Saturday, September 25, 2010

Five Reasons "dot-secure" Will Fail

In Cyberwar Chief Calls for Secure Computer Network this week, Thom Shanker reported the following:

The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.

The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”

It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable.


I'd like to share five reasons why I think this approach will fail.

  1. "dot-secure" becomes new target number one. I can't think of an easier way to help an adversary target the most critical information and capabilities on industry computers. If you're going to attack a company with hundreds of thousands of users and computers, it can be tough to decide where to focus attention. Multiply that target set across dozens or hundreds of companies and the adversary's problems also multiply. Now, suppose those companies put their most sensitive, important data on "dot-secure." Then all the adversary has to do is penetrate that network and take everything.

  2. "Separation" is a fool's goal. Didn't we just read about Operation Buckshot Yankee, where malware jumped between networks of different classification levels? I guarantee users will want and need to transfer information between their normal company Internet-connected computers and "dot-secure." As long as those vectors exist, there is no "separation."

  3. The network will be too big to keep "secure." Organizations build networks because there is value in exchanging information. In fact, the larger the network, the more valuable it becomes. So, what organizations will be allowed to connect to "dot-secure"? It will surely be more than the small handful that have a prayer of successfully defending themselves from APT and similar threats. That means weaker organizations will participate, and they will be compromised. As the network grows, it will get weaker and weaker.

  4. How can "dot-secure" be any more successful than SIPRNet? I don't expect "dot-secure" to be as well-protected as SIPRNet. (And calling SIPRNet "well-protected" is probably causing some people to laugh.) Trying to get a SIPRNet terminal deployed is very expensive, and I don't expect DoD to make the same demands upon organizations as those required to host SIPRNet terminals. Many people consider SIPRNet compromised (I'm repeating public rumors, not confirming -- I have no direct knowledge), so why would "dot-secure" be any more successful?

  5. "dot-secure" is another technical "solution" to a non-technical problem. I am dismayed to see DoD, of all places, taking a vulnerability-centric approach to an inherently threat-centric problem. It's clear that DoD is much more proficient in offense and that the "defense" part of the Department's name is increasingly misplaced. (I prefer the original "Department of War" anyway. Let's not fool ourselves!) How many hundreds of millions, or billions, of dollars of taxpayer money could be wasted on "dot-secure," only to see DoD report to the Secretary or the President in 5 or 8 years that the network is also thoroughly compromised? Oops!


I think it would be far cheaper, and more effective, to engage the diplomatic and economic instruments of power to convince threats that they should keep their military and state hands out of American private enterprise.

14 comments:

Keydet89 said...

Richard,

I totally agree with you, particularly with respect to #5.

"...allow the government to impose greater protections..."

Oh, no you didn't! ;-)

Anonymous said...

'"Separation" is a fool's goal' .. really?? Them there are fighting words. I know you are a major advocate of threat based security, but limiting systems' communications to the minimum amount necessary sounds an awful lot like fundamental good practice to me. Giving one example where separation didn't completely work (do you have any metrics on whether it helped to reduce the impact?) doesn't mean you should completely write a control off, surely?

Bob

rigtenzin said...

Bob has a good point. Richard, please respond.

Rob

Anonymous said...

Money better spent convincing "military and state hands?" Unfortunately, threats do not necessarily come from countries with an organized army, or diplomats...remember 9/11?

Laurent D said...

Step 1: Buy/Hack/Use a company that is already in the dot secure to access other companies in the same zone.

Step 2: Hack

Step 3: ???

Step 4: Profit

Anonymous said...

I think item #3 is the biggest issue. We can already see a problem with scope in the excerpt you included which goes from power grid to banking, aviation, etc. And that's not even to start digging into what capabilities they want to build into this...which itself certainly won't be pretty. We'll go from "simple" networking requirements to piling on everything anyone can think of. It just won't ever get going. Everyone will be interested in building it perfect the first time, which can't happen, rather than a long-term evolution.

What about a bank that ends up being owned by someone else we maybe shouldn't trust? You pretty quickly need the same amount of protection inside this secure area as you do in the general Internet.

This sounds like a path backwards from the trend of interconnectivity.

-LonerVamp

Anonymous said...

Please respond to Bob's comment about separation. Separation is a fundamental security control that is a part of defense in depth.

Dan said...

I have to agree with Bob, separation is NOT a "fool's goal". Air-gaps provide actual security - they are one of the few things that do. If air-gaps are being foiled by the lazy and/or incompetent - that is a totally different issue. We'd be better off with more air-gaps not less. (Why exactly are civilian power control networks connected to the Internet?)

If we built a "dot-secure" why would we be hooking all of these disparate organizations to it? Does the DoD really need to share a secure link to the civilian power infrastructure? Does the DoEd need to talk to the military on a secure network with any frequency? The value of a network does not always increase as the numbers of participants increases. Sometimes the value of a network is dependent on it NOT being ubiquitous.

It's appropriate that this presentation was given at the cryptologic museum - because the thinking behind it certainly belongs in a museum.

Dan said...

>How many hundreds of millions, or billions of dollars of taxpayer money could be wasted on "dot-secure," only to see DoD report to the Secretary or the President in 5 or 8 years that the network is also thoroughly compromised. Oops!

You know... Something about this scheme reminds me of this: http://www.youtube.com/watch?v=T2PdyxMtiYM

"If we built this large wooden badger..."

Indeed.

Richard Bejtlich said...

I called separation a fool's goal because, while it's a nice idea, it will totally fail. It will be as real and effective as the "air gaps" between industrial control systems and the Internet. Oh wait...

Anonymous said...

Mr. Bejtlich,

As a Reuters reporter on deadline, I'd like to speak to you by telephone if possible regarding your interesting dot secure points. It's for a piece on this subject.

Please ping me if you have a free moment: jim.wolf at thomsonreuters.com
Thank you very much in advance,

Michael Cloppert said...

All,

I left a long comment describing why I feel isolation is an effective control, but this was indeed a fool's errand. Apparently it was too long for the form and I lost it all - ha!

I reproduced my thoughts in my blog here. I welcome any comments, feel free to leave them here in Richard's blog, or in mine (or both).

Mike

Anonymous said...

Would a MAJOR communications company be considered part of the critical infrastructure that would have to be protected on this secure network? What about all their customers, many of which would not be considered part of critical industries, would they also be brought under this secure network? What communications would be regulated/controlled/monitored within this secure network?

Anonymous said...

This is exactly right. It'll start out secure and a month later someone will have connected something. This happens all the time - people are in a hurry, or they need to recharge a mobile device and plug it in, or they add COTS. I'm surprised the idea is still around.