MIT Technology Review

Thursday, March 1, 2012

Defense Department Wants More Control over the Internet

The U.S. government says it must govern Internet technology more closely to protect against cyberattacks.

The U.S. Department of Defense may have funded the research that led to the Internet, but freewheeling innovation created the patchwork of privately owned technology that makes up the Internet today. Now the U.S. government is trying to wrest back some control, as it adjusts to an era when cyberattacks on U.S. corporations and government agencies are common.

At the RSA computer security conference yesterday, representatives of the White House, U.S. Department of Defense, and National Security Agency said that safeguarding U.S. interests required them to take a more active role in governing what has been a purely commercial, civilian resource. But some experts are concerned that the growing influence of defense and military organizations on the operation and future development of the Internet will compromise the freedom that has made it a success.

The DoD is being compelled to remove half a trillion from its budget in the next decade, but spending on cyber defense will increase, said deputy secretary of defense Ashton Carter in a keynote at the conference. "Ships, planes, ground forces, lots of other things are on the cutting room floor, not cyber," he said. "The investments are at the level of several billion, [and] we are continuing to increase our investments."

Comments made by colleagues of Carter later in the day made it clear that this cash will not just be used to strengthen government systems. The NSA and DoD intend to shape the way private companies build and use Internet infrastructure, and have corporations help them respond more actively to detect and clean up after an attack does take place.

"Our systems are dependent on security products and infrastructure from the private sector," said Debora Plunkett, director of the NSA's Information Assurance Directorate, which oversees cybersecurity for all national security systems. She said that the NSA wanted to encourage private companies to automate the tedious, manual, and often neglected basics of securing computer networks. "We need industry's help," she said. "We're spending too much time on network hygiene: missing patches, poor passwords, known vulnerabilities."

The kind of automation Plunkett wants to see would significantly change the way Internet infrastructure functions. It should be possible, she said, for a company or agency to quickly instruct pieces of network hardware to drop connections or isolate computer systems when an attack hits, something that goes against the tradition of Internet hardware being independent and not easily subject to centralized control. Well-funded startup company Nicira recently launched technology that might achieve some of that, and it is known to be working with U.S. intelligence agencies.

Plunkett also said that she hoped the NSA could develop and encourage use of technology that makes mobile devices more secure, inside and outside of government. "One of my biggest priorities is delivering secure smart phones and tablets," she said. Although government departments are—like many in the private sector—ditching their BlackBerrys for smart phones running Apple or Google software, the latter are considered to be relatively low security devices that can be weak points that allow in attackers.

Richard Hale, the Department of Defense's deputy chief information officer for cybersecurity, said that his department had begun sharing classified information about cyberdefense with 36 industrial companies deemed to be vital; in return, these companies are expected to share information about any attacks they experience.

Speaking alongside Hale and Plunkett, the Obama administration's Howard Schmidt said the days of the Internet developing organically and without a centralized imperative to build in security or control channels needed to end. "Let's not just roll it out like we used to do and then fix the problem," he said. "We really have to change that around, to give anybody trying to intrude into our systems a harder time. If we don't do this, we all suffer."

The Obama administration has tabled legislation that would give the Department of Homeland Security powers to actively monitor the systems of companies operating "critical" infrastructure; and already White House and Department of Homeland Security officials have begun a program of close supervision of companies that operate the U.S. power grid.

However, some politicians and government insiders are beginning to push for the DoD and the NSA to have a greater role. Senator John McCain (R-Arizona) told Congress this month (full statement) that only the NSA and the U.S. Cyber Command, both DoD organizations headed by General Keith Alexander, can protect the United States.

Michael Hayden, a former director of the NSA and CIA, said that many people agreed with McCain that the military, in particular the NSA, should be in charge. "The [NSA] represents too much capacity to be left on the sidelines of this issue." Like McCain, he said that the NSA should actively monitor the systems of companies operating crucial infrastructure and intervene if an attack were detected.

Ron Diebert, director of the Canada Centre for Global Security Studies and leader of the team that discovered the GhostNet cyber attack on the Dalai Lama and various embassies in China in 2009, expressed concern at the DoD's growing influence. Introducing more centralized control of Internet infrastructure would send the wrong message to countries like Russia and Syria, which are already using cyberattacks or censorship on their own citizens, he said, adding that the Internet could become fragmented and locked down rather than open.

Hayden agreed that there was a risk that the "Internet's main principles" could be damaged, but said waiting for nonmilitary parts of the government to develop the necessary expertise was too risky. "A reluctance to grapple with these issues will cede the field to others that intend to do us harm. Something catastrophic will happen and then we'll overreact."

Jim Dempsey, vice president for public policy at think tank the Center for Democracy & Technology, said militarizing the Internet would be a mistake. "How did we get to this point where the most effective resources to secure the Internet's centrality to our society are in a top-secret military agency? Saying there's only one place to go will pervert our technology and society."