OK, change "HQ computer" to "www.ANYTHINGBIG.com", and change "enemy" to "random hacker in another country". There are boxes that *have* to be visible to the world because they provide service and connectivity to the outside world - and you can't even hand-wave "put them in a DMZ" because then you still need that address mask to tell if the other end of the connection is coming from outside, another DMZ machine, or an internal machine.
Yes, but more than that. We talk of the internet itself. The US strategy may amount to a US DMZ or a chain of DMZs. I do not think there are any objections to that. Except that it underlines that we are not in an open worldwide network anymore, or at least not at the same layer.
This has a first direct implication, which is the impossibility of accepting anything unique and common to systems which want to be unique by themselves. One has to find other solutions. No master/slave, nor peer to peer.
One good example is the DNS. TTLD Managers are authoritative (like running their own DMZ). Yet ICANN wants to be authoritative (hence the problems it faces). Question: is there a way to make authoritative independent systems share in a unique common system?
This leads to an analysis of authority and shows that the American language lacks the word (hence the commonly shared images and understanding, and the capacity to discuss it) we found in Europe as "concertation" (French/Eurospeak). This means that authority is not delegated (as DNS says), nor shared (as in a democracy), but retained by each participant (making consensus the only decision process, as at the IETF, ITU, etc.). One may name this polycracy. Currently the European problem in accepting 10 new countries is to regress from a polycratic decision process to democratic votes. This creates single points of failure: the group or the unique country (out of 25) making the majority, and raises the difficulty (which polycratic consensus had solved) of the quality of the voter. Sometimes Luxembourg does not have the same weight as Germany or France.
This is the same with networks. Most of the propositions I hear here are not acceptable in the long run because they are ideas to develop something, not to better serve a group. Engineers see a network as connected machines. Developers see it as communicating applications. Users see it as groups of people.
When you think about reducing risks to the people (not only hacked machines or DoSed networks), you must think global (in the English/French meaning: i.e. all the parts of the concerned whole, not as a single/simplistic whole, as in "put the militaries behind a DMZ"). So you must look at the point of failure of each element (hardware, software and brainware) and then of the system.
To take your example or mine. The hacker is going to intrude into the computer. The foreigners are going to intrude into the networks. All this is going to destabilize the nation (its computers through its networks). If you take the barycenter of all the single points of failure, you will discover that in most of the cases:
- in peace time it is the Parliament, because major decisions are taken there. Example: the anti-spam law, right now, in the USA, which is a major threat to many countries' economies by legalizing bandwidth-consuming mailing. And you use a Police to protect the Parliament. This is not the case we consider.
- in time of crisis, it is one single person (too fast to ask for a law). And the real decision maker is the person next to him. This is why military HQs are potentially everywhere. They are where a decision is required, in front of a weakness, at a critical time. The army is the tool to land the decision maker at the single point of failure to reduce it.
jfc