The risks of social computing can be addressed in systems' architecture.
The total population on the Internet is 1.6 billion. The majority of users engage in social computing, where numerous online services offer opportunities for sharing information. There are currently 156 social computing sites, but that number is growing to meet increasingly diverse interests. Sites with more than 15 million registered users include Digg, FriendFinder, Facebook, Flixster, Flickr, Friendster, Habbo, LinkedIn, MyLife, MySpace, Orkut, Plaxo, Twitter, YouTube, UStream and Wiki. These services had a total membership of 1.4 billion as of last fall.
Military and civilian personnel now are relying on social media for personal communications as well as for sharing information that covers social and military topics. The problem with these services lies in their vulnerability to security breaches. Social networks rely exclusively on the public Internet, which was conceived 40 years ago as a nonsecure network for academics. The Defense Department can do nothing about the vulnerabilities inherent in using the Internet except to employ elaborate and costly protective overlays that guard more than half a billion daily transactions. Every social network exposes the department to hostile attacks that can be used as conduits for toxic software capable of infecting every computer device.
When the U.S. Marine Corps confronted the prospect of persistent cyber corruption via social media, its only recourse was to prohibit its use. Though such resolute action is commendable, such an injunction is unenforceable. Meanwhile, all other Defense Department components remain aware of the risks of continuing with the rising dependence on social computing. Studies have been launched even though there is universal acknowledgement that the dependence on social computing cannot be stopped.
Defense policy makers now have three options. The first would be to accept all of the risks endemic to social computing by hoping that prophylactic measures such as virus protection software and firewalls will limit the damage. Such expectations are unrealistic. The increasing capabilities of attackers cannot be overcome. Enemies will continue tracking social communications to extract intelligence about operations.
The second choice would be for the Defense Department to avoid the risks of social computing except where it can be practiced on isolated computers that use circuits dedicated for access to the public Internet. This solution is workable but expensive and hard to manage, especially on ships or on the battlefield. This approach does not address the problems of intelligence leakage. It also will deprive the department of the value that social computing brings to the contemporary military culture.
The last option is to alter the current designs of systems so that social computing becomes a controlled and integral part of all communications. This option can be secure, enforceable and less expensive provided the Defense Department is ready to change the architecture of its systems.
Hypothetical cases potentially illustrate the benefits of adopting a revised approach to social computing using technical means for achieving information security.
In a theoretical social computing base case, a soldier walks up to any thin or zero client, anywhere in the world, and logs in using a Common Access Card (CAC) for certified authentication. The thin client does not have a disk drive and uses only a browser to communicate with the servers that house the virtual desktops. A zero client does not have a microprocessor, disk drive, software or drivers, and it cannot be patched. It is therefore totally secure, since it acts only as a frame buffer.
The thin and zero clients obtain menus of virtual desktops from virtual servers on redundant data centers with zero downtime and with Google-like latency. These menus include access to social computing.
The soldier can connect the memory card from a digital camera to a universal serial bus (USB) port on the thin client, but the port is only active when the personal Internet desktop is open. The soldier can use such access to upload personal photos or movies to social networks. Whenever the user switches to a secure virtual desktop, the USB port is deactivated. The net result is that each soldier owns a fully portable as well as a totally isolated open access virtual computer for personal use.
The hosting of servers that support social networking should be a service that is built into the Defense Department's Global Information Grid (GIG). A library of standardized templates then is accessible. These templates are reset at the beginning of each session to preserve security.
Every communication from a virtual client must include a personal certificate of authenticity from the CAC and must pass through security gateways, which log transactions into permanent and de-duplicated storage. Suspect records then are available for forensic examination by security personnel using business intelligence software. All transactions, particularly those from Internet connections, will be inspected automatically at a Network Control Center (NCC) by a battery of semantic filters that scan for possible violations. Any compromises of security restrictions or any detected anomaly in text is flagged while communications are cut off.
Virtual desktops can be transferred between desktops, laptops or smart phones or between one data center and another at a different location. When a virtual desktop is transferred, an expiration time limit is issued that allows the virtual desktop to be used offline, such as in the case of air travel or combat missions. If the time limit expires, the virtual desktop is scrambled. While a virtual desktop is checked out, it is periodically synchronized with the copy on the server so it can be completely recovered in case of loss.
Migration to the social computing base case will take many years to accomplish. Applications as well as computers are already in place and must continue with legacy programs until they can be fitted into the new architecture. Meanwhile, the safeguarding of connections to the public Internet requires protective measures. This cannot be delayed and therefore desktop virtualization must proceed immediately.
Potential cost reductions should steer the priority with which the migration of legacy systems is planned. The largest payback comes from the conversion and consolidation of servers into redundant "private clouds." Whether that is accomplished through government-owned facilities or by renting the cloud infrastructures on a per-transaction basis from several cloud vendors is a matter of the speed at which cost reductions can be delivered. Such choices also will require an ability to relocate the virtual servers across the clouds for the interoperable pooling of assets to ensure fallback for failure-proof continuity of operations.
The placement of all social applications into dedicated Internet servers consolidates desktops from legacy computers. Bug fixes, software updates and virus protection now can be administered in a uniform manner throughout the network. Centralization of controls makes possible the mechanisms through which communications to and from social networks are performed. It reduces the cost of client upgrades because social applications will be sharing much more economical pools of processing, disk storage, communication and energy consumption services. After a person's Internet connection is placed under the control of a hypervisor, it can be relocated regardless of where a person is located geographically or organizationally.
The placement of social computing under the direct control of a hypervisor (a "bare metal connection") will dispense with the dependency on proprietary versions of operating systems (OSs). Social computing then can rely on a fraction of the OS code, thus reducing licensing costs as well as eliminating labor-intensive support. After all social applications are placed on a consolidated virtual computer, they can be further hardened against tampering. The National Security Agency has shown that the bloated OSs, which must support an excessive number of features and functions, are the largest targets for software attacks.
During the transition from a legacy environment, the secure hypervisor will permit the running of virtual computers on a local desktop or laptop. The hypervisor will maintain digital signatures for the virtual window that had access to social computing. If a virtual desktop is modified without authorization, it is shut down immediately.
There is nothing to prevent warfighters from engaging in social computing on public networks using their own computers while paying for their own access privileges. Personal privacy allows that; however, cumbersome regulatory, legal and other restrictions limit such uses. As costs of client devices drop, the warfighters' personal social computing will come to rely on network connections purchased from commercial information services providers. In such cases messages will have to carry an address that is different from .mil. Such connectivity will be prohibited at sensitive military sites, and therefore social computing will have to rely exclusively on circuits provided by the Defense Department.
The department has the unquestionable authority to control all Internet transactions that originate from every .mil Internet protocol address. A recent pronouncement from the Office of the Secretary of Defense that the department intends to pursue a "balanced" approach to social computing is inconclusive. It leaves huge gaps for tens of thousands of transactions a day that can bypass all protective measures.
The Defense Department must take decisive remedial steps to achieve positive controls over all social computing transactions originating from the toxic Internet. The risks are too great to accept insufficient safeguards.
Paul A. Strassmann is distinguished professor of information science at George Mason University and the former director of defense information for the Office of the Secretary of Defense.