Lessons, does anyone ever learn?
jtodd at loligo.com
Wed Feb 17 22:14:24 UTC 1999
As a footnote referencing the budget request Sean lists below, take a
look at http://www.ciao.gov/roadmap-c.pdf for specific information
and http://www.ciao.gov/roadmap-main.pdf (table 2.3) for a general
summary. These references are from the July 1998 Critical
Infrastructure Assurance Office's summary of "Information and
It's old data for some of you, but still worthwhile as a refresher
since the gummin't takes a while to throw some money and monkey
wrenches at these reports...
So: Regardless of how often they regurgitate the same discoveries, we
know that the government doesn't trust current development and risk
assessment of "the network" (be that network the current Internet or
some IP based network of the not-so-distant past.) For those of us
in the US that have to contend with the results of any US-based
legislation, what does it mean? Will we have to build our IP
networks according to a certain planbook? Will we be required to
allow inspections to confirm compliance? Will international
providers of traffic need to comply with US-specific guidelines
before being allowed to "import" their packets?
I'll throw my opinion of "No" on the table and see if anyone
disagrees. I really see no way to implement meaningful risk
assessment and coordinated security controls across such an already
huge number and variety of private networks. These risk assessment
studies that CIAO is doing are interesting, but what can be the end
result of so much expense and examination? Not a lot that will
directly change the higher-layer protocols (eg: layer 2/3 and up)
that are currently being used, at least not without a lot of
burdensome legislation that might stifle the industry. I think such
a burden will be enough to scare legislators away from passage of
Should this discussion really go on com-priv? (or as the case may be
in this throwback to governmental control of the network: "priv-com"
At 2:26 PM -0600 2/17/99, Sean Donelan wrote:
> Under the heading, the more things change, the more they stay the same...
> I found this interesting paragraph in a government sponsored research
> report. To make it more interesting, I'm not going to tell you the
> date of the report, or the network the authors were talking about.
> Since the US Government paid for the work, copyright isn't a concern,
> now if that ain't a hint, I don't know what is :-)
> "Among them they noted that while worst case analysis had been done, the
> particular scenario had not been studied. They also suggest operators
> did not have all the data they needed to make proper decisions.
> notable was that no one could see the big picture across the entire
> system. The authors suggest that there is substantial improvement
> needed to the modeling process. For example, models used for planning
> are different than models used for online monitoring and control. Finally,
> there are thousands of system components, and as many problems waiting
> to occur.
> Based on these observations the authors suggest the following:
> - Online dynamic security assessment tools, and security indices.
> - Wide area communication network and system monitoring process.
> - National standards for operations and engineering.
> - Improved system planning and risk assessment methods.
> - Standard system planning and operating data models.
> - Validated data in simulation models.
> - Wide area measurement and controls."
> Since there is currently a $2.8 billion budget request pending before
> Congress to fund critical infrastructure protection, do you sometimes
> get the feeling some researchers just cut & paste their old analysis
> into whatever today's hot topic is?
> Sean Donelan, Data Research Associates, Inc, St. Louis, MO
> Affiliation given for identification not representation