Should Obama Control the Internet?

[Headless Thompson Gunner]

I had a chance to meet Gen. Elder of the Air Force Cyber Command.  I have no doubts that we need a cyber command and that Gen Elder and the Air Force are the right people to run it.  I have no doubts that this cyber command should protect all DoD infrastructure, as well as monitor (if not actually protect) all private communications infrastructure within the US.

About the only thing wrong with the Air Force Cyber Command is its hokey name.

I think our country really needs to take heed of what the Russians did to Estonia.  We absolutely cannot afford to have something like that happen to the US.

This new law being proposed does not sound like the right way to do things, though.  As the saying goes, with computer security the devil is always in the details. 

[Perd Hapley]

Of course Obama should control the internets.  Remember, dereggulation made the economy suck.  If we cling to this notion that the internets can regulate itself, Bush/Cheney/McCain/Palin/Jindal/Satan will make it sucks to.

[Gewehr98]

Yeah, they could've come up with a better name, at least.   

[RevDisk]

I had a chance to meet Gen. Elder of the Air Force Cyber Command.  I have no doubts that we need a cyber command and that Gen Elder and the Air Force are the right people to run it.  I have no doubts that this cyber command should protect all DoD infrastructure, as well as monitor (if not actually protect) all private communications infrastructure within the US.

Dunno Gen Elder, but Gen. Lord (CO of the 24th Air Force, aka Cyber Command Provisional) is a good guy.  Don't know much about his history or his abilities as an officer, but he seemed very straightforward about the issues facing his NAF.  He used the China attacks on US networks as an example of the fact of how hindered ANY notional IEW unit would face.  China is an important trade ally, and the US military can't exactly declare war on them even if they are being attacked by them.  He acknowledged that it will be very difficult to draw in non-military talent.  (ie, most US hackers and IEW experts won't want to wear an USAF uniform or take a drastic paycut)

To directly quote him when he was asked why the AF was trying to do this instead of DISA or the NSA (the people already doing the work the USAF wants to duplicate) as many folks have pointed out, "Our first priority is to work with DoD to defend AF military resources, but many of those resources rely on civilian entities, so we obviously have a keen interest in protecting those items as well."   I think it was his way of saying without a lot of money, there's no way he could protect the entire DoD in place of the established groups already doing so. 

As for the 24th Air Force monitoring, let alone protecting, the entire private infrastructure?  They'd need to be ten times as large as DISA to do so.  Not to meantion, repeal a lot of laws on the book and gut parts of the US Constitution.  Not gonna happen.

[tyme]

Rather than tasking one or several government entities with the security of critical infrastructure, why not simply create one that does nothing but pentest critical infrastructure, without giving them operational authority over the networks they're testing?  There would need to be an efficient means of communicating vulnerabilities, and depending on the severity, the NSA/DISA/AF might be allowed to intervene provisionally to patch or mitigate a new vulnerability.  But I suspect that's already the case.

I very much share revdisk's reservations about any one entity being able to control all critical infrastructure.

If the worry is that critical infrastructure is vulnerable, the answer is not to give Obama or the AF operational control over it all.  The answer is to test it more, and to have better procedures for dealing with security problems.

[Headless Thompson Gunner]

To hear Lt Gen Elder talk, it sounds like the AF doesn't want to operate any infrastructure.  They simply want the US to have the capability to observe, defend, and attack within this peculiar domain.  (So do I...)

As relates to information and communication infrastructure, they simply want to be able to monitor the infrastructure, so that they know where and when attacks are occurring, and so that the appropriate responses can be initiated.

The analogy they used is that of highways.  They don't care who built our roads or who maintains our roads or who secures them.  They do want someone to have the ability to see when the Red Army is rolling any tank divisions down our roads, and to have some means to defend and counterattack on the roadways.

Again, I'm not sure the legsislative bill described in the article has anything to do with this.  It probably doesn't.

DISA is good, but their job description and expertise isn't applicable here.  NSA, too, is valuable but ancillary.

[RevDisk]

Rather than tasking one or several government entities with the security of critical infrastructure, why not simply create one that does nothing but pentest critical infrastructure, without giving them operational authority over the networks they're testing?  There would need to be an efficient means of communicating vulnerabilities, and depending on the severity, the NSA/DISA/AF might be allowed to intervene provisionally to patch or mitigate a new vulnerability.  But I suspect that's already the case.

You'd still need the voluntary agreement of the owners of the non-government infrastructure.   But yea, a central pen-tester or advice giving entity would be nice.  You are right that NSA and DISA already do this (see above links), but not in any comprehensive manner.  The NSA often technical review on erm...  critical software.   There's no official and public guidelines, but it's always done with the owner's permission.  Granted, I would think any software manufacturer would be deliriously happy to get a software review by someone as technically advanced, well staffed and generally knowledgable as the NSA.  To get it at no cost would be the icing on the cake. 


One example is _NSAKEY built into all versions of Windows.  Microsoft generated a digital signature to sign cryptographic modules.  That's good.  On the other hand, during the tech review, NSA mentioned it was unwise to have a single source for the key (which they did on the first key).  The theory is that whoever generated the initial key knows the entire key, thus can be forced to give it up.  If you're making a key for something that you really don't want anyone to ever break, you don't want anyone really knowing the entire key.  If no one knows the key, there is no physical way for that key to get compromised by a single source.  The trick is using secret splitting, which splits the inputs for generating the digital signature into several pieces with no single person or group knowing the entire key.  So they included a second sig into a part of Windows, this time a split key generated sig.

Naturally people assigned all amounts of tin foil hattery to that episode, but it was pretty straightforward tech review. 

DISA is good, but their job description and expertise isn't applicable here.  NSA, too, is valuable but ancillary.

I'd agree if you were saying that DISA isn't good for this task because they're used to owning the hardware and not advising from the sidelines.  I still think they'd be good at advising very large enterprises, because that's what they do.   On a tech level, there's very little difference between a government or private enterprise network.  Both use mostly the same products.  Oh sure, config and policies are different, but the underlying tech isn't.

[Headless Thompson Gunner]

This isn't a problem of securing a few networks or generating some strong crypto algorithms.  This is about recognizing that data systems represent tangible, national-security-scale infrastructure on the same order as bridges and factories and cities and whatnot.  It's about recognizing that these asset exist within a domain that is entirely new to the military.  Any nation that wishes to have an effective national defense is going to need to know how to operate within this domain. 

This is why I was so pleased to hear LtGen Elder give his presentation.  He's the first prominent military man I've seen who understands this issue in the right light.  He seems to grok that some sort of cyber command (for lack of a better term) is as vital as an army, navy, and air force.  A nation will need to fight on land, sea, and in the air in order to defend itself.  It will also need to fight on the cyber plane.  Just ask Estonia and Georgia.

DISA and NSA do not know how to fight within this new domain.  They each have a piece of the puzzle, but they aren't anywhere near sufficient for this problem.

[Perd Hapley]

I still say Obama SHOULD control the internet.  His Merciful Suaveness controls all other things; tides, crops, economic realities...

[Gewehr98]

DISA and NSA are not warfighters. 

They never have been, and they never will be.

Cyber Command is a step in the right direction, if we want to defend against hostile foreign attacks and fight back with some measure of success.

It will require the joint cooperation of all the agencies named in this thread to provide a useful, multi-layered capability.

I know that hurts some people's feelings, and they may even feel like their toes are being stepped on, but Information Warfare is nothing to be discounted in this day and age.