Can the Air Force Change the Internet Rules of Engagement?

The Air Force may want to stuff the Internet security genie back in the bottle, but it's too late for that. If the U.S. military wants a network where attackers don't roam free, it'll have to make its own.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

It's ironic, as Wired says, that the U.S. military finds its networks under constant attack through the Internet. The U.S. military was instrumental in creating the Internet, and many of the key mistakes were made back then.

Now the Air Force Research Laboratory has announced its "Integrated Cyber Defense" program, an attempt to fix the problems. "The 'laws' of cyberspace can be rewritten, and therefore the domain can be modified at any level to favor defensive forces," proclaims the AFRL's announcement of the program.

Of course, it's too late to fix them. The mistakes, including many key protocol weaknesses, are part of the framework of the Internet. The military can change its own rules; implement a parallel network with different rules perhaps, or perhaps a virtual network on top of the Internet; but it can't change the rules for everyone else.

I toyed with this idea many years ago, particularly with respect to e-mail. E-mail is an instructive example; SMTP is perhaps the most important application protocol on the Internet and we have known for many, many years that making it authenticated in some fashion would give us tools to fight spam and other e-mail abuse.

Attempts to improve SMTP in this way have, for the most part, failed. Why? Because it's too late. You can't force people to adopt the changes and you have to continue service to those who won't adopt them. And, to be fair, there are some legitimate disputes about the best way to implement changes. But if it were possible to force a real change, a consensus would be found on what it should be.

And that's just e-mail. Look at some of the other, more basic changes for the Internet that are going nowhere, DNSSEC and IPv6 being at the top of the list. One senses, when reading the AFRL document, that IPv6 and DNSSEC would be minor changes in its scheme. The AFRL's goals include:

  • Threat traceback and attribution (to include determination of intent)
  • Threat geolocation
  • Measurement and control of adversary perception of Air Force network capabilities

Such capabilities are not present in current Internet protocols. As they say in the Air Force, Aim High.

The Air Force is also interested in designing ways to avoid attack rather than defending against it, much as spread spectrum used to be a stealth communication technique. I'm not impressed: The services have to be accessible to someone in order to be useful, and the rules for accessing them will be the key to finding ways to attack them.

I'm being a bit cruel and dismissive, but there may be value in starting out with a vision of where you'd want to be without at first constraining yourself. And many of the aims in the document are not as pie-in-the-sky as others. It's the pie that makes the document read so fancifully. I certainly hope nobody there really thinks the AFRL can change every insecure system out there or, in the alternative, cut them off.

What's even stranger than the technically infeasible goals is the notion that we can change the rules at this point to change the situation on the ground, as it were. The fact is that attackers have the initiative in the Internet and nothing that is practically conceivable will change that. The fact is also that anonymity, officially or through subterfuge (as with bots), is also the rule on the Internet, and nothing is going to change that.

Yes, it's a depressing world view for warriors on the Internet. No good soldier wants to spend all his or her time on defense. But the Internet is not a secured area; far from it. If they want a network where attackers don't rule they'll need to start a new one. That at least is a defensible position.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.