Proposed secure network for critical infrastructure draws fire

Ambitious vision impractical, critics say

The leader of the U.S. Cyber Command wants to develop a secure computer network to defend civilian government agencies and critical civilian infrastructure and industries.

Gen. Keith Alexander, who has dual responsibilities as commander of the Cyber Command and director of the National Security Agency, testified Sept. 23 before the House Armed Services Committee about the new command’s role in defending federal and commercial networks. He suggested the creation of a restricted network that would allow the government to provide greater protection to vital online operations and critical infrastructure — such as financial networks, commercial aviation systems and the national power grid — from Internet-based attacks.

The New York Times reported that the proposed network, which Alexander referred to as “a secure zone, a protected zone,” would provide essential civilian government and commercial networks with protection similar to secret military and diplomatic communications networks. However, he did not say where the boundaries between this new secure network and the Internet would be or how appropriate user access would be granted. He added that the White House is working on a policy review to determine the best approach and whether it will require Congress to grant new powers.

But Alexander's proposal skimps on specifics, said Martin Libicki, a senior management scientist at Rand Corp.

“Security costs money," he said.

Any person or agency interested in buying security systems must first analyze the value they're going to get for the cost, he said. "I’m impressed by the lack of hard economic analysis I see on this stuff,” he added.

Libicki said the key problem with cybersecurity is that it is an engineering issue. When someone talks about cyber issues to Congress or any other audience, they are discussing engineering issues that often go over the heads of the audience — and sometimes, even of the speakers.

“It’s an engineering issue where you don’t have the intuition of the physical world,” he said. “So you either end up losing Congress or you end up oversimplifying matters.”

Another issue is secrecy. Someone involved in intelligence or defense, as Alexander is, is constrained from painting the full picture by the need to keep some things concealed.

“You thought it was tough to understand before,” Libicki said. “Wait until I only tell you half of what you need to know, and then it becomes even harder.”

But he said the two key steps for establishing cybersecurity are determining what to protect and whom to trust. “People spend ungodly large sums of money fixing computer systems when they haven’t asked themselves the first two questions because that’s difficult," he added.

A report in the Washington Post noted that any solutions presented by the Obama administration to protect the private sector will have to involve companies.

“If we’re going to defend networks that are owned and operated in part by industry, the solution can’t be a government-only solution,” Alexander said. “It has to be joint. How do you do that? That’s the key issue.”

He added, “There’s a real probability that in the future this country will get hit with a destructive attack, and we need to be ready for it.”

But providing adequate levels of security for such a new network would likely require the creation of a multi-agency team that would include the FBI, Homeland Security Department and Defense Department. Each agency has its own authorities, and determining how such a group would work together would be a challenge.

Some critics believe such a massive defensive infrastructure would be impractical. Joe Weiss, an expert on securing control systems in critical industries, told the Washington Post, “It would be very difficult to try to interconnect all these different companies including the government. This isn’t just one entity where you walk a wire around Potomac Electric. You have all the neighboring utilities that you need to connect to. You would also have all the other major industrial operations — and with Smart Grid, conceptually, every homeowner. This is not simple.”

inside gcn

  • russian email hack (Bakhtiar Zein/Shutterstock.com)

    Mueller indictment details hacks on state election systems

Reader Comments

Mon, Sep 27, 2010

Suggest we all look into home power systems! How will the Government screw up the power grid is anyone's guess!

Mon, Sep 27, 2010

A civilian equivilent of SIPRNET would be a useful thing, but it is unlikely many private concerns will join up if the government is driving the train. Their track record for setting up secure and cost-effective networks is less than stellar. It will likely have to grow the same way the original internet did- a few point-to-point backbones between the major players, and then let others join only after their infrastructure and security practices pass muster. KEEPING this semi-private network secure will be the hard part- users will try to just keep on adding endpoints and functions. It has to be kept small.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group