
Ex-NSA Chief Supports Separate Secure Internet

Hugh Pickens writes "Nextgov reports that Michael Hayden, former director of both the NSA and the CIA, says the United States may seriously want to consider creating a new Internet infrastructure to reduce the threat of cyberattacks and several current federal officials, including U.S. Cyber Command chief Gen. Keith Alexander, also have floated the concept of a '.secure' network for critical services such as financial institutions, sensitive infrastructure, government contractors, and the government itself that would be walled off from the public web. Unlike .com, .xxx and other new domains now proliferating the Internet, .secure would require visitors to use certified credentials for entry and would do away with users' Fourth Amendment rights to privacy. 'I think what Keith is trying to suggest is that we need a more hardened enterprise structure for some activities and we need to go build it,' says Hayden. 'All those people who want to violate their privacy on Facebook — let them continue to play.' Clay Dillow writes that on the existing internet everyone does everything online anonymously, and while that's great for liberties, it's also dangerous when cyber criminals/foreign hackers are roaming the cyber countryside. Under the proposed .secure internet 'you may not be able to go to certain neighborhoods of the Web without showing your papers at a checkpoint — and perhaps subjecting yourself to one of those humiliating electronic pat-downs as well,' writes Dillow. 'Those who want to remain anonymous on the Web can still frolic about in the world of dot-com, but in the dot-secure realm you would have to prove you are you.'"

  • by TheGratefulNet ( 143330 ) on Saturday July 09, 2011 @01:20PM (#36705632)

    I thought about this a bit. this is MY proposal (from some random internet guy; but one who's been around, online, for quite a few decades).

    what we need is true end-to-end encryption and that will get us all the 'secure' we need. it would not be a bad idea to insist that all non-encrypted protocols be aged out and replaced with SSL carried user-protocols (mail, file transfer, remote console, DNS, all the basics).

    oh, there's one other tiny little detail. NO one can spy on the end-to-end connections. no MitM, no wiretaps, no opto-sniffing, no none of that [sic]. promise and ensure that all world citizens have protected (as in 'their rights, as human beings') end-to-end private communications. tapless and secure. to me, THIS means secure.

    what they want is exactly the opposite. no encryption and nothing BUT tapping us (DPI, etc). they will know the identity of each networked station but this will not add to privacy OR security for anyone.

    recognize this, people. do not give them this 'divided internet'! really bad idea. let's, instead, change the debate BACK to private communications and the right to not be listened to, monitored and surveilled.

  • by Jahava ( 946858 ) on Saturday July 09, 2011 @01:28PM (#36705694)

    Hasn't this guy learned anything from his time at the NSA?

    There's a difference between privacy through anonymity and privacy in general. Presumably such a network would use well-designed cryptographic algorithms and protocols to exchange information. It could leverage existing technologies, such as SSL/TLS [wikipedia.org] or IPSec [wikipedia.org]. The data, in transit, would still be secure. The difference is twofold:

    • The ".secure" infrastructure would know who sent any given encrypted packet, and
    • The intended recipient (and only the intended recipient) of the encrypted packet would know who sent the decrypted information.

    Honestly, this approach makes a lot of sense to me. Maintain the current anonymous Internet in its full glory. You would continue to use it for most things! However, if you want to bank, purchase, or administer, both you (the client) and the server site (Amazon, Bank of America, etc.) have the option to push that transaction onto an encrypted and attributable infrastructure.

    Now, the same suite of Internet problems will still exist on the secure domain, but that extra de-anonymizing information goes a long way towards addressing them. If you are attacked by a bot on the secure network, you know who is infected. You can send them a notification and rapidly suspend or deny their secure network access. If someone is probing your site for vulnerabilities, you also know who it is, which may harm the white-hats (not that solutions couldn't be worked out), but will certainly hinder the black-hats. These are all good capabilities that I want my banking sites to have!

    So do I want a completely-deanonymized Internet? Hell no. It'd be inefficient (traffic-wise) and it would cost me several critical rights. However, I would love to elevate all critical and financial assets to an elevated attributable domain. There is no good reason they should inherently have to accept anonymous traffic, nor should each of them be independently responsible for (in their own manner) establishing client identities.

  • by mlts ( 1038732 ) * on Saturday July 09, 2011 @01:35PM (#36705762)

    A .secure domain on the same physical net is one thing. However, what we really need are separate backbones designed from the ground up to carry traffic.

    The US has NIPRNet and SIPRNet. Ideally, it would be nice to see banks and credit card processing places have a "BIPRNet" just so that machines from bank "A" can contact bank "B" via a secure link, preferably a separate physical wire than what the traffic from the outside runs on. This way, a blackhat would have to find a machine that sits on both networks, and go from there. If the network backbone is set up to allow communications only between machines that have a business need to see/connect to each other, it would make that backbone quite secure. Adding an IDS/IPS system will make compromise even more difficult.

    Same with SCADA stuff. It needs its own backbone, then hardened computers that relay the diagnostic info from the embedded controllers to where it needs to be. I've even used two machines that were connected to each other via a one way serial port (slow link, but it worked getting the small datasets across, and one tx/rx pair was disabled so data could only move from the inner network to the outer) to ensure that the inner embedded network would require physical access to be compromised.

    Good internet security is not a matter of "can't". It is a matter of "won't".
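
The one-way serial link mlts describes cannot carry acknowledgements back, so the sender has to frame and repeat its data and the receiver has to detect loss on its own. An added sketch of such framing follows (not code from the comment; the frame layout, marker bytes and function names are assumptions made for this example):

```python
import struct
import zlib

MAGIC = b"\xd1\x0d"              # constructed frame marker, not from any standard
HEADER = struct.Struct(">2sIH")  # marker, sequence number, payload length


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: header + payload + CRC32 computed over both."""
    head = HEADER.pack(MAGIC, seq, len(payload))
    return head + payload + struct.pack(">I", zlib.crc32(head + payload))


def send_stream(records, copies=2):
    """No ACK can come back over the link, so each frame goes out `copies` times."""
    out = bytearray()
    for seq, rec in enumerate(records):
        out += encode_frame(seq, rec) * copies
    return bytes(out)


def receive_stream(stream: bytes):
    """Receiver side: resync on MAGIC, drop corrupt frames, report sequence gaps.

    Returns (payloads in sequence order, missing sequence numbers). Losses after
    the last frame seen cannot be detected without an agreed record count.
    """
    accepted, pos = {}, 0
    while True:
        pos = stream.find(MAGIC, pos)
        if pos < 0 or pos + HEADER.size > len(stream):
            break
        _, seq, length = HEADER.unpack_from(stream, pos)
        end = pos + HEADER.size + length + 4
        if end <= len(stream):
            body = stream[pos:end - 4]
            (crc,) = struct.unpack(">I", stream[end - 4:end])
            if zlib.crc32(body) == crc:
                accepted.setdefault(seq, body[HEADER.size:])  # ignore repeats
                pos = end
                continue
        pos += 1  # bad length or checksum: slide forward and resync
    if not accepted:
        return [], []
    missing = [s for s in range(max(accepted) + 1) if s not in accepted]
    return [accepted[s] for s in sorted(accepted)], missing
```
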

  • Re:Actually (Score:4, Interesting)

    by FreelanceWizard ( 889712 ) on Saturday July 09, 2011 @01:40PM (#36705810) Homepage

    What's funny about this is that we *already* have this setup. SIPRnet, JWICS, and other networks running on the Defense Information Systems Network (DISN) are already segregated from the public Internet by an air gap. This is actually required for any classified data. Information can sometimes enter a classified network from the outside world, but the mechanisms for doing so are extremely circumscribed and a massive amount of analysis has to go into making such systems "provably secure." In practice, NIPRnet and SIPRnet require different physical terminals. That's why we have things like the presidential Blackberry, which is essentially two Blackberries in the same case with a physical switch to swap between the unclassified and classified systems.

    As for utilities and the like, sure, you have two options. One is to airgap the communications network, which is what I'd advise given the shoddy quality and poor security record of SCADA systems. The other is to use secure communications from the transport layer up and to use defense-in-depth principles. Of course, that requires building security into the system from the ground up, and very few companies and people are willing to do that. In light of that, an airgapped network makes sense. If a truly independent network isn't needed, every backbone provider is more than happy to provide MPLS virtual networks for the right price.

    In the end, though, I think the problem is that utilities don't want to spend the money on what they feel has no deterministic ROI (cf. trying to get a company to buy a disaster recovery system). This is rational self-interest, especially when you consider the explicit guarantee of insurance and the implicit guarantee of the government for critical infrastructure. The solutions are simple: enforce proper controls through regulation or nationalize the infrastructure so rational self-interest is removed.

  • Morons everywhere (Score:4, Interesting)

    by WaffleMonster ( 969671 ) on Saturday July 09, 2011 @01:50PM (#36705904)

    This is what happens when politicians who know nothing about security or network infrastructure make high level design decisions.

    Securing the wire always has been and always will be a lost cause. Just click the little require secure connections only button in all of your operating systems (IPSec) and you have yourself your secure private network.

    There is no reason to segment traffic. On a large network you can expect someone on the network will eventually be compromised by an insider or determined adversary. Given this reality, a physically separate network must not be relied on to convey any security at any time.

    All it means is you don't see a bunch of botnets launching blind attacks 24x7. It means important infrastructure on a "secure" network becomes as complacent and vulnerable as the machines behind corporate firewalls. It is human nature. Without constant pressure it will happen. If you are tired of the random hits use IPv6.

    Never trust the wire.. Just don't do it. It is always stupid and you will always be burned by it.

    A few other points needing to be made:

    If the content of your communication can not be private good luck with your "secure" network.

    Federated authentication systems tend to induce weaknesses in server authentication. Imagine everyone on earth was using openid or had the same password file. You could login to any computer you wanted with your credentials.

    This means:

    The material which authenticates you as a person can not also be used to authenticate the service you are consuming as everyone has access to the authentication system. Even if your credentials are never exposed your authentication provides you with no assurances with regard to the service you are consuming beyond an unbound trust anchor.

  • by MimeticLie ( 1866406 ) on Saturday July 09, 2011 @01:51PM (#36705914)
    No, what he is proposing is "levels" within the existing internet that would require varying amounts of identification. From TFA:

    Mulvenon, an executive at Defense Group Inc., a government contractor that provides agencies with intelligence analysis, has in mind a three-level network. "If you want to do banking, there's no anonymity," and users would need to enter true names and digital credentials to operate in the space, he said. The middle level, perhaps applicable to the .edu domain, would require fewer personal details from visitors.

    "At the bottom, you can run around like a hobbit," he said. "How can you have a multilevel system that allows you to play up here and down there and doesn't compromise your ability to play?" is the challenge.

    The article doesn't have any quotes from Alexander or Hayden, but it has some from others talking about the same plan. Despite the FUD that the proponents of this plan are spreading, this isn't about securing crucial industrial infrastructure. It's about creating a special ".secure" TLD that would somehow be outside the protections the Fourth Amendment grants on search and seizure with the stated goal of eliminating anonymity. So it's clearly not about "cyberattacks" either, as requiring credentials has nothing to do with DDOS.

    So then what is this (not) new network? Given that it's being pushed by Michael "warrantless wiretaps" Hayden, the whole Fourth Amendment link starts to make sense. It's not about eliminating anonymity from secure transactions (it's not like credentials aren't already required for all this stuff. Hell, even World of Warcraft had 2 factor identification available), it's about bypassing your right to privacy. The government (and defense contractors like, oh I don't know, Defense Group Inc.) would be able to datamine all that juicy stuff they currently aren't allowed to touch because of those pesky "constitutional protections". China is the model here:

    Nations with fewer civil liberty protections, including China, use "deep packet inspection" to search all Internet traffic for viruses -- as well as anti-government content, noted James Mulvenon, a China and cybersecurity specialist. Due to privacy laws, the United States cannot monitor private network traffic using this approach. Mulvenon questioned whether such restrictions give other nation states the upper hand in cyber defense.
