Thursday, July 15, 2010

Defending the Presently Indefensible

DoD’s 7 million machines linked through 15,000 networks are exposed to unauthorized probes more than 6 million times a day, according to Gen. Keith Alexander.

It is only a matter of time before another worm similar to Conficker sneaks into the DoD. It will look for gaps in firewalls and for computers with weak passwords or without the latest security updates. There will always be some computers that are compromised and then commanded remotely to propagate malware. A more virulent form of attack on DoD computers is the “bot”: hard-to-detect robotic software that now occupies tens of thousands of computers parked on the Internet. Bots can be directed by their controllers to execute subversive missions that could impair DoD war-fighting operations, and they self-propagate once they have gained network access.

Gen. Alexander advocates the establishment of “situational awareness” as the first step in countering threats to the DoD network. Accordingly, DoD must possess a “common operating picture” of its network. These are good ideas, but they leave open the question of how to proceed with implementation. What is the cyber defense program schedule? How can the DoD afford to create 99.9999% reliable security perimeters? How will the Cyber Command reallocate security funding that now consumes over 10% of IT spending while not delivering demonstrable security?

Advocating network consolidation appears to be an obvious remedy. However, it is hard to execute in short order, especially if funds are limited and the intensity of assaults is rising faster than the ability to mount defenses. DoD networks are wedged into legacy applications, which are controlled by hundreds of local bureaucracies and by thousands of contractors. Budget-squeezed network operators do not have the funds to invest, across thousands of separate applications, in defenses against increasingly aggressive attackers.

The ideal solution is to expose the DoD to the Internet through only a small number of extremely well-defended perimeters. Generating the cash savings that would fund such an investment would require the virtualization of all computer services. That, in turn, would require disentangling application software from its respective CPUs, data and communications in order to form separate pools of well-protected resources.

It is hard to see how DoD could commit itself to pursuing a centrally managed program to achieve virtualized systems under the technical and financial guidance of the Cyber Command. The creation of a unified DoD network will require changes in the organization of IT resources.

Although DoD will ultimately be driven to adopt such a solution for security and financial reasons, in the immediate future the best option is to start “herding” major DoD applications in the desired direction through encapsulation of legacy systems into a private cloud.

SUMMARY

Fifteen thousand separately managed networks that connect over seven million computers are indefensible. Though the Cyber Command may proceed to improve security by means of policy and standards alone, there are insufficient people and funding to safeguard DoD networks by such methods.

The Cyber Command must immerse itself in the operational control of unified DoD networks. The objective of creating shared pools of resources that can be protected in a secure cloud may be distant. Nevertheless, a start in the desired direction can be made now through rapid encapsulation of legacy applications into a version of the cloud that performs as infrastructure-as-a-service.

For comments please e-mail paul@strassmann.com