Bush adviser backs ‘Net security

The U.S. government should fund and test Internet Engineering Task Force developments and initiatives to improve the security of Internet communication, including extensions to the Border Gateway Protocol, according to a presidential adviser on Internet

The U.S. government should fund and test Internet Engineering Task Force developments and initiatives to improve the security of Internet communication, including extensions to the Border Gateway Protocol, according to a presidential adviser on Internet security.

Internet protocols such BGP and DNS can be targets of intentional malicious activity or sources of instability that compromise the security and reliability of the Internet, says Richard Clarke, special adviser to the president for cyberspace security. There have been recent instances of malicious activity – the Oct. 21 distributed denial-of-service attacks on 13 Internet root servers – and Clarke says BGP frequently “flops” massive routing tables between ISPs, creating pockets of instability.

“We’re proposing that there be an increased role for the federal government in terms of funding research, in terms of being an early adopter when there are successful new things and in terms of helping to create test beds,” Clarke says. “The U.S. government should be doing more, not in terms of regulating, mandating or dictating, but in terms of facilitating the work of people like the IETF.”

But governmental funding of IETF work is tricky because the IETF and the Internet are worldwide organizations and entities, Clarke says. Ownership is therefore ambiguous, as is the source of research and development funding, he says.

“Issues of BGP, secure BGP and secure DNS have been kicking around in the security group and the protocol groups in the IETF for a long time,” he says. “But nothing much has happened, and that’s in part because who owns the Internet? The world does, so that everyone owns it in common. No one feels responsible for funding this work.”

Clarke says the U.S. government has been in discussion with Jeff Schiller, security area director for the IETF, about funding and testing. Clarke says Schiller is receptive but sensitive to the possibility that the federal government would dominate the IETF’s work, Clarke says.

“We’re not interested in dominating; we’re not interested in regulating,” Clarke says. “But we are interested in facilitating their work. What [Schiller] said is that they certainly could use assistance in funding R&D, funding test beds, that would make it possible for them to make decisions or [request for comment] conclusions more rapidly than they have been.”

Under consideration is the creation of a “civilian DARPA” in the Homeland Security Department to solicit the participation of the private sector in Internet security and stability R&D, Clarke says. DARPA – the Defense Advanced Research Projects Agency, the R&D arm of the U.S. Department of Defense – funded early development of the Internet in the 1970s.

The government is discussing joint funding and research with the European National Security Agency, a department of the European Union, Clarke says.

“The real issue is getting somebody – the U.S. government is the logical candidate – to worry about these underlying protocols and support the work of the experts,” Clarke says. “Not impose our solutions, but first of all say to the expert community, ‘We think there are problems here. Do you?'”

Clarke says there are two kinds of problems with BGP: One is instability, which arises mostly from human error; the other is security.

“Right now, [BGP] doesn’t use authentication or encryption,” Clarke says. “That poses a potential vulnerability, which people have been aware of and talking about for years but no one has done anything to fix yet. So there are two problems.They’re related, and we’re interested in solutions that facilitate both of them.”

Clarke feels these solutions can be bolted onto the existing BGP protocol rather than requiring the development of a new peering protocol for the Internet.

Clarke says the IETF is likely to require “a few million dollars” annually from the federal government to fund R&D of Internet security and stability initiatives. Test beds also would need to assimilate a large-scale system.