The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.
The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”
It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable.
I'd like to share five reason why I think this approach will fail.
- "dot-secure" becomes new target number one. I can't think of an easier way to help an adversary target the most critical information and capabilities on industry computers. If you're going to attack a company with hundreds of thousands of users and computers, it can be tough to decide where to focus attention. Multiply that target set across dozens or hundreds of companies and the adversary's problems also multiply. Now, suppose those companies put their most sensitive, important data on "dot-secure." Now all the adversary has to do is penetrate that network and take everything.
- "Separation" is a fool's goal. Didn't we just read about Operation Buckshot Yankee, where malware jumped between networks of different classification levels? I guarantee users will want and need to transfer information between their normal company Internet-connected computers and "dot-secure." As long as those vectors exist, there is no "separation."
- The network will be too big to keep "secure." Organizations build networks because there is value in exchanging information. In fact, the larger the network, the more valuable it becomes. So, what organizations will be allowed to connect to "dot-secure"? It will surely be more than the small handful that have a prayer of successfully defending themselves from APT and similar threats. That means weaker organizations will participate, and they will be compromised. As the network grows, it will get weaker and weaker.
- How can "dot-secure" be any more successful than SIPRNet? I don't expect "dot-secure" to be as well-protected as SIPRNet. (And calling SIPRNet "well-protected" is probably causing some people to laugh.) Trying to get a SIPRNet terminal deployed is very expensive, and I don't expect DoD to make the same demands upon organizations as those required to host SIPRNet terminals. Many people consider SIPRNet compromised (I'm repeating public rumors, not confirming -- I have no direct knowledge), so why would "dot-secure" be any more successful?
- "dot-secure" is another technical "solution" to a non-technical problem. I am dismayed to see DoD, of all places, taking a vulnerability-centric approach to an inherently threat-centric problem. It's clear that DoD is much more proficient in offense and that the "defense" part of the Department's name is increasingly misplaced. (I prefer the original "Department of War" anyway. Let's not fool ourselves!) How many hundreds of millions, or billions of dollars of taxpayer money could be wasted on "dot-secure," only to see DoD report to the Secretary or the President in 5 or 8 years that the network is also thoroughly compromised. Oops!
I think it would be far cheaper, and more effective, to engage the diplomatic and economic instruments of power to convince threats that they should keep their military and state hands out of American private enterprise.