News Analysis: While it's true that a totally secure alternate Internet will protect against hackers and terrorists, by the time it's expanded to cover everybody it won't be secure for anybody.
Shawn Henry, FBI executive assistant director, suggested
conference in Baltimore that a second, secure Internet be created to protect
critical infrastructure against increasingly sophisticated attacks, he made a
good point. A separate secure network could help reduce serious attacks.
However, he's wrong when he suggests that this might
somehow insulate this infrastructure
from attacks. All it means is they
will come from a different direction.
are several holes in Henry's plan. First of all, to
create a secure network
you can only allow secure organizations to connect
to it. But Henry wants this network to be used by power plants, banks, and
other companies and organizations where an attack could seriously damage the
national interest. This might be a good idea, but you would have to keep the
power plants and banks from using it.
big problem in creating such a secure version of the Internet is that it's open
to organizations that have no security capability of their own in the case of
power plants or no effective network security in the case of banks.
now, power stations hire people who are supposed to be very good at running
power plants. There isn't and never has been any significant effort to
implement the necessary security infrastructure and required practices and
training used by (for example) the FBI.
means that you'd have workers with no security clearance, no background check
that relates to data security and no training in security with access to the
supposedly secure network. How long do you think it might be before someone who
works for a power company decides to fiddle with the secure network? Maybe a
institutions are supposed to have at least some level of security, but do they
really? Let's see if we can
count the number of data breaches
that have happened to such institutions
in the last 10 years or even in just the past 12 months. Can't count that high?
Neither can I.
problem with creating a secure network such as the one Henry envisions is that
every part of it needs to be secure. It doesn't help if the network itself is
secure if the institutions attached to it are insecure. Even if these
institutions are extremely careful, a leak is bound to happen, probably sooner rather
other suggestion at the conference was that sensitive systems be taken
completely off the Internet. This is the approach used by the Iranian
government to protect the computers that controlled its uranium centrifuges.
There was absolutely no connection between the computers that controlled the
machines and the outside world. But then came Stuxnet. Someone should ask the
Iranians how well that separation worked for them.