The Defense Department’s networks, as currently configured, are “not defensible,” according to the general in charge of protecting those networks. And if there’s a major electronic attack on this country, there may not be much he and his men can legally do to stop it in advance.
Gen. Keith Alexander, head of both the secretive National Security Agency and the military’s new U.S. Cyber Command, has tens of thousands of hackers, cryptologists, and system administrators serving under him. But at the moment, their ability to protect the Defense Department’s information infrastructure — let alone the broader civilian internet — is limited. The Pentagon’s patchwork quilt of 15,000 different networks is too haphazard to safeguard.
Take last year’s infection of drone cockpits at Creech Air Force Base in Nevada. Air Force network operators only learned about the virus weeks afterward — by reading about it on this website.
“15,000 enclaves: You can’t seem ‘em all. You cannot defend them all,” Alexander told an FBI-sponsored gathering of law enforcement and cybersecurity professionals at New York’s Fordham University. “You’ve got to have an infrastructure that is defensible.”
Cybersecurity has become a top priority in the Pentagon — one of the few areas of the Defense Department set to increase during a time of budget cutbacks. For Alexander, one of the top cybersecurity priorities is to drastically consolidate the number of military networks, data centers, and help desks into a more manageable number — 3,000, instead of 15,000. Meanwhile, he wants the Defense Department to move towards cloud computing, which he contends is both cheaper and easier to protect.
“We know where we are today is not defensible,” he said. “We are pushing very hard for both the Defense Department and the intelligence community to move down this road. The National Security Agency’s going there first. We’re doing this first to show – if it’s good for us, it’ll be good for others.”
Alexander didn’t give many details about his vision of a military cloud – only that such a system would contain both unclassified, secret, and top secret information. But it’s worth noting that the Pentagon’s cutting-edge research outfit, Darpa, thinks its a problem hard enough to devote their 1,000-pound brains to solving.
The drive for simpler, easier-to-defense systems is a little easier to quantify. The NSA has already trimmed 40% of its data centers and cut the number of 900 help desks down to 450. The idea is eventually have just two help desks and 20 data centers. Alexander figures he can save up to 30% of his IT budget by 2016 this way.
Alexander has a fair amount of leeway in what he does with the NSA’s technical architecture — he’s in charge of the place, after all. But Alexander has other duties, including helping to protect civilian networks in case of a catastrophic cyber attack: a son of Stuxnet, say, designed to disrupt Wall Street instead of Iran’s nuclear facilities. In the past, Alexander has said he doesn’t have the authority to ward off such a strike. On Thursday, the general noted that those policy decisions have “not yet been arbitrated — who has responsibility where.”
But, he added, the NSA (or Cyber Command) couldn’t simply swoop in at the last moment. At some level, Alexander’s men would have to be empowered to keep watch over certain key public and private nodes.
“What we can tell them technically is: in order to stop it, you have to see it in real time, and you have to have those authorities. Those are the conditions that we’ve put on the table,” Alexander said. “Now how and what the Congress chooses, that’ll be a policy decision.”
Before leaving the sunken dais in the law school auditorium, Alexander took a final question: How can tell you when you’re safe ofrom network threats?
“Well,” he answered, “I don’t think we’re safe right now.”
By Noah Shachtman
January 12, 2012