Is an 'alternate Internet' the only refuge from mounting threats?
An FBI official suggests that a separate domain that would allow attribution of activities could provide a level of security that has not been attained on the Internet.
The rapid adoption of mobile computing is creating vulnerabilities and threats faster than they are being addressed, a panel of industry and government experts said on May 18.
“Mobile is hot, and it will remain hot,” said John Landwehr, Adobe Systems’ senior director of security solutions and strategy.
Landwehr said that mobile, wireless access to the Internet is likely to surpass wired access as early as the end of this year, and most mobile devices do not have the same level of security as laptop and desktop PCs. “That is going to cause the security landscape to shift very quickly,” he said.
Those statements, made at the FCW Federal Executive Briefing on risk mitigation, were not surprising, but a solution proposed by Steven Chabinsky, deputy assistant director of the FBI’s Cyber Division, was potentially controversial. He suggested that what is needed is an alternate network architecture that provides greater visibility and less privacy.
Chabinsky said the problem today is that the Internet is using a single set of rules in which requirements for privacy and anonymity trump assurance and attribution. This is fine for protecting civil liberties but inadequate for running processes with conflicting security needs. On some systems, such as those using sensitive information or controlling physical processes in critical infrastructure, it is more important to know exactly who is on a network and to be able to see exactly what they are doing.
The concept of separating networks for greater security is not new. For decades, Supervisory Control and Data Acquisition (SCADA) systems were protected by the fact that they were usually proprietary systems not connected with the Internet or other networks, and difficult to breach or compromise. When legacy SCADA systems began to be replaced with standards-based networking equipment connected to the enterprise network and the Internet for greater convenience, they became more vulnerable.
Chabinsky stopped short of suggesting a separate Internet or proposing a specific architecture, but said that a separate domain that would allow attribution of activities could provide a level of security that has not been attained on the Internet despite advances in government and private-sector cooperation.
One of the growing threats identified by Chabinsky is the market for expertise and logistics resources that criminal organizations are developing. This know-how now is being used primarily for theft and fraud in the pursuit of profits. But the same skills could be peddled to nation states or terrorist organizations for use in espionage, terrorism and cyberwarfare, he warned.
“Terrorist organizations are showing an interest in cyber,” he said. Although they have not yet displayed the skills needed to launch significant cyber attacks, “they are not idiots,” he said. “Don’t sell them short.”
Chabinsky also warned that a rush to cloud computing could add an additional layer of vulnerability for enterprises.
“There is no such thing as safe and secure cloud computing, because there is no such thing as safe and secure computing,” he said.
With most current cloud service contracts, the service provider assumes no liabilities and makes no guarantees about the security of the systems and data, but the customer, who has responsibility for security, does not have control over or visibility into the infrastructure.
Mark Belk, director of federal cybersecurity for Juniper Networks, said that the growing use of personal mobile devices in the enterprise is creating problems because such devices typically are not locked down or managed by the enterprise. To respond to this trend, security needs to be pushed down to the application and content layers, with tools to analyze behavior and identify and flag anomalous activities, he said.