"Star Wars" doomed to fail?

Administration's plan to increase network security likened to unwieldy 80s era Star Wars defense initiative.

On Thursday, security experts likened a plan by the Clinton Administration to increase the network security of critical pieces of U.S. infrastructure to the moth-balled Strategic Defense Initiative of the 1980s -- well-meaning, but far too complex to implement.

"For all the good intentions, the government is putting its stamp on technology that's impossible to implement on a large scale today," said Rebecca Bace, president of network security firm Infidel Inc.

While other security experts have given the thumbs up to the goals of the so-called National Plan for Information Systems Protection, not one believes that a nationwide computer intrusion detection system is feasible.

Other aspects of the plan -- including educating and recruiting network security specialists and identifying and fixing security holes in systems -- were generally well received.

Lofty goals
During a Q & A session on Wednesday, National Security Advisor Samuel Berger stressed the importance of a comprehensive plan to protect critical parts of the national infrastructure from attack.

"It's extremely important to the American people that their IRS information, that the ability to run an air traffic control system, that the Social Security system -- that all of these computer systems be safe and secure," he said, "and that is what this plan seeks to do through a number of initiatives, including this detection system."

The ideas promoted by the proposal are not new. Drafts of the national plan have been circulating around government and industry offices for several months now, according to one source, who asked not to be identified.

Furthermore, Jeffrey Hunker, the senior director for critical infrastructure at the National Security Counsel, outlined ten steps to better security seemingly espoused by the plan during appearances at conferences as early as late last year.

Privacy pushback
While many of the plan's details were already known, a Wednesday New York Times report raised privacy issues when it incorrectly identified the Federal Bureau of Investigation as the supervising agency of the intrusion detection network part of the plan.

Called the Federal Intrusion Detection Network, or FIDNET, the program will actually be overseen by the interagency General Services Administration. In the event of a damaging intrusion, the National Infrastructure Protection Center would be called in to analyze the data and hunt for the culprit, stated several pages of the draft put online by the Center for Democracy and Technology on Wednesday.

Security experts agree that privacy advocates are right to question the government motives.

"The government is essentially saying, 'Why don't you route all traffic information through us and we'll let you know when something is wrong,'" said Steve Cook, vice president of sales and marketing for secure network software provider C2Net Software Inc. "I've seen enough of that sort of argument in the encryption space to know that it's generally some sort of smoke screen."

The proposal, to be released in September, and comments by the NSC's Berger indicate that private industry would not be monitored by FIDNet -- one fear of the pro-privacy community.

However, the report stressed the importance of protecting privately-owned industries critical to the infrastructure of the U.S., such as banking, power and communications. "For this Plan to succeed," stated the report, "Government and the private sector must work together in a partnership unlike any we have seen before. Only with the fullest participation of our private companies and Government Agencies can we achieve the high standard of information assurance we require."

Certain failure?
Yet, even with industry's aid, a nationwide intrusion detection network is unlikely to succeed, said security experts.

"It smacks a bit of Star Wars," said George Jalatis, director of security architecture services for Secure Computing Corp. "They are taking things that we can do on a small scale and trying to implement it on a very large scale."

Even if the system worked, Jalatis pointed out several ways of defeating it. "The system would not likely be able to detect new attacks or slow, subtle attacks," he said. "And, a fast attack -- it would be over before the system even recognized it."

The plan would be an expensive failure as well. The Clinton Administration hopes to appropriate $1.5 billion in 2000 for information systems protection -- a 40 percent increase over this year's allotted amount. Most of that increase would seemingly be spent on implementing the new national plan.

Weld Pond, a hacker with the white-hat security group L0pht Heavy Industries, believes the government could better help by establishing security standards that industry could follow.

"The real solution ... is standards for secure software that are real and standards for securing systems that are verifiable," he said. "With these things in place, there is no need for a nationwide snooping system which comes close to treading on privacy rights."


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All