Boil it all down and last week's Black Hat conference in
Las Vegas discussed just two things - identity and privacy in
cyberspace. Both are at risk as the internet enters a period of
massive expansion.
IT managers need to deal with these issues in the light of the
increasing volume and subtlety of attacks by ill-intentioned
people.
Identity and privacy are two sides of the same coin. For the
internet to work, everything connected to it requires a unique
identifier, known as an internet address or uniform resource
locator (URL). This allows network routers, which act as
postmasters, to direct messages to the right address.
The internet was designed to be flexible. This makes it possible
for people to pretend to own someone else's address and thus to
divert traffic elsewhere, or even to take over the address.
In addition, many people want to hide their identities and
activities on the internet for both legitimate and illegitimate
reasons.
Bob Lentz, the US Department of Defense's chief security
officer, says the internet is now a "global commons". This means
everyone has a right to access and share in the benefits it can
bring.
But it is a fragile ecosystem, he says. Far too many are abusing
the right. This abuse includes hacking, criminal acts and
borderline legal acts, such as spamming.
Lentz says it is impossible for the Department of Defense, which
paid for the original development of the internet, to take back
control, clean it up and lock it down to make it safe.
Instead, he proposes a six step plan to increase the resilience
of the network. This, he says, will allow people to use the
internet safely despite the hazards.
| The US Department of Defense's chief security officer has set
out a six-step plan to improve the resilience of the internet and
make it safe to use despite the hazards posed by spammers, web site
hackers, identity thieves, spies and other criminals. |
|---|
| 1. To strengthen the network's physical and logical
underpinnings so that commercial off the shelf applications could
run safely |
| 2. To ensure that software and systems were written and ran
securely |
| 3. To reduce the "attack surface", meaning leaving fewer
opportunities to compromise network elements and
applications |
| 4. To reduce anonymity (but not necessarily the privacy) of
network elements, including users, so that bad behaviour could be
isolated and removed |
| 5. To build security into the network from scratch |
| 6. To build ad hoc IT architectures that could serve their
purpose and disappear as soon as their mission was
over. |
IT managers' role is essentially to practice safe computing. Use
firewalls, anti-virus and intrusion detection systems. Use the
latest software patches. Make sure that networks are properly
configured. Delete or change default passwords. Identify properly
everyone, and increasingly everything, to the network. Define their
resulting privileges. Monitor them for transgressions. Revoke their
privileges instantly when they are no longer needed.
This will become even more critical as the internet migrates
from the IPv4 addressing scheme to the IPv6 scheme. IPv6 will
create a possible 2 to the power 128 IP addresses.
Many of the new addresses will identify machines such as CCTV
cameras, mobile phones, package labels, even GPS-tagged cows and
killer whales, as machine-to-machine communication moves from
closed proprietary networks onto the internet.
Many things will need only temporary addresses. This will create
a headache for the people who have to ensure that they are taken
out of circulation at the right time and that, despite the huge
number of available URLs, that they can be reused and still keep
their uniqueness.
The organisation that has to do this and so protect the owners'
right to their unique addresses is the Internet Corporation for
Assigned Names and Numbers (Icann).
Icann works through licensed national domain name registrars.
They are responsible for keeping the register of who owns which
domain names, now 200 million, and their associated URLs. The
national registrars also resolve disputes and run the domain name
servers, the internet's post offices. Nominet is the UK's domain
name registrar.
This set-up has worked for 40 years. There are proposals to
change it. They would see control of the domain registries and
possibly its technical development centralised.
Rod Beckstrom, the new head of Icann, argues that the internet
is already too big for centralised control. "If you chop off a
spider's leg, the spider loses the leg entirely," he says. "But if
you chop off a starfish's leg, it grows a new one, and the chopped
off leg grows into a new starfish."
The proposals would hand control to a central body such as the
International Telecommunications Union. The ITU has little
experience in resolving business issues quickly. This would lead to
delays in resolving disputes over who owns a domain name or a URL.
It would also create a vast new bureaucracy and raise costs.
Icann uses the starfish model, which the Department of Defense's
Lentz approves of, because it provides resilience against a
catastrophic central failure. IT managers should therefore resist
efforts to centralise control of the internet.
Nominet is presently
consulting on the future of the domain name business in the UK.
It is looking for comment from CIOs and IT managers that will help
it shape the future of the internet here and elsewhere.