By C. Todd Lopez
TAMPA, Fla. (Aug. 03, 2010) -- Protection of the nation's computer networks requires focus on four key areas, said the director of the National Security Agency.
During the first day of the 2010 Armed Forces Communications and Electronics Association's "LandWarNet" conference, Aug. 3, in Tampa, Fla., Gen. Keith B. Alexander, commander, U.S. Cyber Command and director of the National Security Agency, discussed both threats to the DOD computer network and suggestions on how to secure it.
Dynamic protection of the network, the general said, involves a four-pronged approach to protecting a network with as many as 7 million attached computers.
1: Hunt for malicious software
First among those aspects, he said, is defending the network in the same way the Army might protect an area of land it has captured on the ground.
"Inside our networks, just like we would do in physical combat, we have to have folks that are hunting inside our networks," he said. "Give the system administrators, our network operators, weapons to hunt inside our networks for malicious software and malicious actors, to destroy them."
2: Protect network borders
At the edges of the network, where users interface with network capabilities, there need to be systems in place that can provide real-time notification of malicious activity to those charged with protecting it, he said.
"We have to have an interactive device at the boundary," he said. "And that interactive device capability has to be able to talk to those network hunters inside our network and our foreign intelligence capabilities and law enforcement and others outside our network."
3: Partner with stakeholders
Also key to protecting the network, he said, is to have strong partnerships with stakeholders in the network. That includes allies and other government agencies.
"We have to, with our allies, be able to see what is going on with the global network so we can provide real-time indications and warning to our defensive capabilities."
4: Establish rules of engagement (ROE)
Finally, he said, those protecting the network need to be able to defend it when threats arise. That means equipping them with rules of engagement that spell out what they are allowed to do, both defensively and offensively, without having to go through costly efforts to propose defensive plans and seek approval for actions they should take.
"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us," he said. "You need autonomous decision logic that's based on the rule of law, the legal framework, to let network defenders know what they are allowed to do in the network's defense."
The general spoke to what was claimed to be a record audience of attendees at this year's LandWarNet conference. An estimated 9,000 Soldiers and information technology experts from the private sector are in attendance at the three-day event.
Know the threat
The general spoke at length about the threats to military networks. He said the threat environment today affects more than 7 million computers on more than 1,500 individual DOD networks.
"On any given day, our networks are probed over 250,000 times an hour," he said. That comes to about six million times a day. Additionally, over 140 foreign intelligence organizations are actively attempting to penetrate U.S. computer networks. And according to a figure from the network security company Symantec, the cost of cybercrime has exceeded $1 trillion, he added.
Threats to the network have evolved, he said, from exploitative threats, to disruptive threats, to destructive threats.
Using networks to take money or information, for instance, is exploitative. To deny service to networks is disruptive. In 2007, for instance, the national networks in Estonia were nearly shut down by distributed denial of service attacks, suspected to be the doing of unhappy Estonians of Russian descent voicing outrage at the removal of a bronze statue of a World War II Soviet soldier.
Destructive threats evolving
It is destructive attacks against networks, said Alexander, that have him concerned the most.
"It's only a small step to go from disrupting to destroying parts of the network," he said. "If you think about our nation, our financial systems, our power grids -- all of that resides on the network. Our government, our defense department, our intelligence community, all reside on the network. All of them are vulnerable to an attack like that. Shutting down that network would cripple our financial system."
One such destructive threat he warned of, and asked industry for assistance on, is the potential for "kill switches" in computer hardware.
"Hardware kill switches in many of these computers are now something that anybody could put in," he said. "It's very difficult to detect. Those kill switches, or logic bombs in your network, are some of the things that we are going to have to figure out for the Defense Department, our government."
In systems the military buys from contractors, for instance, there are sometimes hundreds or thousands of microchips. Those chips are now often built by third-party manufacturers. It is difficult for the military, or even for the contractors who build the systems, to determine everything such a microchip can do. It is possible, for example, for such a microchip to be built with backdoor logic that causes it to fail at a specific time -- a kill switch -- which ultimately affects the system it resides in.
Visibility of the entire network is also a problem. Today, Alexander said, the DOD cannot see the entire network. It is not enough, he said, to know there's antivirus software residing on the end-user's computer system -- at its best, antivirus and other methods in place today can only provide about 80 percent protection.
"What are you going to do for the rest of that, where adversaries are operating," he asked. "If you can't see them all, how do you react to somebody that's trying to get into one of them? How do you know where they are? We don't have situational awareness of our networks -- real time, situational awareness, and the ability to take action."
What is critical, he said, is that the entire network be visible, so that defenders can monitor what is going on and where. The DOD needs a common operating environment to create a baseline of what is normal, he said, in order to get that edge-to-edge visibility.
U.S. must take lead
Alexander also said that it was the United States that invented the Internet, and that the United States must lead the charge to protect it.
"How are we going to operate and defend that Internet," he asked. "We're the folks that started it, we ought to get down to securing it."
Securing the Internet, he said, requires great minds. It also requires a partnership, within government, to include the Department of Defense, the intelligence community and the Department of Homeland Security, for instance. It also requires partnerships with America's allies, and with industry.