Top-down cyber defense is an upside-down approach

By | January 19, 2012

Posted in: Network Security Trends

Wired’s Danger Room has reported that General Keith Alexander is throwing in the towel. In an address to the FBI-sponsored International Conference on Cyber Security he is quoted:

“15,000 enclaves: You can’t see ‘em all. You cannot defend them all,” Alexander recently told an FBI-sponsored gathering of law enforcement and cybersecurity professionals at New York’s Fordham University. “You’ve got to have an infrastructure that is defensible.”

It is a reality that you cannot achieve a defensible network with the typical process for fixing problems that the military and most government agencies use: a high-level officer or “Czar” is assigned. That person convenes a group to study the problem and make recommendations. By the time they are ready to report, the top person is ready to move on, his or her term has expired, or the situation has changed. So the process starts over. Look at the multiple infrastructure security reviews that the office of the President has instituted. Presidents Clinton, Bush and Obama have each appointed a security czar, and each has called for top-level reviews. Even the GOP candidates are calling for security reviews in the unlikely event one of them takes office in 2013.

In the meantime, threat actors have no such review process. They continue to develop advanced tools and methodologies and engage in more and more serious attacks.

In 2003, I had a chance to view the Pentagon’s networks first hand. There were 20 of them inside one building, each with its own administrators, often from different branches of the military, and often with conflicting purposes. Classic controls like limiting insecure protocols (Telnet, for one) were not even considered possible to enforce. When suggested, even today, the response is “Oh, you’re just trying to shut down port 23. You tell the Two-Star that you broke his application.”

General Alexander (a Four-Star) is indeed faced with an impossible task. You cannot, from the top, dictate granular policy. Even the NSA and CyberCom do not have the personnel to audit and enforce those policies across 15,000 networks and a million nodes.

Change has to come from the bottom up.  How do you do that?  By assigning responsibility and real consequences for failure.

Take, for instance, the simplest and direst dictate to all military personnel from the inception of military commands: a soldier may never fall asleep while on guard duty. Does the battalion leader personally patrol the checkpoints to ensure that this dictate is maintained? No. The soldiers have this rule pounded into them from the day they are recruited, and they have all heard of the dire consequences of sleeping on the job. It is their own responsibility, and they know it.

Today’s military has tens of thousands of people who never see a battlefield. They maintain IT systems. They must be impressed with the responsibility to maintain the security of those systems. A successful hack of the systems they are responsible for should come with dire consequences: demotion, berating, even court-martial. Of course they must be supplied with the tools to monitor, configure and protect their IT assets. They must be trained, and proper shifts must be provided since, indeed, security is a 24x7 responsibility. Duty rosters cannot be 9-5.

If there are 15,000 separate digital enclaves, simply designate 15,000 people with primary responsibility for doing their jobs: protecting their territory.

No, General Alexander, you do not need to perform a top-down review or build a “defensible infrastructure”; you need to ban Telnet from all government networks. Do that and another hundred best practices today and you will have fewer intrusions this week.
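The Telnet ban above is the kind of control an enclave administrator can verify for themselves without waiting on a review. As an added example (not from the original post or its author), the script below parses nmap grepable output (the `-oG` format) and lists every host still exposing Telnet or another cleartext remote-access service. The scan results are a constructed sample standing in for a real `nmap -sT -p 21,22,23,513,514 -oG scan.gnmap <range>` run, and the set of ports treated as “cleartext” is the example’s own assumption, not a list from the post.

```python
"""Audit nmap grepable (-oG) output for cleartext remote-access listeners.

Added example, not code from the original post. It assumes a scan saved
with `nmap -sT -p 21,22,23,513,514 -oG scan.gnmap <range>`; SAMPLE_GNMAP
below is a constructed stand-in for that file, not real scan data.
"""
import ipaddress

# Ports whose protocols carry credentials in the clear. Port 23 (Telnet)
# is the one the post singles out; the others are its usual companions.
# The mapping is an assumption of this example, not a list from the post.
CLEARTEXT_PORTS = {
    21: "ftp",
    23: "telnet",
    513: "rlogin",
    514: "rsh",
}

# Constructed sample of nmap -oG output. Each host produces a "Status"
# line and a "Ports" line; fields within a line are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated Thu Jan 19 09:00:00 2012 as: nmap -sT -p 21,22,23,513,514 -oG scan.gnmap 10.10.0.0/28
Host: 10.10.0.1 (core-rtr)\tStatus: Up
Host: 10.10.0.1 (core-rtr)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (3)
Host: 10.10.0.2 (app-srv)\tStatus: Up
Host: 10.10.0.2 (app-srv)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: filtered (3)
Host: 10.10.0.3 (bastion)\tStatus: Up
Host: 10.10.0.3 (bastion)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\tIgnored State: filtered (3)
Host: 10.10.0.4 (legacy-mgmt)\tStatus: Up
Host: 10.10.0.4 (legacy-mgmt)\tPorts: 23/open/tcp//telnet///, 513/open/tcp//login///, 514/open/tcp//shell///\tIgnored State: closed (2)
# Nmap done at Thu Jan 19 09:00:12 2012 -- 16 IP addresses (4 hosts up) scanned in 12.00 seconds
"""


def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service), ...]} from -oG text.

    Comment lines and "Status" lines carry no port data and are skipped.
    Each port entry is port/state/proto/owner/service/rpcinfo/version.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]  # drop the "(hostname)" part
        entries = []
        for item in fields["Ports"].split(","):
            parts = item.strip().split("/")
            if len(parts) < 5:
                continue  # malformed entry; ignore rather than crash the audit
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            entries.append((port, state, proto, service))
        hosts.setdefault(ip, []).extend(entries)
    return hosts


def find_cleartext_listeners(hosts, watch=CLEARTEXT_PORTS):
    """Return [(ip, port, name)] for open TCP ports in `watch`, sorted by address."""
    findings = [
        (ip, port, watch[port])
        for ip, entries in hosts.items()
        for port, state, proto, _service in entries
        if proto == "tcp" and state == "open" and port in watch
    ]
    # Sort numerically by address, not as strings ("10.10.0.10" < "10.10.0.2").
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f[0]), f[1]))


def telnet_hosts(hosts):
    """Hosts that still answer on 23/tcp: the list the post says should be empty."""
    return sorted(
        {ip for ip, port, _name in find_cleartext_listeners(hosts, {23: "telnet"})},
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, name in find_cleartext_listeners(scanned):
        print(f"{ip:<15} {port:>5}/tcp  {name}  <- cleartext service exposed")
    print("Telnet still enabled on:", ", ".join(telnet_hosts(scanned)) or "none")
```

A closed or filtered port 23 (as on `10.10.0.3`) is not reported, only ports nmap saw open. Running the audit against the real scan file is the same call with the file’s contents in place of `SAMPLE_GNMAP`; the point is that a per-enclave administrator can produce this list daily without any top-down review.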
