
This page contains all of the posts and discussion on MemeStreams referencing the following web page: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks.

WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by Rattle at 2:55 pm EST, Jan 28, 2008

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.


 
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by Decius at 8:05 pm EST, Jan 28, 2008

Rattle wrote:

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Could it be related to this?


  
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by noteworthy at 9:11 pm EST, Jan 28, 2008

Rattle quoted WSJ:

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Then Decius asked:

Could it be related to this?

And by that you mean The Spymaster, which I recommended earlier this month. The article recommended by Rattle is here in full text. Significantly, the figure cited above is only the starting point:

The administration’s plan is to reduce points of access between the Internet and the government and to use sensors to detect intrusions displaying potentially nefarious patterns, said former top intelligence officials. The program would first be used on government networks and then adapted to private networks. Former officials said the final price tag is approaching an estimated $30 billion over seven years, including a 2009 infusion of around $6 billion, though those numbers could change significantly as the plan develops.

This Chertoff quote is either amusing or disturbing, depending on your perspective:

"There is a lot of thought being given to: How do you organize this in a way that protects an incredibly valuable asset in the United States but does it in a way that doesn’t alarm reasonable people, and I underline reasonable people, in terms of civil liberties?"

Finally:

The CIA and the Pentagon didn’t want other agencies mucking about ...

This tussle is referred to at the end of the Washington Post coverage just now recommended here.

What's silly here is that no one is talking about ROC curves. How can you even propose to monitor the open Internet? The human resources involved would be outrageous, no? Not quite as bad as having human telephone switch operators, but as presented, this proposal simply doesn't scale, and as such is not credible. The stated intention to "protect US networks from hackers" is not credible, because the proposed task cannot be resourced. How much can they really accomplish, anyway? Consider the following:

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection -- passive protocol analysis -- which is fundamentally flawed.

Maybe they intend to install normalizers at every access router in the US?

Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics

A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path of traffic into a site and patches up the packet stream to eliminate potential ambiguities before the traffic is seen by the monitor, removing evasion opportunities.

Of course even then you face The Eavesdropper's Dilemma.
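An added example, not part of the thread or of either cited paper: a toy Python model of the ambiguity the normalizer abstract describes, where a monitor and an end host resolve overlapping TCP data differently, and of an in-path normalizer that rewrites later copies to match what it already forwarded. The function names, the (offset, payload) segment model and the sample bytes are assumptions made for illustration.

```python
# Added illustration: toy model of TCP overlap ambiguity and a traffic normalizer.
# Segments are (stream_offset, payload) pairs; all sample data is constructed.

def reassemble(segments, policy):
    """Rebuild the byte stream; on overlap keep the 'first' or 'last' copy seen."""
    stream = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream))


def normalize(segments):
    """In-path normalizer: remember every byte already forwarded and rewrite
    any later copy of that position to match it, so no receiver policy can
    disagree. Returns (rewritten segments, offsets where copies conflicted)."""
    forwarded = {}
    out, conflicts = [], []
    for offset, payload in segments:
        fixed = bytearray(payload)
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in forwarded:
                if forwarded[pos] != byte:
                    conflicts.append(pos)      # inconsistent retransmission
                    fixed[i] = forwarded[pos]  # force the original copy
            else:
                forwarded[pos] = byte
        out.append((offset, bytes(fixed)))
    return out, conflicts


# Constructed sample: the second segment overlaps offsets 5-9 with different bytes.
SAMPLE = [(0, b"user=alice"), (5, b"guest"), (10, b";ok")]

if __name__ == "__main__":
    print("monitor (first-wins):", reassemble(SAMPLE, "first"))
    print("host    (last-wins): ", reassemble(SAMPLE, "last"))
    clean, conflicts = normalize(SAMPLE)
    print("conflicting offsets: ", conflicts)
    print("after normalizer:    ", reassemble(clean, "first"), reassemble(clean, "last"))
```

The conflict list is itself a detection signal: overlapping copies that disagree rarely occur in benign traffic, so a sensor can alert on them even without a normalizer in the path.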


   
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by Decius at 12:34 am EST, Jan 29, 2008

noteworthy wrote:
This Chertoff quote is either amusing or disturbing, depending on your perspective:

"There is a lot of thought being given to: How do you organize this in a way that protects an incredibly valuable asset in the United States but does it in a way that doesn’t alarm reasonable people, and I underline reasonable people, in terms of civil liberties?"

Presumably, the ACLU was being "unreasonable" when they asked that a few checks and balances be added to the Patriot Act, but on the other hand, the Administration was being perfectly "reasonable" when they concluded that the FISA doesn't apply to them and they should just ignore it outright. One wonders why they even bother to mention Civil Liberties. If there is some constraint upon executive power that these people accept beyond term limits and the continued operation of elections, I have absolutely no idea what it is.

Having said that, I certainly don't see a Civil Liberties problem with the government monitoring traffic sent to the government. The government certainly ought to be able to read things that people send it. Perhaps there might be some workplace privacy concerns for government employees in all of this but even that is a bit of a stretch.

But, then I didn't raise the Civil Liberties concerns. They did, and in an intentionally condescending way. Perhaps they raise Civil Liberties specifically as a means of scoring rhetorical points against their enemy in a context that no one is seriously concerned about.

In other words, their choice of wording is childish and partisan.

Now, if they wish to extend this monitoring to include the greater Internet, then perhaps I do have a problem. But there is no need. The ISPs ought to be doing that, and not the Government. The Government need not control the IPS systems that protect American consumers. They need only provide tax incentives such that those IPS systems are finally deployed, as they should have been years ago.

How can you even propose to monitor the open Internet? The human resources involved would be outrageous, no?

No. All of these Internet access points are already monitored. This is mostly a centralization of control, along with deployment of additional systems. The $6 billion here likely saves money elsewhere.

The first IPS paper you quoted was 10 years old, btw. Interesting in its time, certainly, but it's not as if modern systems are vulnerable to those attacks. The matter of evasion is a general problem that will continue to produce techniques and counter techniques, but I've got 1.3 billion dollars that says IPS is not an utter waste of time, as you seem to imply.


    
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by noteworthy at 7:35 am EST, Jan 29, 2008

Rattle quoted WSJ:

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Decius wrote:

Now, if they wish to extend this monitoring to include the greater Internet, then perhaps I do have a problem. But there is no need. The ISPs ought to be doing that, and not the Government. The Government need not control the IPS systems that protect American consumers. They need only provide tax incentives such that those IPS systems are finally deployed, as they should have been years ago.

DNI certainly intends to include the greater Internet. They seem willing to start off with the government systems. But McConnell also said that "95% of the problem lies with the private sector." The implication with this entire initiative is that the private sector isn't competent to handle this on its own, but the government is. One wonders about both halves of that view.

All of these Internet access points are already monitored. This is mostly a centralization of control, along with deployment of additional systems. The $6 billion here likely saves money elsewhere. The matter of evasion is a general problem that will continue to produce techniques and counter techniques, but I've got 1.3 billion dollars that says IPS is not an utter waste of time, as you seem to imply.

Please step away from the $6B -- the correct figure is 30 billion USD over seven years. You are just quoting the first year's expenditures.

I am aware of the publication dates on the papers I cited, and the intent was only to point to the general problem, not to make a specific claim about a specific product. I did not mean to imply that IPS is "an utter waste of time", only that a federally operated, highly centralized operation was not scalable and in any case would be duplicated by the customers who take their industrial security seriously. Nevertheless (at risk of being considered provocative) I can see why a vendor would salivate at the prospect of such a windfall, especially if, as a market leader, they would expect to win the competition for such services. How much better to sell 30B in systems and services at one fell swoop, instead of going about all onesy-twosy for years on end!

I refuse to believe that access points are already being "monitored" to the level envisioned by this proposal. If that were the case, this proposal would be moot. The problem is not so much about the installation of IPS sensors; that is straightforward enough. I can believe that the sensors are already in place. At Internet scale you may be able to spot roving packs of ruffians making messes of things, and you could shut them down / turn them off. But if they can do this, why do we still see million-strong botnets attacking with impunity?

Global-scale monitoring centers are not going to spot sophisticated spies using zero-day attacks to engage in highly targeted industrial espionage against lone machines. They will not detect attacks by trusted insiders, because there is no Internet traffic to be monitored.

There is an end-to-end argument to be made here. Your average consumer might be helped, but I can't imagine Citibank leaving it to the gratis "monitoring" services of their myriad ISPs around the world to protect their infrastructure.


     
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by Decius at 9:41 am EST, Jan 29, 2008

noteworthy wrote:
DNI certainly intends to include the greater Internet. They seem willing to start off with the government systems. But McConnell also said that "95% of the problem lies with the private sector." The implication with this entire initiative is that the private sector isn't competent to handle this on its own, but the government is.

It's really hard to square that perspective with Republican rhetoric about how the Government isn't competent to do anything. I'm being a bit histrionic, but clearly, "socialized" managed security services will seriously diminish or eliminate the existing competitive market for these services. If it's not OK for healthcare how could it be a good idea for firewalls? The Internet doesn't even kill people!

Furthermore, if we have to have the discussion, there are obviously serious civil liberties concerns with having the federal government impose a monitoring system on all private networks that examines domestic traffic without a warrant. Clearly these people believe that the word "reasonable" in the 4th amendment means anything that they want it to mean, and while there is a prescription for what is required to obtain a warrant, warrants themselves need never actually be required. This view is extremely radical and is unlikely to withstand judicial review. You won't even be able to appoint conservative lawyers who will accept it.

Both of these problems are eliminated by simply making this a private sector endeavour motivated with the right economic incentives.

federally operated, highly centralized operation was not scalable

I don't agree with this. There are a number of companies who provide managed security services for thousands of customers from centralized NOCS, customers who include Fortune 500 companies who have extremely complicated infrastructures. I think it's practical, particularly if you have billions at your disposal.

and in any case would be duplicated by the customers who take their industrial security seriously.

Unless they feel like the government is doing an adequate job cleaning their pipes. If the state posted armed guards in front of your Bank would you hire your own guards too on the presumption that the ones the state hired are incompetent? I think it's unlikely that their level of incompetence would allow enough fraud to justify hiring private equivalents.

Nevertheless (at risk of being considered provocative) I can see why a vendor would salivate at the prospect of such a windfall, especially if, as a market leader, they would expect to win the competition for such services. How much better to sell 30B in systems and services at one fell swoop, instead of going about all onesy-twosy for years on end!

And what of the vendors who lose? Is this to be a one size fits all solution, wherein the government selects a single...


      
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by flynn23 at 12:49 pm EST, Jan 29, 2008

Decius wrote:
Both of these problems are eliminated by simply making this a private sector endeavour motivated with the right economic incentives.

Which is what?

I agree with your initial surmising, but the fact that the President's hand is being forced on this indicates two things:

As you suggest, this is another lever in expanding surveillance powers by the state. My theory on this is that the end goal is "peace & security" through monitoring and tracking outcomes. Most crime is committed because there's simply a lack of expanded oversight and enforcement. All cops can't be everywhere all the time. This is a HUGE HUGE HUGE societal shift. (Just think the massive cycle that will be caused when speed limits are controlled through vehicle monitoring rather than police enforcement, bloating or killing the legalized extortion of writing tickets, completely rearranging the way police departments are funded, equipped, and deployed. And that's just one example!) There's no two ways about it. You either have more security or more privacy. The infantile methods of bringing about these infrastructures will not include the appropriate checks and balances and trust structures to ensure that they are not abused. THAT IS THE POINT!

Secondly, it points to the fact that cyber crime has now risen to be so prolific and systemic that it is threatening the very nature of our market driven economy. If there's no trust that assets are protected in our virtual world, then it undermines the entire system. For the last 10 years, this has been a cost of doing business. Identity theft? Simply raise our margins and fees to sweep the costs under the rug. But those costs are rising faster than organic margin growth and there's a ceiling on how much growth you need to continue to hide it. (There is a similar problem in health care with bad debt. It is a HUGE secret that will ultimately reveal itself in the next 12-24 months). You may not be able to get the Feds to centralize security, but you can be damn sure there is going to be some further regulation and licensing of what minimum standards are expected to protect data assets. Get ready for it.

Yes, it doesn't escape me that there's solutions to both problems which are readily available, but anyone who's spent five minutes in the technology industry knows that the most elegant solution rarely wins.

Ultimately, society is going to collide with the aftermath of the information revolution, which is, when everyone has access to all the information, then the truth becomes apparent. Our society is not built on truth. In fact, most of it is built on the evasion or arbitrage of truth.


       
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by Decius at 1:22 pm EST, Jan 29, 2008

flynn23 wrote:

Decius wrote:
Both of these problems are eliminated by simply making this a private sector endeavour motivated with the right economic incentives.

Which is what?

I don't know the answer to that question.

There's no two ways about it. You either have more security or more privacy. The infantile methods of bringing about these infrastructures will not include the appropriate checks and balances and trust structures to ensure that they are not abused. THAT IS THE POINT!

So then they don't actually create security. Sometimes the criminals wear badges. If you don't have checks and balances, you've given up your privacy for nothing.

Secondly, it points to the fact that cyber crime has now risen to be so prolific and systemic that it is threatening the very nature of our market driven economy.

I don't think this is really about economic crime. I think they have a systemic problem with state sponsored Internet based intelligence collection and they are worried it's going to turn into denial of service attacks. This is the Government getting religion about a "cyber pearl harbor" because it's actually a substantive risk now.

(There is a similar problem in health care with bad debt. It is a HUGE secret that will ultimately reveal itself in the next 12-24 months).

Jesus, did you just predict another large scale economic contraction?

Ultimately, society is going to collide with the aftermath of the information revolution, which is, when everyone has access to all the information, then the truth becomes apparent. Our society is not built on truth. In fact, most of it is built on the evasion or arbitrage of truth.

That's a very thought provoking observation.


      
RE: WSJ | Bush Looks to Beef Up Protection Against Cyberattacks
by noteworthy at 2:37 pm EST, Jan 29, 2008

If it's not OK for health care, how could it be a good idea for firewalls? The Internet doesn't even kill people!

The two are not unrelated. If I may be a bit dramatic for a moment:

In the Litvinenko affair, a man traveled from Moscow to poison his victim. He did this not because it was a practical necessity, but because he wanted his victim to know who killed him.

In an alternate scenario, the attacker might have just changed one of his prescriptions, surreptitiously -- an electronic attack with fatal consequences. (I readily admit that the details of such an attack would be quite subtle and target-specific. More plausible, perhaps, would be attacks on the integrity of medical records, or simply on insurance rolls.)

... problems are eliminated by simply making this a private sector endeavor motivated with the right economic incentives.

I certainly agree that security is about incentives; I have made that clear by my repeated citation of Ross Anderson's work on the subject. I intend(ed) to mention incentives over on the black box economy thread.

There are a number of companies who provide managed security services for thousands of customers from centralized NOCS, customers who include Fortune 500 companies who have extremely complicated infrastructures. I think it's practical, particularly if you have billions at your disposal.

I have visited several such facilities. I accept that they will help you keep your Bind and Sendmail up to date, and they will detect and block people who port-scan your address space. I do not believe they are conducting counterespionage and I do not believe their customers expect that of them.

If the state posted armed guards in front of your Bank would you hire your own guards too on the presumption that the ones the state hired are incompetent? I think it's unlikely that their level of incompetence would allow enough fraud to justify hiring private equivalents.

I would not expect these armed guards to prevent another Enron.

