Critical infrastructure

Secure network for critical infrastructure idea draws fire

Published 27 September 2010

The Obama administration wants to develop a secure computer network to defend civilian government agencies and critical civilian infrastructure and industries; the restricted network would allow the government to provide greater protection to vital online operations and critical infrastructure — such as financial networks, commercial aviation systems, and the national power grid — from Internet-based attacks; critics say this ambitious idea is impractical

The leader of the U.S. Cyber Command wants to develop a secure computer network to defend civilian government agencies and critical civilian infrastructure and industries.

Gen. Keith Alexander, who has dual responsibilities as commander of the Cyber Command and director of the National Security Agency (NSA), testified on 23 September before the House Armed Services Committee about the new command’s role in defending federal and commercial networks. He suggested the creation of a restricted network that would allow the government to provide greater protection to vital online operations and critical infrastructure — such as financial networks, commercial aviation systems, and the national power grid — from Internet-based attacks.

The New York Times reported that the proposed network, which Alexander referred to as “a secure zone, a protected zone,” would provide essential civilian government and commercial networks with protection similar to secret military and diplomatic communications networks. He did not say, however, where the boundaries between this new secure network and the Internet would be or how appropriate user access would be granted. He added that the White House is working on a policy review to determine the best approach and whether it will require Congress to grant new powers.

Henry Kenyon quotes Martin Libicki, a senior management scientist at Rand Corp., as saying that Alexander’s proposal skimps on specifics. “Security costs money,” he said.

Any person or agency interested in buying security systems must first analyze the value they are going to get for the cost, Libicki said. “I’m impressed by the lack of hard economic analysis I see on this stuff,” he added.

Libicki said the key problem with cybersecurity is that it is an engineering issue. When someone talks about cyber issues to Congress or any other audience, they are discussing engineering issues that often go over the heads of the audience — and sometimes, even of the speakers. “It’s an engineering issue where you don’t have the intuition of the physical world,” he said. “So you either end up losing Congress or you end up oversimplifying matters.”

Another issue is secrecy. Someone involved in intelligence or defense, as Alexander is, is constrained from painting the full picture by the need to keep some things concealed. “You thought it was tough to understand before,” Libicki said. “Wait until I only tell you half of what you need to know, and then it becomes even harder.”

He said, though, that the two key steps for establishing cybersecurity are determining what to protect and whom to trust. “People spend ungodly large sums of money fixing computer systems when they haven’t asked themselves the first two questions because that’s difficult,” he added.

A report in the Washington Post noted that any solutions presented by the Obama administration to protect the private sector will have to involve companies.

“If we’re going to defend networks that are owned and operated in part by industry, the solution can’t be a government-only solution,” Alexander said. “It has to be joint. How do you do that? That’s the key issue.”

He added, “There’s a real probability that in the future this country will get hit with a destructive attack, and we need to be ready for it.”

Kenyon writes in Defense Systems that providing adequate levels of security for such a new network would likely require the creation of a multi-agency team that would include the FBI, DHS, and Defense Department. Each agency has its own authorities, and determining how such a group would work together would be a challenge.

Some critics believe such a massive defensive infrastructure would be impractical. Joe Weiss, an expert on securing control systems in critical industries, told the Washington Post, “It would be very difficult to try to interconnect all these different companies including the government. This isn’t just one entity where you walk a wire around Potomac Electric. You have all the neighboring utilities that you need to connect to. You would also have all the other major industrial operations — and with Smart Grid, conceptually, every homeowner. This is not simple.”