2010-10-01

Why there shouldn't be a dot-secure

A few days ago, Cyberwar Chief Gen. Alexander proposed building a separate, secure network for the nation's critical infrastructure. By now, this has been widely derided by many security specialists, but I wanted to throw my hat in the ring with a few comments.

Separation is an effective control in theory. One chronic problem our industry suffers is "ivory tower" syndrome, with decisions divorced from reality. This is an example.

SIPRnet is an example of where separation has effectively mitigated risk. The DoD's network is largely isolated, and as a result, has mitigated risk that internet-connected networks experience. Notice how I said "mitigated," not "prevented." Security is about risk management, not risk elimination.

The problem with separation comes in the form of exceptions and enforcement. The more exceptions, and and less enforcement, the less effective the separation, and the less risk mitigation. The diminishing role of firewalls as an effective security device is a stark example of this.

Think of this in terms of "meatspace": the Great Wall of China, the Berlin wall, the Maginot line - all were colossal failures for their stated goals. Additionally, the massive investment of resources for construction and maintenance detracted from other more effective strategies, amplifying their detrimental impact. Yet island nations such as Britain, which has had a complete water barrier, has enjoyed the security benefits of this isolation throughout its history.

The general's proposal is a fool's errand. I would say the same about an isolation regime only for the defense industrial base and the DoD, given the interconnectedness and overlap of those networks. What he proposes is a geometrically larger problem, with corresponding increases in the need for exception and difficulty of enforcement. The exceptional cost of such an approach could not possibly justify the resultant risk mitigation IMO. That amount of money would go much further in mitigating risk by investing in broadly-adopted and linked authentication mechanisms, secure DNS, counterintelligence, and cross-industry threat focused network defense.

No comments: