Why the FBI’s 'new Internet' is a dumb idea The FBI’s Shawn Henry says the world needs a second Internet for critical systems – apparently never having been told what a “private network” is when you don’t prefix it with the word “virtual” – and the idea is taking off in other quarters. Here’s why it’s a dumb idea: it won’t work. It’s not just that the easiest defenses …
... that you don't prevent bank robberies by building special roads to the bank. Dedicated network? Er, wasn't that where all those Wikileaks cables came from?
Maybe the G-men need to read End-To-End Arguments in System Design, J.H. Saltzer, D.P.Reed, D.D.Clark, ACM TOCS, Vol 2, Number 4, November 1984, pp 277-288.
The recent case of US drone control systems being infected by a virus:
http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
These systems were not connected to the internet (probably not on a network of any kind), the assumed path of infection being via USB drives being used to transfer updated maps etc. to the control systems.
The systems ARE connected to the Internet and were compromised by someone on the inside playing a Facebook game.
If they weren't connected to the Internet, it would be completely irrelevant if they were compromised by USB sticks because nobody would be able to retrieve data or take control of systems.
Only villains are going to go to the bother of faking macs, the Feds don't care about them, their entire reason d'être is to instill fear into the general populace so governments can more easily control them, and as for why they don't read... anything, they're programmed on a need to know basis.
As for building new internets - like the natural world, the Internet can survive nukes or inbound asteroids, but it's got no hopes against man.
To serve man. 'It's a cook book, A COOK BOOK!'
Sort of an interesting idea. However what could be a really good idea is to talk to a real actuary, and see what they think. Actuaries certainly work in risk, but they are to a large extent statisticians. Without a statistical basis for risk assessment it becomes a different problem.
This is the issue with quantifying internet security. There isn't the equivalent of the underwriters laboratory that certifies materials and components, and there aren't standards bodies that build standards built upon centuries of experience. Worse, there is no way of quantifying the effects of a security breach ahead of time. There are no easy risk/cost curves. There are huge discontinuities in the problem. This isn't likely to be a place where actuaries play. But a professional actuary might well differ with me. Hearing from one would be interesting.
When I worked with SAC communications we had redundancy upon redundancy upon redundancy.
This reminds me of that; We had two sets of land lines connecting all sites. NO line went the same route or through the same equipment. On several occasions we found telcos routing the redundant lines through the same switch and had to demand a change for security reasons. This made for a very robust system and it was only the first tier of at least three... Shouldn't detail the others.
The point is that if enough money was spent to build an independent network it would be so complex that security would still be a huge issue due to the complexity.
So FAIL.
The problem is almost ENTIRELY technical. Stuxnet targeted 4 ZERO DAY VULNERABILITIES. It doesn't matter what "behaviors" are when systems are as absurdly vulnerable as all of them are. Creating networks that are not connected to the Internet in any capacity would entirely solve the problem. Only someone physically entering your facility, physically accessing your computers, and downloading information to a portable media device, would compromise your data. And that is a physical security issue - not a technical one.
Yes, behavior is the number one problem. That said it's a self correcting one that does not need an additional "tax" to be levied.
As each of these companies runs afoul of various hackers they will fix their own systems. However, other, arguably more intelligent, business owners will learn from others mistakes and be proactive.
Let the smart companies figure this out and the dumb ones o away.
There ALREADY IS A "SECOND INTERNET"!!
Hell, there are at least two, the Joint Worldwide Intelligence Communications System (JWICS for short, which Justice probably isn't allowed to use) that is not connected to the wider Internet. And the National Security Agency Network, which may (or may not) be connected to JWICS but also is not connected to any wider network. There are probably also more networks than that which are totally private.
The WikiLeaks stuff was all SECRET, you can route SECRET data over a system thats connected to the wider internet. With TOP SECRET information it cannot be, it has to be routed over JWICS or NSANET (depending on if its over a COMINT distribution or not) uses a dedicated network separate from the rest of the SIPRnet, NIPRnet and Internet.
Basically the FBI proposes to duplicate one of DISA's better efforts for the Intelligence Community. And they're going to get away with it because they'll scream "Think of the Children!!" and other such claptrap. They'll half-bake it, it'll half work, and when it gets breached it'll make all of us who are really in the community look like unprofessional dolts that work for Justice.
But we're all on the same team now, y'know. Which basically means they do whatever they want, and we'll get blamed for it when they screw up.
"It seems like everybody’s forgotten that Stuxnet wasn’t an Internet-borne attack. It was carried on a USB key: the kind of attack vector that will still exist on Henry’s proposed secure Internet."
In the stuxnet example, "sneakernet" is definitely part of TehIntraWebTubes[tm].
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
