Can the Air Force Change the Internet Rules of Engagement?

By Larry Seltzer  |  Posted 2008-11-04 Print this article Print

The Air Force may want to stuff the Internet security genie back in the bottle, but it's too late for that. If the U.S. military wants a network where attackers don't roam free, it'll have to make its own.

It's ironic, as Wired says, that the U.S. military finds its networks under constant attack through the Internet. The U.S. military was instrumental in creating the Internet, and many of the key mistakes were made back then.

Now the Air Force Research Laboratory has announced its "Integrated Cyber Defense" program, an attempt to fix the problems. "The 'laws' of cyberspace can be rewritten, and therefore the domain can be modified at any level to favor defensive forces," proclaims the AFRL's announcement of the program.

Of course, it's too late to fix them. The mistakes, including many key protocol weaknesses, are part of the framework of the Internet. The military can change its own rules; implement a parallel network with different rules perhaps, or perhaps a virtual network on top of the Internet; but it can't change the rules for everyone else.

I toyed with this idea many years ago, particularly with respect to e-mail. E-mail is an instructive example; SMTP is perhaps the most important application protocol on the Internet and we have known for many, many years that making it authenticated in some fashion would give us tools to fight spam and other e-mail abuse.

Attempts to improve SMTP in this way have, for the most part, failed. Why? Because it's too late. You can't force people to adopt the changes and you have to continue service to those who won't adopt them. And, to be fair, there are some legitimate disputes about the best way to implement changes. But if it were possible to force a real change, a consensus would be found on what it should be.

And that's just e-mail. Look at some of the other, more basic changes for the Internet that are going nowhere, DNSSEC and IPv6 being at the top of the list. One senses, when reading the AFRL document, that IPv6 and DNSSEC would be minor changes in its scheme. The AFRL's goals include:

  • Threat traceback and attribution (to include determination of intent)
  • Threat geolocation
  • Measurement and control of adversary perception of Air Force network capabilities
Such capabilities are not present in current Internet protocols. As they say in the Air Force, Aim High.

The Air Force is also interested in designing ways to avoid attack rather than defending against it, much as spread spectrum used to be a stealth communication technique. I'm not impressed: The services have to be accessible to someone in order to be useful, and the rules for accessing them will be the key to finding ways to attack them.

I'm being a bit cruel and dismissive, but there may be value in starting out with a vision of where you'd want to be without at first constraining yourself. And many of the aims in the document are not as pie-in-the-sky as others. It's the pie that makes the document read so fancifully. I certainly hope nobody there really thinks the AFRL can change every insecure system out there or, in the alternative, cut them off.

What's even stranger than the technically infeasible goals is the notion that we can change the rules at this point to change the situation on the ground, as it were. The fact is that attackers have the initiative in the Internet and nothing that is practically conceivable will change that. The fact is also that anonymity, officially or through subterfuge (as with bots), is also the rule on the Internet, and nothing is going to change that.

Yes, it's a depressing world view for warriors on the Internet. No good soldier wants to spend all his or her time on defense. But the Internet is not a secured area; far from it. If they want a network where attackers don't rule they'll need to start a new one. That at least is a defensible position.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel