In some of my recent discussions with policy-makers, network separation, i.e. the physical isolation of sensitive networks from the Internet, has been floated as an essential cybersecurity tool. Why? It promises the holy grail of security, i.e. 100% protection, because cyberattacks can’t cross the “air gap” to reach their target.
In my experience, however, network separation has its place in the governments’ cybersecurity toolkit but it also suffers from significant drawbacks. These include: costs of implementation and maintenance; diminished productivity; and, perhaps counterintuitively, degradation in some key aspects of security. Overall, network separation is out of step with a world where systems’ interconnectivity is underpinning innovation driven by cloud computing and the Internet of Things (IoT). I’m going to use this blog to look a little more closely at these issues.
Network separation is an established and recognized security practice in critical sectors, e.g. classified military networks or nuclear power plants. The potential consequences of these systems being compromised are sufficiently bad to justify any downsides that network separation might introduce. However, as governments consider implementing network separation more broadly, that cost/benefit calculation must change.
Looking at costs alone, creating separate networks means increased expenditure of limited resources and reduced economies of scale. An “air gap” demands creating a whole new network with standalone servers, routers, switches, management tools, etc. That network needs to be built to deliver the foreseeable peak demand, which might only occur every now and then. This largely unused capacity is effectively wasted, whereas a non-separated network could simply use temporary cloud resources to “scale up” when needed. Costs increase further because software maintenance cannot be done by a remote centralized hub, whilst physical maintenance is more time consuming.
Network separation can also harm efficiency, productivity and usability. An “air gap” creates barriers to the outside world, which most government workers need to best serve their constituencies. Having to turn attention and move information between different devices, some separated and some not, would be time consuming at best and confusing at worst. And many government services and systems that are meant to interact directly with citizens are likely to be slowed and made more cumbersome by separation protocols. The benefits of smart cities and smart nations will be significantly diminished if governments forsake cloud and IoT benefits in the name of network separation.
Finally, even network separation’s security benefits are not foolproof. For one thing, being disconnected from threats frequently means being disconnected from cybersecurity innovation, let alone mundane security tools such as patches. Moreover, the assumption of being safe on the other side of an “air gap” can mean staff and management take essential security basics for granted. Indeed, a poor cybersecurity culture within any organization means social engineering or human error can give malicious actors a way into a system, e.g. as employees circumvent cumbersome requirements by relying on their private (and often insecure) email.
Furthermore, the “air gap” itself can be circumvented. Just one connection with the outside world creates a single point of failure for malicious actors to exploit and even with no direct connection there are ways “in”. As Stuxnet showed, removable media such as USB drives can insert malware into physically separated hardware, whilst some forms of hacking are able to “jump” the “air-gap”, e.g. USBee (a “software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle”) and AirHopper (turns a computer’s video card into an FM transmitter to collect data from “air-gapped” devices).
For governments concerned about the growing scale, frequency, sophistication and impact of cyberattacks there can be legitimate reasons for adopting network separation. In limited sets of circumstances, e.g. protecting classified networks, it can be part of an appropriate, risk-management based cybersecurity response. That being said, it is essential for governments to understand the tradeoffs in cost, usability, and effectiveness that the approach introduces. Network separation is not and cannot be the right or the only answer to all of their cybersecurity concerns.