October 2011

Is a separate highly secure Internet needed?

According to a Yahoo! News article, an FBI official has suggested that "one way to protect critical utility and financial systems would be to set up a separate, highly secure Internet." FBI executive assistant director Shawn Henry refines this notion by explaining that security threats against critical infrastructure cannot be solved by throwing more technology at the problem, and adds that eliminating anonymity is also an important consideration. Gen. Keith Alexander, director of the National Security Agency, weighs in, calling for Pentagon and intelligence agencies to improve security. Alexander adds that "when a computer network is infected, someone should be able to disconnect it".


A colleague on a security mailing list stimulated a lively discussion by asking whether it's possible to build such a network, tempting the list members with that all-powerful aphrodisiac - unlimited funding - and the equally compelling incentive, "and your life depends on solving the problem."

My answer (somewhat refined from my post) is:

Not with current, commercially available technology, software and user behavior.

The Myth of Unlimited Resources

Even with limitless funding, and even if you were to start from scratch, adopting all the trusted computing and networking paradigms we have considered in various forums over the years, I am still skeptical that you would accomplish what you seek. While commercial vendors and government-approved contractors may cringe at the thought of turning down the challenge of exhausting limitless funding, Henry is correct when he says "We can't tech our way out of the cyberthreat". But rooting out anonymity and insisting on having the ability to decouple burning cars from the train are themselves essentially "tech" responses.

Limitless funding is a siren's call. By combining this with a missive as visceral as "your life depends on finding a solution", you may rally the troops, but you are very likely to fail because you have omitted a fundamental consideration:


Photo by spikenzie

We can't secure the human OS

We have very little knowledge of how to secure the human OS. Until you can secure the human OS, you cannot expect to dramatically reduce the threat landscape.

The solution to securing the human OS doesn't involve carving out separate secure networks - and there would eventually be many, not just one. For example, you could significantly reduce the likelihood of falling victim to a compromise of your online banking if you were to use a live (bootable) CD, enable a network adapter, launch a browser, and only connect to your bank. For some banks, you'd even be challenged to establish your machine ID each session. Some folks would be happy to do this (I do...) but the solution does not scale to large populations of impatient users.

Be certain that you can secure the human OS and that you can take that security model to scale, or you are simply reinventing the wheel.


USB Home Malware Test Kit

Leveraging the success of the USB Home Pregnancy Test Kit, Malweradicator, a new player in the antivirus market, has adapted this "make it better by throwing hardware at the problem" strategy and has developed a USB Home Malware Test Kit.

A company spokesperson claims the Malweradicator is OS-agnostic and is capable of detecting infections on systems running Windows, Linux, and Mac OS. Future releases will include iOS, Android, and other tablet OSs. The company has yet to formally announce availability for the product. Parties close to Malweradicator hint that a 1 April 2012 release date is likely.