Saturday, May 29, 2010

More Evidence Military Will Eventually Defend Civilian Networks

In my Predictions for 2008 I wrote "Expect greater military involvement in defending private sector networks." About one year ago I wrote NSA to "Screen" .gov Now, I Predict .com Later. Now, thanks to a new article by Noah Shachtman titled Cyber Command: We Don’t Wanna Defend the Internet (We Just Might Have To), we read the following:

At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks...

“I think it’s gonna have to be voluntary,” he added. “People could opt into protection – or choose to stay out. Individual users may well choose to stay out. But in terms of protecting the nation’s security, it’s not the individual users [that matter most]. I mean, they have to worry about their individual [data], their credit rating, and all that. But it’s the vulnerability of certain critical infrastructure – power, transportation, finance. This starts to give you an angle at doing that.”

How? Kim Zetter's article Pentagon: Let Us Secure Your Network or Face the ‘Wild Wild West’ Internet Alone explains:

Defense Deputy Secretary William Lynn III, speaking at the Strategic Command Cyber Symposium in Nebraska, said we need to think imaginatively about how to use the National Security Agency’s Einstein monitoring systems on critical private-sector networks — such as those in the financial, utility and communication industries — in order to protect us.

“Operators of critical infrastructure could opt in to a government-sponsored security regime,” Lynn said. Otherwise, “individual users who do not want to enroll could stay in the wild wild west of the unprotected internet.”

I've written about Einstein before. However, I am dismayed to continue reading commentary like the following by Secretary Lynn:

“You’re starting to anticipate intrusions, anticipate threat signatures, and try and prevent things from getting to the firewalls rather than just stopping at the firewalls.”

Please. I've been hearing these sorts of ideas since the late 1990s, and no one can do it. As long as the adversary maintains the initiative and operational security, no defender is going to "anticipate intrusions," or "anticipate threat signatures."

Still, I expect Einstein to start appearing on private networks, probably in 2011. I doubt when it happens anyone will be able to talk about it, due to some kind of legal construct the government will devise and CIOs will adhere to.


Atul Agarwal said...

I am unsure how it will help. I am unsure of the Govt's ability to protect networks.

I haven't read the complete article, but without the co-operation of private players, op. Einstein might not be that effective after all.

A "government-sponsored security regime" might create a false sense of security and worsen things.

Anyway, it depends on how the implementation turns out.

PS: If something like this was going to happen in India, we'd be doomed..

Felix_Dzerzhinsky said...

The Department of Defense can't even protect their own computers. We're supposed to rely on them?

Just a sample:

Anonymous said...

Protect... well, maybe. But the intel types will definitely enjoy having sensors in more locations. In some ways this could be good, since folk of that ilk genuinely do want to help protect us, but I'm uncomfortable with what this means for liberty and privacy generally.

Paul Mudgett said...

If the government assumes responsibility for protection in the private sector, do they also assume the liability for compromise in that arena? Doubt it.

CyberG said...

Honestly, I think this is a good thing, but not as good as what they might make it out to be. Of course the three-letter agencies will love the data feeds and the budget increases that go along with it. However, the key benefit would be that breach notification should occur in weeks/months instead of months/years. As a .com, I would force a binding agreement that the monitoring agency must inform me of a breach within X hours and not let it continue so they can monitor and track hop points. That decision should be made by the private entity. To provide some real value, they should consider a federated blocking model so that malicious domains/IPs are quickly blocked across the monitored networks. This achieves the benefit of being a part of a bigger group of monitored networks.

Anonymous said...

Felix has it right... the DoD gets graded "D" or "F" every year by the GAO on their IT security.

Richard Bejtlich said...

FISMA "grades" do not describe real security...