The U.S. Department of Defense may have funded the research that led to the Internet, but freewheeling innovation created the patchwork of privately owned technology that makes up the Internet today. Now the U.S. government is trying to wrest back some control, as it adjusts to an era when cyberattacks on U.S. corporations and government agencies are common.
At the RSA computer security conference yesterday, representatives of the White House, U.S. Department of Defense, and National Security Agency said that safeguarding U.S. interests required them to take a more active role in governing what has been a purely commercial, civilian resource. But some experts are concerned that the growing influence of defense and military organizations on the operation and future development of the Internet will compromise the freedom that has made it a success.
The DoD is being compelled to remove half a trillion from its budget in the next decade, but spending on cyber defense will increase, said deputy secretary of defense Ashton Carter in a keynote at the conference. “Ships, planes, ground forces, lots of other things are on the cutting room floor, not cyber,” he said. “The investments are at the level of several billion, [and] we are continuing to increase our investments.”
Comments made by colleagues of Carter later in the day made it clear that this cash will not just be used to strengthen government systems. The NSA and DoD intend to shape the way private companies build and use Internet infrastructure, and to have corporations help them more actively detect attacks and clean up after one does take place.
“Our systems are dependent on security products and infrastructure from the private sector,” said Debora Plunkett, director of the NSA’s Information Assurance Directorate, which oversees cybersecurity for all national security systems. She said that the NSA wanted to encourage private companies to automate the tedious, manual, and often neglected basics of securing computer networks. “We need industry’s help,” she said. “We’re spending too much time on network hygiene: missing patches, poor passwords, known vulnerabilities.”
The kind of automation Plunkett wants to see would significantly change the way Internet infrastructure functions. It should be possible, she said, for a company or agency to quickly instruct pieces of network hardware to drop connections or isolate computer systems when an attack hits, something that goes against the tradition of Internet hardware being independent and not easily subject to centralized control. Well-funded startup company Nicira recently launched technology that might achieve some of that, and it is known to be working with U.S. intelligence agencies.
Plunkett also said that she hoped the NSA could develop and encourage use of technology that makes mobile devices more secure, inside and outside of government. “One of my biggest priorities is delivering secure smart phones and tablets,” she said. Although government departments are—like many in the private sector—ditching their BlackBerrys for smart phones running Apple or Google software, the latter are considered to be relatively low-security devices that can be weak points that let attackers in.