He assessed the process of connecting systems of national significance to the internet as a recipe for disaster, and he was right: the internet is insecure. And yet we use it today for everything from social media, shopping and banking through to education and, in the near future, eHealth.
The last of these, edging towards becoming reality in Australia, simply should not proceed within the current system.
The rate of cyber-crime on defence, government, business and residential systems is increasing and little can be done to stop it. Why? Because the digital network was not designed with security in mind.
The Australian government recently announced the 2009 review of government security and infrastructure will be implemented and the current 124 individual internet gateways (the place where multiple networks interconnect to exchange traffic) will be reduced to eight – the minimum number needed for operational efficiency and reliability.
The idea is to concentrate spending on a reduced number of gateways with the aim of improving security and, with new equipment, improve operations.
The government’s actions are a step forward, but they don’t tackle the root cause of the security problem – the insecure internet. And what about all the other users of the internet, business and residential customers included?
Most cannot afford the many multiple millions of dollars government is now spending on new gateways – gateways that ultimately cannot and should not be relied upon to secure systems and infrastructure of national importance.
General Keith Alexander, director of the US National Security Agency and head of the US Pentagon’s Cyber Command, recently used a speech in Baltimore to call for the Pentagon and intelligence agencies to step up efforts to secure networks and systems.
General Alexander also called for more government coordination with private companies to improve public network security.
In a key observation, he said that when a computer network is infected someone should be able to disconnect it.
The internet as a runaway vehicle
Criminal organisations have already made billions and appear to be re-investing to develop new and more sophisticated scams.
Another way of looking at the internet is to consider the analogy of the car in the 20th century.
There can be no doubt the 20th century was the century of the car. We all wanted one, speed was encouraged and by 1970 there were 3,600 road deaths annually in Australia.
The number of permanent and disabling injuries associated with road trauma had reached a peak.
Government had to act and did so. Seat belts and lower speed limits were introduced and car companies were forced to redesign with safety as a priority.
The same point in history is now upon us for the internet. The government must act to reduce cyber-crime and to secure the key systems and infrastructure.
As already mentioned, the Australian government must not launch its eHealth systems until security can be guaranteed. If necessary, eHealth should only be utilised on a separate network – the start of a secure network for key national systems and infrastructure, as described by Shawn Henry.
One of the most important services on the internet today is still one of the most insecure: email. The fastest way for a criminal organisation to breach security is through the use of email.
It is fundamental that SMTPSec (the use of SSL certificates for SMTP server to SMTP server communications) and SMTPS (the use of SSL certificates for SMTP server to client communications) be implemented immediately.
New legislation is needed that sets out a path towards Australia having two separate networks. One would remain the public internet and the other would be a secure network for key national systems and infrastructure.
Authority to disconnect parts of the network and to disconnect countries from the Australian network should be detailed. Protocols need to be put in place for these actions to occur and it must be decided who will carry out the actions.
Legislation should set out a timeline and framework whereby equipment and systems suppliers will be required to improve their products with safety and security in mind.
Certain well-known security flaws in the way computers are made and sold must be identified in the legislation and made illegal. One example is that operating systems can be sold without adequate integrated anti-virus and anti-malware capability. To return to our analogy, that would be like selling a car without seat belts today.
All computers connected to the internet should be registered and the computer operating system should report the computers state including the health of the anti-virus and anti-malware checks.
Do you see the parallel with cars? Car registration is now mandatory for any vehicle utilising public roads. Car roadworthy checks are carried out annually or in some states randomly and whenever a vehicle is sold.
Australia is taking a positive lead by working with other nations to identify and try to solve some of the issues with the internet. But the pace of this world-wide effort is glacial and more needs to be done.