FBI Wishes for a Network Security Utopia That Can Never Exist

News Analysis: While it's true that a totally secure alternate Internet will protect against hackers and terrorists, by the time it's expanded to cover everybody it won't be secure for anybody.

When Shawn Henry, FBI executive assistant director, suggested during a conference in Baltimore that a second, secure Internet be created to protect critical infrastructure against increasingly sophisticated attacks, he made a good point. A separate secure network could help reduce serious attacks. However, he's wrong when he suggests that this might somehow insulate this infrastructure from attacks. All it means is they will come from a different direction.

There are several holes in Henry's plan. First of all, to create a secure network you can only allow secure organizations to connect to it. But Henry wants this network to be used by power plants, banks, and other companies and organizations where an attack could seriously damage the national interest. This might be a good idea, but you would have to keep the power plants and banks from using it.

The big problem in creating such a secure version of the Internet is that it's open to organizations that have no security capability of their own in the case of power plants or no effective network security in the case of banks.

Right now, power stations hire people who are supposed to be very good at running power plants. There isn't and never has been any significant effort to implement the necessary security infrastructure and required practices and training used by (for example) the FBI.

This means that you'd have workers with no security clearance, no background check that relates to data security and no training in security with access to the supposedly secure network. How long do you think it might be before someone who works for a power company decides to fiddle with the secure network? Maybe a week?

Financial institutions are supposed to have at least some level of security, but do they really? Let's see if we can count the number of data breaches that have happened to such institutions in the last 10 years or even in just the past 12 months. Can't count that high? Neither can I.

The problem with creating a secure network such as the one Henry envisions is that every part of it needs to be secure. It doesn't help if the network itself is secure if the institutions attached to it are insecure. Even if these institutions are extremely careful, a leak is bound to happen, probably sooner rather than later.

Henry's other suggestion at the conference was that sensitive systems be taken completely off the Internet. This is the approach used by the Iranian government to protect the computers that controlled its uranium centrifuges. There was absolutely no connection between the computers that controlled the machines and the outside world. But then came Stuxnet. Someone should ask the Iranians how well that separation worked for them.