Information Assurance: National Security’s New Front Line

Nowadays, few would ever consider using the Internet “unprotected” without a reliable anti-virus software and firewall solution installed on their PC networks. Yet most people, including government operatives, are visiting Web sites equally unprotected in other ways, and exposing their IP addresses and network identifies to the organizations that run them.

An agency’s IP address is one clue cyber criminals can use to identify the confidential online activity of undercover agents, researchers, investigators and analysts. Someone visiting the Web can unintentionally disclose their operating system, browser version, physical address and other sensitive information. Adversaries can use this information to uncover a government organization’s confidential plans and jeopardize their entire operation. Additionally, once an enemy knows your IP address, they can start scanning and attacking your network directly, endangering your data and infrastructure.

The impacts are substantial
Once an IP address is exposed, Web site administrators can automatically block an agency’s access to specific pages on a site, redirect them to a cloaked Web site that displays false information, attract that visitor to a “honey pot” page, monitor to gain intelligence or directly and maliciously harm the network. Tactics like this could mean exposing a cover, losing millions of dollars or even risking the lives of government agents. More aggressive enemies even automatically counter attack to create a denial of service, or damage or infiltrate government infrastructure.

The threat is by no means hypothetical. Many Web sites currently publish active government IP addresses so administrators can easily identify when an agency is visiting their domain. Exposed agencies include the FBI, Department of Homeland Security, National Security Agency, Drug Enforcement Administration and the Department of State. It’s one key reason why the Bush administration is proposing to allocate $6 billion in the 2009 budget for a cyber security effort.

Deploying information assurance systems
These types of growing online threats and attacks now shed light on the need to implement improved Information Assurance practices. These initiatives protect outbound connections to the Internet in order to ensure access to open source information, guarantee the integrity of the information gathered and protect against confidential leakage or counter-intelligence from adversaries.

One set of Information Assurance technologies that agencies can deploy today is non-attribution solutions. These types of systems provide many layers of capabilities that even today’s most sophisticated analytic tools will be unable to thwart. The better platforms include the following elements:

• Frequent Rotation of IP Addresses: The solution creates an unrecognizable pattern of Web surfing activity by frequently changing the originator’s IP address.
• IP Address Diversity: IP addresses used for rotation are drawn from a highly diverse population and come from many different network blocks.
• Provider Diversity: IP addresses come from different Internet Service Providers, so as not to give away a pattern in and of itself.
• Geographic Proximity: Internet activity appears to come from areas other than those closely associated with U.S Intelligence operations, such as Northern Virginia or Maryland.
• Assurance of Non-Retention of Records: Records of user activity are not retained or, at the very least, make them difficult to produce.

Additionally, comprehensive non-attribution solutions also support remote users as well as e-mail and online chat applications. There are also times when such systems also protect IP addresses that are used for “scraping and harvesting,” time-consuming search activities that use a significant portion of a Web site or server’s bandwidth.

What to look for in a non-attribution solution
There are plenty of solutions touting non-attribution benefits specifically for government organizations. But buyer beware – not all systems are the same. Any procurement officer must look for certain criteria before purchasing, including:

• Years in Operation/Development: Is the provider an established entity, or a “Johnny-come-lately?”
• Denial of Service/Intrusion Protection: Are the provider’s systems and infrastructures hardened against Internet threats?
• Social Engineering Safeguards: Does the provider have security measures in place to ensure the contacts visible are completely unaware of the provider’s involvement or the identity of the customer?
• Internal Compromise: Can the provider prevent its own employees from knowing the identities and activities of its customers?
• Timeliness: Is the solution off-the-shelf and turnkey for rapid deployment and utilization?
• Single Network Limitations: Will the provider be able to acquire network space from many independent ISPs from around the globe?

Never get complacent
The ease of accessing information on the Web and attacking the networks of where such data resides has created a false sense of security that can be exploited by insurgent organizations and criminals using new and powerful tools at their disposal. The only way for government agencies to circumvent this threat is to completely protect user identities through anonymous Web surfing systems, making this a new requirement while online.