Could the Private Sector Build Its Own Classified Information Sharing Network?
I’ve been advocating for the creation of a classified network for critical infrastructure for a while now. In July, I wrote a piece on the topic and helped write a paper for Intelligence and National Security Alliance on the idea.
As I have talked about it in various forums, a common suggestion has been that the private sector should create the network on its own. “Don’t wait for the government,” was the recommendation of one government official.
More on:
A lot of people think that is a good idea, including multiple vendors who believe they have the tools already. One aspiring entrepreneur wants to build the network from scratch and sell access to it on a subscription.
There is no shortage of tools for sharing unclassified information. And while I understand the arguments in favor of creating a closed network for unclassified information sharing, history suggests that no one would use it. Lest this history lesson be lost, let me now recount the tale of the Critical Infrastructure Warning Information Network (CIWIN).
During my short, happy tour at the cyber section of the National Security Council, a director from the resilience directorate popped into our office. He had emergency communications in his portfolio and he wanted to know if we had a CIWIN terminal. If we did, he wanted to know if we used it. Nobody had any idea what a CIWIN terminal was.
Except one person: Howard Schmidt. The late great Howard Schmidt had been serving as deputy cyber coordinator when CIWIN was setup in the early 2000s. He explained what CIWIN stood for. “Talk to Dick (ed. Richard Clarke, former special advisor to the president on cybersecurity),” he said. “It was his idea.”
Cybersecurity being a small world, I called Dick, who also happens to be my co-author. I told him the Department of Homeland Security (DHS) wanted to cancel CIWIN. “Are they insane?” He threw in an expletive in there for good measure.
More on:
I explained the department’s logic for canceling it. Budgets were tight. Sequestration was going on. And nobody was using it.
“Use it? You’re not supposed to use it, except when the %#$@!* internet goes down.”
Although the network’s name suggested that it was for sharing information, the real purpose was to provide a coordination mechanism between internet providers should something go awry on the public internet. “Talk to Marc,” he said. “He set it up for me. See if he thinks they still need it.”
Marc Sachs was someone I’d learned to keep on speed dial. He had formerly worked in the George W. Bush administration and was then at Verizon. After speaking to him and a few other carriers it became clear that despite what DHS said, the carriers were not convinced that the internet was sufficiently robust as to not need a backup mechanism should it ever go down.
I met with AT&T, who ran the network. They made clear that the $6 million annual contract was chump change to them. They also ran through the merits of the system. It was a closed loop that required specialized hardware and software to access.
As an MPLS network, CIWIN was immune to distributed denial of service (DDOS) attacks and was not dependent on the public domain name system to operate. Should the mother of all DDOS attacks take aim at the root or simply flood the internet, CIWIN would still function. It seemed worth the relatively small cost.
DHS canceled it anyway. In the end, it was probably the right decision. With no daily communication taking place over the network, the likelihood that it would work when needed was low.
The story of CIWIN convinced me that a network like it could be valuable but that it would need to be for both coordination and for information sharing.
For the network to be used for information sharing, it would need to handle classified information. Human nature is such that no one is going to be bothered communicating on a secure network if they can legally use the public internet.
That’s the reason why any effort to construct such a network privately will likely fail. Without the policy, systems and laws built up around classification, people will simply default to email and other compromised channels.
Getting a classified information sharing network going would require a sustained push from the Trump administration, and I am skeptical they will act. Let’s hope the bean counters at DHS were right and the carriers have got this whole internet thing down to a point where the idea of a network collapse is no longer a risk. After all, it’s been almost a year since the Mirai botnet kicked a country off the internet.