credit card transactions or trades on the stock market)? Even if you did, you would still end up with 'insecure' connections between the customer and the business. Or are you going to give every citizen a security token too? In that case, the ability to verify the identity of the user drops to nil since identity theft becomes an issue. Or people lending their identity to friends. Or people using loopholes in the system to create new identities.

    Even a network which tightly restricts who could access it would face hurdles. Research labs attract all sorts of riff-raff scientists and technicians. Some of those people will create bridges between the .secure network and everything else. Even if it is unintentional, because they are using the same systems to access secure databases as they use to access journals (and their goof-off resources). I'm not saying that it is impossible to stop that sort of thing, but it will be awfully difficult given the population involved.

  • by xkuehn ( 2202854 ) on Saturday July 09, 2011 @01:05PM (#36705506)

    Please, please can we not mention religion on Slashdot?

    It's always the same. Religious people flaming atheists, atheists flaming religious people and agnostics flaming both sides. The universal argument? "I'm right because it's obvious and you're stupid for not agreeing".

  • by YrWrstNtmr ( 564987 ) on Saturday July 09, 2011 @01:12PM (#36705564)
    Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET

    Given that some of these systems have to communicate, that is exactly what this guy is proposing!
    Don't connect them to the regular 'Net, but some other communication setup.
  • by LordLimecat ( 1103839 ) on Saturday July 09, 2011 @01:14PM (#36705580)

    You DO realize that in order to enter the Supreme Court building, or the White House, or the Capitol, you are required to "show us your papers", right? In fact, many high-security buildings in the district require it. And yet it has not become a mandatory norm across all parts of our society-- this seems to be a classic "slippery slope" fallacy.

  • by Nkwe ( 604125 ) on Saturday July 09, 2011 @01:16PM (#36705590)
    So is the article talking about a separate physical network that is firewalled off from what we now call the Internet or is it just talking about a new top level domain that by policy requires domain owners to demand some sort of verifiable credentials for access to services on hosts that are pointed to by DNS entries within the new domain?

    Unless it is a separate physical network with firewalls or other edge devices that require authentication and there is a mechanism to securely forward the credentials from the edge device to the internal host, you haven't created any more real security.

    Creating a new TLD on an existing "insecure" network that doesn't require authentication to access the physical network doesn't add any security. In this scenario anyone can still access the machines and it is up to the owners of the machines to implement their own security. If the government (and others) can't manage security on their machines now, creating a new naming system for those machines isn't going to help.
  • by c6gunner ( 950153 ) on Saturday July 09, 2011 @02:09PM (#36706106) Homepage

    The heart of the Internet model is, as the saying goes "a sphere", where every node has equal access to every other node

    No, it's not, nor has it ever been. Such a network would be completely impractical, both from a technological/economic perspective, and from a security perspective.

    Society as a whole (when weighted by money rather than head-count) keeps trying to reject that in favour of it being a fancy way to broadcast: a few large hosts running Wal-Mart-sized data centres, many clients on as dumb a terminal as possible.

    Right - people want functionality. They don't want every person to write their own version of facebook - they want a large service which everyone can access. Money has nothing to do with it - it's about usefulness.

    Efforts to democratize information flow are opposed as either unserious utopianism or outright crime. (They can't seem to find a statute forbidding Wikileaks that doesn't forbid the Times, but from the rhetoric, you'd never guess.)

    Complete nonsense, of course, supported by nothing other than your personal ideological biases.

    When Hayden says that "users" 4th-amendment rights would be abrogated, he isn't thinking of all the users, not the big ones.

    He's speaking about anonymity, dumbass. There would be no anonymity on the secure part of the net, by design. How exactly do "The Big Ones" get around that, and why would they want to? Have you put any thought into this?

  • by Animats ( 122034 ) on Saturday July 09, 2011 @02:22PM (#36706238) Homepage

    Anonymous individuals aren't the problem. Anonymous businesses are the problem. Most of the troubles we have on the Internet come from web sites which purport to be from some legitimate business, but aren't. Malware, spam, etc. all eventually involve some online business.

    This is a consequence of ICANN's squishy-soft regulation of registrars and weak enforcement of WHOIS data quality rules. More recently, corrupt CAs have become a problem. The companies that collect money registering the identity of web sites are failing in their responsibilities.

    All we need on the client side is good ISP ingress filtering, so that corrupted clients can't use an IP address other than their own. (All you can do with a fake IP address is send junk, since you don't get any of the replies.) Then, DDoS attacks can be tracked and blocked.
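
An added example, not part of the thread or any poster's code: the ISP ingress filtering described in the comment above (the source-address validation that BCP 38 recommends), sketched in Python. Port names, prefixes and packets are constructed; a real deployment enforces this on the access router rather than in application code.

```python
import ipaddress
from collections import Counter

# Constructed sample data: customer-facing ports and the prefixes the ISP
# assigned to each (documentation ranges only; names are hypothetical).
ASSIGNED = {
    "port-1": ["192.0.2.0/28"],
    "port-2": ["198.51.100.16/29", "2001:db8:42::/48"],
}
NETS = {port: [ipaddress.ip_network(p) for p in prefixes]
        for port, prefixes in ASSIGNED.items()}


def permit(port, src):
    """True if a packet entering on `port` carries a source address that
    belongs to a prefix assigned to that port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop
    return any(addr.version == net.version and addr in net
               for net in NETS.get(port, []))  # unknown port: no prefixes, drop


def ingress_filter(packets):
    """Split (port, src, dst) tuples into forwarded packets and a per-port
    count of drops; the count points at the port with the compromised client."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if permit(port, src):
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1
    return forwarded, drops


# Constructed traffic: legitimate packets mixed with spoofed sources.
SAMPLE = [
    ("port-1", "192.0.2.5", "203.0.113.9"),       # own address
    ("port-1", "198.51.100.17", "203.0.113.9"),   # neighbour's address, spoofed
    ("port-1", "192.0.2.16", "203.0.113.9"),      # one past the /28
    ("port-2", "198.51.100.17", "203.0.113.9"),   # own address
    ("port-2", "2001:db8:42::1", "2001:db8::9"),  # own IPv6 prefix
    ("port-2", "10.0.0.1", "203.0.113.9"),        # unassigned source
    ("port-3", "192.0.2.5", "203.0.113.9"),       # port with no assignment
]

if __name__ == "__main__":
    ok, dropped = ingress_filter(SAMPLE)
    print(len(ok), "forwarded;", dict(dropped))
```

Because every spoofed packet is dropped at the port it entered on, the drop counter identifies which customer connection is emitting forged sources, which is what makes the tracking mentioned in the comment possible.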

  • by spire3661 ( 1038968 ) on Saturday July 09, 2011 @02:39PM (#36706348) Journal
    You do a lot of name calling and tongue lashing, but not a whole lot of analysis or rebuttal. Most of your post is simple trolling and selective reading. How about you provide a reasoned argument.
  • by LordLimecat ( 1103839 ) on Saturday July 09, 2011 @04:39PM (#36707124)

    You can go anywhere in the country without papers. You could, right now, get on a bus and travel 3 states over, then jump on a train and go somewhere.

    You cannot, however, enter the Pentagon without authorization, and I'm not sure when the last time you could was. Nor can you enter a private building where management has decided to hire security and implement metal detectors, without authorization.

    And how exactly is 'showing your papers' supposed to make those buildings secure?

    I'm not a security expert, but I would surmise (knowing some people in that field) that the government has a list of people that it wants to keep close tabs on. For example, if you had escaped from a prison, I imagine that it would be rather difficult to get into a secured location-- you would have to get in without giving your ID, which rather complicates getting in when the elevators are locked down. There is also some screening that takes place in order to get an ID; and if something DOES go down, they have a better idea of who you are.

    Regardless, my threshold of "starting to worry about police state" is when they start trying to stick cameras all over DC, or having permanent police checkpoints. Metal detectors and security guards in international trade buildings doesn't really trip my "big government paranoia" alarm.

  • by SnapShot ( 171582 ) on Saturday July 09, 2011 @07:41PM (#36708104)

    The War on Hacking is the War on Drugs for the 21st Century. A never ending siphon of money into the hands of a few well-connected companies and politicians. There will be some collateral damage, of course, but it will be deemed to be worth it by those who matter. Actually, the collateral damage (loss of privacy, a "locked down" internet) will be considered a feature not a bug.
