William Jackson: CyberEye



By William Jackson



Will IPv6 ever have a killer app?

The volume of IPv6 traffic, though still small, has grown steadily over the last year. Although most federal agencies missed the Sept. 30, 2012 deadline for enabling the new protocols on public-facing Web sites, they are slowly adopting IPv6. Hurricane Electric, which bills itself as the world’s largest native IPv6 backbone, has announced that it has connected more than 2,000 IPv6 networks.

But the world still is waiting for a reason to make the move. To date, the main reason for transitioning to the new Internet Protocols is that you have to. The Office of Management and Budget told agencies in 2010 that they had to enable IPv6, and the pool of available IPv4 addresses is drying up. Anyone who wants large blocks of new addresses now must get them in IPv6.

So far, however, the new protocols are being used pretty much like the old ones. When will we see a killer app that will make people want to use IPv6, and what will it be?

There has been a lot of talk in the last decade about the improved security that can be achieved with IPv6, the new Internet of Things it will enable and the benefits of true end-to-end connectivity once everyone gets rid of Network Address Translation (NAT). A global organization such as the Defense Department stands to benefit from access to a nearly endless supply of IP endpoints that could be used to monitor, track and control millions of things anywhere in the world.
 
But despite changes such as the rapid growth of mobile devices, we still are using IP devices pretty much the same way we have for years. Screens are smaller, keyboards are virtual and there is some location-specific functionality, but a mobile device essentially is a little IPv4 PC.

Owen DeLong, IPv6 evangelist for Hurricane Electric, obviously is a fan of the new protocols. He thinks doing away with NAT will be a good thing. So what does he think the killer app for IPv6 will be? “None,” he says. People don’t feel they are missing anything with IPv4 now, and the benefits of a new set of Internet Protocols are too complex for today’s short attention spans. “It’s not something you can explain to the average user in a 10-word sound bite,” he said.

But the interesting thing about killer apps is that, like the Spanish Inquisition, no one expects them. They are unplanned and become part of our lives before we know it. Is the next one already out there?

Are there any innovative uses of IPv6 by your agency or office? Has anyone found a use for the protocols that enables some functionality that was not practical before? Do you have a problem that you think IPv6 can solve? Drop me a line at wjackson@gcn.com and tell me if the new protocols are being used, how they are being used, or how you would like them to be used. Maybe we can identify a driver for the move to IPv6.

Posted on Mar 14, 2013 at 2:07 PM | 9 comments



Will agencies get squeezed on cybersecurity technology?

It is no surprise that the government faces serious challenges in protecting its information systems, both because agencies are high-profile, high-value targets and because agencies lack the speed and flexibility to effectively counter rapidly evolving threats.

“We have once again designated federal information security and cyber infrastructure protection as governmentwide high-risk areas,” Greg Wilshusen, director of information security issues for the Government Accountability Office, told a Senate panel at a recent hearing.

There are some promising developments in government cybersecurity. The Homeland Security Department, which has the nominal lead in protecting civilian agency systems, is taking the initiative to help develop tools and programs that could do a better job of monitoring, evaluating and mitigating risks. But those programs are being threatened by the unwillingness or inability of Congress to effectively fund government operations.

“Sequestration reductions will require us to scale back the development of critical capabilities for the defense of federal cyber networks,” DHS Secretary Janet Napolitano told legislators during the hearing.

Napolitano offered no specifics, but with across-the-board cuts mandated under sequestration it is inevitable that worthwhile programs will be hit just as hard as unnecessary ones.

Tools being developed or advanced by DHS include the Cyberscope automated FISMA reporting system, which leverages commercial products that use the Security Content Automation Protocol from the National Institute of Science and Technology.

There also is the National Cybersecurity Protection System that includes the Einstein intrusion prevention system. The department’s Science and Technology Directorate cooperates in the development of secure Internet protocols, and Napolitano said that DHS was a leader in the development of the Domain Name System Security Extensions (DNSSEC).

The National Protection and Programs Directorate is developing a commercial Continuous Monitoring-as-a-Service capability to deploy sensors and feed cyber risk data to an automated, continuously updated dashboard to help agencies see and respond to day-to-day threats.

It is not government’s job to create the technology needed to secure the nation’s cyber infrastructures, and government is unlikely to ever be as nimble and efficient as the private sector in developing security products. But government certainly has a role to play in fostering development of critical tools, especially those such as Cyberscope and SCAP that address government needs.

DHS programs and their results are open to criticism, but the department is taking responsibility to help provide agencies with the tools they need to do their jobs. It would be a shame to arbitrarily slash efforts that could produce real benefits.

Posted on Mar 08, 2013 at 1:21 PM | 1 comment



Can federal cybersecurity survive the sequester?

An optimistic scorecard estimates that federal agencies will meet 95 percent of the administration’s high-priority cybersecurity goals by the end of fiscal 2014, but agencies still have a strong climb remaining in the face of increasing budget uncertainties.

Although the current budget sequester might not have a big impact on recent initiatives to secure critical infrastructure, where the government is playing an advisory role, cybersecurity operations within agencies are likely to take their share of the hit from the across-the-board cuts. How big those cuts will be remains to be seen, but when agencies are struggling just to keep up with a growing surge of cyber threats, it will not be easy to actually make improvements.

The Cross-Agency Priorities are an attempt to bring some order to federal cybersecurity efforts, incorporating milestones into Federal Information Security Management Act reporting metrics and identifying officials to be held accountable. The goals are strong authentication (the use of PIV Cards for physical and logical access control), the Trusted Internet Connections (TIC) program, and continuous monitoring of IT systems. Agency officials will work with interagency groups that include the President’s Management Council, the Performance Improvement Council and the Federal CIO Council.

Based on FISMA reporting for fiscal 2012, the administration estimates 95 percent success by the end of fiscal 2014. But as of the first quarter of fiscal 2013, only TIC consolidation was in the green, with an 84 percent completion rate. The strong authentication and continuous monitoring efforts both were in the red at 57 percent and 78 percent, respectively. The overall scores for the priorities actually dropped from 76.82 percent in the last quarter of fiscal 2012 to 75.87 percent in the first quarter of 2013, a drop ascribed in the report to “adjustments and improvements to measurement methodology.”

The effort to prioritize cybersecurity initiatives with milestones and deadlines is worthwhile. But considering how long the TIC, PIV and continuous monitoring initiatives have been in place, the race to the finish is looking more like a slog than a sprint.

Indiscriminate budget cuts are not going to help progress in an environment in which security officials have to run as fast as they can just to keep up. If Congress cannot match budget to operational priorities, don’t expect to see a lot of progress in the next two years.

Posted on Mar 07, 2013 at 11:08 AM | 0 comments



Fight cyber with cyber, or hit 'em where it hurts?

One topic that was notable by its absence at this week’s RSA Conference in San Francisco was the widespread economic and military espionage being conducted by China. It’s not that the subject wasn’t mentioned, but it was just background and not news. Everyone in the security community accepted long ago that the Chinese are going online to steal intellectual property and other sensitive data.

The current mantra in security is that it is “when” and not “if” your IT systems will be breached, and two paths to cybersecurity are emerging. Although many cybersecurity practitioners say, “forget the attacker and focus on the risk,” there also is a growing consensus that sophisticated cyber espionage must be met with political and economic responses.

In his opening keynote at the conference, RSA’s executive chairman Art Coviello called for the speedy adoption of next-generation intelligence-based cybersecurity that would leverage big data by extracting meaning from growing masses of unstructured data.

“Collectively, we’re not winning,” he said of the growing threat from rival nations. “But we haven’t lost yet, either.”

Although attributing attacks is important, it is not necessary in defending systems, he said. What is necessary is automation to monitor conditions and activity on systems, and standards to enable analysis and correlation of data to recognize and identify threats. The assumption that breaches will occur means that priorities must shift from stopping penetration at a perimeter to dealing with bad actors who already are on the inside. Vendors on the showroom floor at the conference already are integrating big data analysis in their security offerings to help do this.

On the other hand, there is awareness that technology alone will not solve the problem and that government must take a hand in responding to attacks from nation states, although not necessarily militarily. Attributing a given attack to a specific individual or organization is not necessary, proponents say. When a problem has been going on for years, “everybody knows” who is behind it and that is enough for the diplomats and policy makers to take action.

In the case of China, there is a global acceptance that the nation is engaged in cyber espionage. But some set of international norms for behavior in cyberspace is needed to enable this type of pressure. China does not have to admit that it has been hacking our computers in order for diplomatic pressure and economic sanctions to have an impact on its behavior. Warnings that its behavior is outside the pale could be effective, once that pale is established.

This type of pressure would not work at cyber speed and does not eliminate the need for IT security, warned Jim Lewis, cybersecurity program director at the Center for Strategic and International Studies. “You really have to keep drilling on them,” he said. “This is a process that will take several years of constant pressure.”

Unfortunately that process has not yet really begun. “Most of our policy is aimed at stopping penetration,” a battle that recent history has shown we cannot win, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit. Focusing on defenses from the inside and dealing with the economic drivers for cyber espionage will require policy makers to have a technical understanding that they now lack.

Making a beginning in cyber diplomacy will require replacing some wonks with geeks, Borg said. Some of the Silicon Valley types will have to trade their t-shirts and sneakers for wingtips and ties on Capitol Hill. “Cybersecurity professionals should seize cyber policy,” he said.

Posted on Mar 01, 2013 at 12:59 PM | 0 comments