I have been working with Mike Daniels on a new book about Network Solutions and the commercialization of the Internet. Our research has included interviewing many of the people who were instrumental in the development and commercialization of the Internet — from its beginnings within ARPA, up to the point that SAIC sold Network Solutions to VeriSign.

One of the topics that comes up over and over is Internet security, and the potential threat to our national security. It was therefore with much interest that I followed Defense Secretary Gates’ announcement last week of a new Cyber Defense Command within the Pentagon.

This is good news, as the new command will presumably centralize much of our nation’s efforts to defend against attacks on our critical information technology systems as a part of the U.S. Strategic Command in Omaha. This command is currently responsible for commanding operations in nuclear and computer warfare. The goal is to get the Cyber Defense Command up and running within a year and a half.

The commander will be the current director of the National Security Agency, Lt. Gen. Keith Alexander. According to Verisign, the company — which is the keeper of the Internet’s A server — is hit by more than 2 million hacker attacks a day. Cybercriminals and terrorists — some sanctioned by foreign governments — are on the rise. I think the new Cyber Defense Command will have its hands full.

I recently learned that Russia has proposed a new international treaty for cybersecurity. I was not surprised, however, to learn that the U.S. and Russia have different priorities when it comes to drafting the proposed treaty.

While the Russian administration argues that there should be an international treaty for cyberspace, much like previous treaties for the use of chemical weapons, the Obama administration has stated that such a treaty is unnecessary. Obama’s approach would be to improve cooperation among international law enforcement organizations.

I do not know exactly what a cyberspace treaty would cover and how it would be verified and enforced. According to one article I read about this topic, Russia proposes to ban countries from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war.

In my opinion, rogue nations would be unlikely to sign onto the treaty, and even those countries that did sign the treaty could likely launch cyberattacks in ways that could not be easily detected. I am curious why Russia is pushing for the treaty, especially since the country has been implicated in highly disruptive cyberattacks on Estonia and Georgia.

Is it possible the Russians hope to disarm their potential adversaries, while reserving the right to engage in cyberwar for themselves? For some reason, I am reminded of an old story about a large, wooden Trojan horse.

– Bob


16 Responses to “Securing the Internet”

  1. Bob Wertheim

    Bob: I think your assessment of these challenges to national security is spot on. The new cyber warfare mission for the US Strategic Command is reflected in the tasking of the Strategic Advisory Group, of which I believe you are still a member. These are mostly in the “too hard” category for this ancient mariner but you should consider coming to the next plenary of the SAG and lend us a hand.

  2. Dick Shearer

    Bob;
    The Russians will adhere to the new treaty in the same way that they did with the treaty on biological warfare.
    {Set the Trojan Horse on fire – outside the city walls!}
    RTS.

  3. Blake Escudier

    Bob,
    I would also assume that the Russians would like to have the ability to “somewhat” legally charge people with criminal activity inside their own country. The idea of a treaty allows justification for taking action against people and countries. And it would protect their own people doing such work in foreign countries.

    I would think a recently evolving powerful position within most Embassy staff is the CTO – which can always be claimed as helping the country’s economic development for technology. The new cover for spying.

    Another area to discuss would be a country’s ability to negate electronic communication – this has come to light with the media reports that Iran shut down internet access prior to elections.

    If a country can lock down their own internet – why can’t a foreign country do it to them as well? Of course this brings up the question – can it be done?

    Whenever the US develops a new government program designed for protection – pretty much means the US has developed a program to do the same to others. (If I can hit you – it means I had better prepare myself from being hit back)

    From drums and smoke signals to global warfare.

  4. Paul A. Strassmann

    Dear Dr. Beyster:

    You are correct that the new CYBERCOM will centralize much of our DOD’s (not national) efforts to defend against attacks on defense information technologies.

    What is perhaps not sufficiently appreciated is the magnitude of the task to be accomplished. DOD’s 15,000 networks are fractured and insufficiently protected.

    Perhaps you may wish to have a look at a paper on
    http://www.strassmann.com/pubs/dod/cybersecurity-draft-v1.pdf
    for a glimpse of what needs to be done.

    Remaining with best (and fondest) regards,

    Paul

  5. Dr. Beyster

    Blake: I read your blog posting with interest. The Russians have probably the most highly perfected cybersecurity system in the world. This stems from their old Communist background, paranoia, and concern. The Brits of course are probably very conscious of cybersecurity since they have been burned by internal spies within their intelligence structure on several occasions. The success of a country’s ability to attack another country’s information infrastructure will depend on how much effort the country attacked has put into information security. Most countries have probably not done very much and are perfect targets for an information attack. Many countries have the capability now to attack the information grid of other countries. The nature of these attacks is becoming more and more sophisticated, and this is of concern both to the military and to the commercial world. Much needs to be done to improve our detection and remediation techniques on a continuing basis. — Bob

  6. Dr. Beyster

    Dick: Thank you for the entry in my blog. The Russians appear to be interested in promoting a new treaty with the US in the area of cybersecurity. It is my understanding that the US is not interested in such a treaty at the moment — why I don’t know. The statement from Washington is that we have put in place sufficient law enforcement mechanisms to mitigate the impact of cyber attack. Does your information differ from mine, and if so, could you tell me in what ways? — Bob

  7. Dr. Beyster

    Bob: Thank you for your blog entry and your reassurance that I have not totally lost contact with the real world on my evaluation of the challenges to national security. It’s a disappointment to me that people like you who are well informed feel that the remedy to cyber attacks is possibly too hard to implement. I shouldn’t say this, but I will certainly consider a visit to the next SAG plenary. I need to know when it is. Betty wants to get together with you sometime for a quiet dinner. Keep that in mind. I’d like to come too. — Bob

  8. Blake

    Bob,
    More of the same – who hit the US over the 4th weekend – and China shuts down a remote area to prevent the social networking – used to gather people together for protesting. Would the US ever do this to prevent the same – or does freedom of speech trump?

    In 2004 I had proposed to US Rep. Zoe Lofgren to help set up an internet security incubator in Silicon Valley. At the time the US Govt was more concerned with major security issues and was working with the likes of MIT/Carnegie Mellon etc. The San Jose Business Development was on its own. The purpose was to allow ground up development of security systems through entrepreneurship – we had Intuit and Symantec interested since they have a large small/mid business market. Of course all things come down to where’s the money coming from – and that stopped the idea. Heck we even had a facility – a hospital that closed because they couldn’t make cost effective repairs for earthquake prevention. Would have been interesting.

    Blake

  9. Bob Wertheim

    Bob:

    The next SAG Plenary is scheduled for 28-30 October 09. It would be great to get together with Betty (and you!) for a quiet dinner before then.

    Bob

  10. Dr. Beyster

    Paul: Thanks for sending me your paper — I’ll look forward to reading it. You were one of the first to flag the cybersecurity problem and you did a lot to help SAIC play a role in solving it. Again, I thank you for that. — Bob

  11. Wesley

    The Russian example reminds me of an old oil man’s tale about the US sabotaging the trans-Siberian oil lines with computer code way back in the old times. As the story goes, the Russians were spying on us trying to get their hands on the computer codes to control large oil pipe networks. The US found out and made a trojan-type code and let them steal it. After operating some time the code switched over and made an overpressurized point in the piping and kaboom!! Apparently the explosion was seen from satellite footage and measured with our nuclear weapons testing seismic instrumentation. It supposedly flattened out a large piece of land and created some fierce forest fires.

    This cyber security issue is going to go extreme in the nuclear industry. I think it could put a major burden on the utilities to be compliant. It raises endless questions. Will making a programming error be considered a potential act of terrorism?

    I am just smelling another boondoggle for money made out of needless and unrealistic fears. It is impossible to fully secure anything, especially the WWW, so why bother trying to do it . . . so people can make money off of “securing” it. Ultimately for nuclear energy it means more expensive energy and in the trickle down screw-the-little-man-onomics, the rate payer bears the burden. We all will pay more per month so that some OPs guy can surf the web while he is at work.

  12. steve billinghurst

    Bob,
    Could you please write a story about JRB associates? My boss was Jim Paine. The project was EPA Chemical Countermeasures. Paine is an expert on under ice oil spills. I left in 1985. I was a temp.

  13. Dr. Beyster

    Steve: JRB Associates was merged with SAI sometime in the 1970s. My recollection is that the activities of what is left of the organization are limited to the Cancer Institute contract, which we won within JRB Associates and then transferred to SAI. JRB Associates was originally meant to be our first attempt at working with commercial customers, and it was therefore set up as an independent organization separate from SAI. However, most of JRB Associates’ business turned out to be with the government and it eventually made no sense to keep it as a separate entity. It was merged into SAI when we learned how to handle multiple rate structures where I believe it became what was known as Company 2. — Bob

  14. Dr. Beyster

    Wesley: I enjoyed reading your tale of the sabotage of the trans-Siberian oil line. I had not heard that story before and do not know if it is true or not. The cybersecurity issue is real I think and the implications for the nuclear power industry in particular from computer-based attacks and sabotage could be quite a problem. I also believe people will make a lot of money trying to reduce the threat. Hopefully they will be successful. If we are able to avert an attack on one of our nuclear power facilities or a key part of our electrical power transmission network, then all the money we paid will have been worth it. Someone will have to pay the bill for this protection, either the rate payer or the government. There haven’t been any recent successful attacks against large targets that I’m aware of, though there have been numerous unsuccessful attacks. To date, security has been sufficient to avert disaster. — Bob

  15. Dr. Beyster

    Bob: Thanks for the blog message. I don’t know if I’m up to attending the SAG meeting, but I will consider it. I have spoken to Betty and we agree that we should get together for dinner with you soon. Maybe you and Betty can talk about this sometime. I’ll tell her and the two of you can take a look at a mutually satisfactory rendezvous point and time. — Bob

  16. Dr. Beyster

    Blake: I doubt if the U.S. government would ever shut down all or part of the Internet — it might be hard to do even if they wanted to. Nice try on setting up a security incubator in the Silicon Valley — it seems like a good idea to me. Too bad you were unable to secure the funding you needed to move it forward. — Bob
