WASHINGTON–The U.S. government has a lot of money. Not as much as it used to have, of course, but still, it has a lot. It also has a lot of computers and servers and routers and other things that move and store data. In fact, it has so many that it doesn’t really know what all of them are doing at any given time. That’s turning into a fairly thorny security problem for some of the country’s more vital networks, and even the most well-funded agencies are having a hard time addressing it.
Washington, more than just about any other city in the U.S.–aside from maybe Orlando and Hershey, Pa.–is a company town, and as the government goes, so goes the mood of the citizens. The federal government’s budget problems are hitting this city hard, and it’s a constant topic of conversation among people both inside and outside the government. The country is trying to cut hundreds of billions or possibly a trillion dollars from the budget in the next few years, and that’s not good news for anyone here. And it’s an especially painful prospect for the folks charged with securing and defending the government’s networks, because they’re having a difficult enough time of it as it is.
One of the more common problems network security staffs have is trying to get a good view of what’s actually happening on their networks. They get bits here and pieces there, but a complete picture can be difficult to come by. As it turns out, the CIA has the same problem. The agency, whose mission is to know what’s going on around the world at any given moment, doesn’t have any secret recipe or black box giving its security personnel deep insights into network activity. It’s struggling, just like everyone else is.
“One of the big challenges we have is the lack of interoperability between security products. We spend a lot of time integrating tools, looking for changes in firmware and software, and all of the vendors are all over the map when it comes to some of these things, like what they call the insider threat,” Robert Bigman, chief of the Information Assurance group at the CIA, said during a panel discussion at the SINET Innovation Showcase here Wednesday. “We have no idea what’s going on on some of our networks, not because we’re not trying, but because we don’t have the tools to do it.”
That’s a statement that could have come from a network security specialist or IT manager in any sufficiently large enterprise in any industry. Networks have a way of expanding and morphing and growing appendages, and as they do, it becomes increasingly difficult to keep a handle on each device and user and what’s happening on each segment of the network. This is a problem on even moderately large enterprise networks, and it’s an exponentially larger problem on the massive, distributed networks run by the government and military.
To give it some perspective, Richard Hale, deputy CIO for identity and information assurance at the Department of Defense, said during the panel discussion that his department has seven million devices with IP addresses on its networks. That’s a network with the device population of the city of Bangkok. Trying to keep a consistent picture of a network that size–or of the unknown size of the CIA’s–is no one’s idea of a good time. These networks are under constant attack, and given the mission of the agencies using them, there are no minor compromises. Any intrusion could turn into a major event.
Nevertheless, these agencies are defending their networks with essentially the same tools and tactics as everyone else, and from the sound of things in Washington, they’re looking for help, just like everyone else is. The current generation of defenses and techniques just isn’t cutting it. Perhaps that’s why many of the speakers here were advocating a return to some older ideas, but with a bit of a modern twist. Bigman and Hale both talked about the need for a new secure operating system, starting from the ground up and designing the OS with security in mind from the beginning. And Gen. Keith Alexander, director of the NSA and commander of the U.S. Cyber Command, said that his group is looking at ways to put a kind of protective bubble around sensitive government and critical infrastructure networks. It’s a variation on the old idea of having separate networks for separate tasks, which the government already has for some classified functions.
“How do we protect government and critical infrastructure? Technically, we know we can improve security with this model,” Alexander said of the idea, which he termed “Protected Space”.
How that space is protected is the question, as is how long it would take attackers to figure out a way in. Judging by current events, likely not all that long.