The Air Force may want to stuff the Internet security genie back in the bottle, but it's too late for that. If the U.S. military wants a network where attackers don't roam free, it'll have to make its own.
It's ironic, as Wired says,
that the U.S.
military finds its networks under constant attack through the Internet. The U.S.
military was instrumental in creating the Internet, and many of the key
mistakes were made back then.
Now the Air Force Research Laboratory has announced its "Integrated
program, an attempt to fix the problems. "The
'laws' of cyberspace can be rewritten, and therefore the domain can be modified
at any level to favor defensive forces," proclaims the
AFRL's announcement of the program.
Of course, it's too late to fix them. The mistakes, including many key
protocol weaknesses, are part of the framework of the Internet. The military
can change its own rules; implement a parallel network with different rules
perhaps, or perhaps a virtual network on top of the Internet; but it can't
change the rules for everyone else.
toyed with this idea many years ago,
particularly with respect to e-mail.
E-mail is an instructive example; SMTP is perhaps the most important
application protocol on the Internet and we have known for many, many years
that making it authenticated in some fashion would give us tools to fight spam
and other e-mail abuse.
Attempts to improve SMTP in this way have, for the most part, failed. Why?
Because it's too late. You can't force people to adopt the changes and you have
to continue service to those who won't adopt them. And, to be fair, there are
some legitimate disputes about the best way to implement changes. But if it
were possible to force a real change, a consensus would be found on what it
And that's just e-mail. Look at some of the other, more basic changes for
the Internet that are going nowhere, DNSSEC and IPv6 being at the top of the
list. One senses, when reading the AFRL document, that IPv6 and DNSSEC would be
minor changes in its scheme. The AFRL's goals include:
- Threat traceback and
attribution (to include determination of intent)
- Threat geolocation
- Measurement and control of
adversary perception of Air Force network capabilities
Such capabilities are not present in current Internet
protocols. As they say in the Air Force, Aim High.
The Air Force is also interested in designing ways to avoid attack rather
than defending against it, much as spread spectrum used to be a stealth
communication technique. I'm not impressed: The services have to be accessible
to someone in order to be useful, and the rules for accessing them will be the
key to finding ways to attack them.
I'm being a bit cruel and dismissive, but there may be value in starting out
with a vision of where you'd want to be without at first constraining yourself.
And many of the aims in the document are not as pie-in-the-sky as others. It's
the pie that makes the document read so fancifully. I certainly hope nobody
there really thinks the AFRL can change every insecure system out there or, in
the alternative, cut them off.
What's even stranger than the technically infeasible goals is the notion
that we can change the rules at this point to change the situation on the
ground, as it were. The fact is that attackers have the initiative in the
Internet and nothing that is practically conceivable will change that. The fact
is also that anonymity, officially or through subterfuge (as with bots), is
also the rule on the Internet, and nothing is going to change that.
Yes, it's a depressing world view for warriors on the Internet. No good soldier
wants to spend all his or her time on defense. But the Internet is not a
secured area; far from it. If they want a network where attackers don't rule
they'll need to start a new one. That at least is a defensible position.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take
a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.