Former Director of Defense Information Paul Strassmann questions how DOD's new directive, permitting NIPRNet access to the Internet, will work without more explicit security direction.
The social media policy just approved by Deputy Defense Secretary William Lynn, states that the NIPRNet – the military's unclassified but sensitive IP network-- should be configured to provide secure access to the Internet. That is not actionable unless the directive can also give an indication of how to obtain such configuration in the future.
The new policy leaves the question how to make NIPRNet work securely with the fundamentally flawed Internet without a practical resolution.
Lure of social media
The social media offers features to Defense Department personnel that are otherwise not available by using DOD’s own resources. People like social media because they can easily obtain quality services, at hardly any cost, that DOD has neglected to provide. The online services DOD offers are hard to use, difficult to access as well as disjointed communications means.
DOD operates more than 500 major networks plus innumerable local network connections. It connects more than 5 million desktops, laptops and smart phones. A large share of these networks is switched over the public Internet, where every router and every switch are potential entry points for an attack.
Each of the DOD networks has different configuration and inconsistent firewalls. Each has inconsistent virus protection means. There are at least 10,000 high turnover administrators trying to defend more than 4,000 major applications and innumerable points of entry with patches, software updates and fault fixes. The defenders use inconsistent, incomplete and insufficiently supported management methods.
Given this fractured environment as well as the enormously large attack surface offered to millions of potential intruders, DOD cannot secure the existing NIPRNet to accept risk-free secure communications passed through the Internet. NIPRNet cannot be trusted to convey more than a billion/month messages from YouTube, Facebook, MySpace, Twitter, Google Apps, etc. without a zero-day attack eventually breaching through.
The proposed social networking policy continues to leave DOD vulnerable to a wide range of attacks. All it takes is a few botnets a day to bore through an unwatched port to potentially discredit reliance on the NIPRNet.
The new policy should also outline solutions for reducing the attack surfaces through desktop and server virtualization. As first priority this would place secure “zero clients” desktops in protected private clouds operated by DOD so that Internet access can be safeguarded. That will be especially important as people access more data to protected networks through mobile clients.
DOD must offer collaboration services so that people do not have to resort to social media to satisfy their needs. For instance, the widely advertised use of Facebook by Adm. Mike Mullen could have been delivered through a DOD operated portal offering comparable features and accomplish that without the exposure that a Facebook message will also slip in malware. It is regrettable that Mullen must use Facebook as the only easy to use, as well as universal connection, to 5 million military, civilian and reserve personnel because the existing communication means are broken, disconnected and not interoperable. DOD, with information technology spending that is ten times greater than the largest commercial IT budget, should offer Mullen a better way to communicate.
There are large savings available from simplifying the DOD’s fractured infrastructure, which currently consumes almost a half of the total IT budget. There is more than enough money to fund a much cheaper and more secure cloud-computing computing environment that connects everyone, securely.
There is more than enough money to offer to DOD personnel services that satisfy the need for social communications without exposing ourselves to the toxic Internet that is now and will remain always insecure as well as a source of uncontrollable perils.