28 July 1998
Source: Richard Lardner, Defense Information and Electronics Report
Issue: Volume 3, No. 28
The explosion of the commercial information security business has presented
the federal government with major opportunities as well as some real problems.
On the one hand, the large number of readily available infosec products
has created a buyer's market. On the other hand, federal buyers must beware.
That is, how can government customers be sure what they're getting will perform
as advertised?
Mike Jacobs, the National Security Agency's deputy director of information
systems security, has a plan to begin solving this problem, and it starts
with the recently created National Information Assurance Partnership. The
NIAP, a joint NSA/National Institute of Standards and Technology effort,
will oversee the accreditation of commercial laboratories that will evaluate
the quality of U.S.-made security products.
The NIAP, however, is but one component of a sturdy framework envisioned
by Jacobs, a framework that will provide government managers with the policies
and guidelines they need to make informed infosec purchasing decisions.
"The market is extraordinarily dynamic right now; there are many, many companies
out there competing for pieces of the router market, pieces of the operating
system market, pieces of the desktop security market, all offering security
features of a variety of types," Jacobs told Defense Information and Electronics
Report during a June 24 interview.
"The biggest difficulty we have is looking at all of those ranges of products.
So our strategy says we've got to have some way of taking commercial products
and working them off through an acceptable process that will provide, for
government use, products that meet certain standards."
NIAP labs will use the international Common Criteria security standards,
which will replace DOD's Trusted Computer System Evaluation Criteria. Ideally,
at some point in the future Jacobs envisions a system wherein government
managers would require that all security-related commercial products they
buy conform to these new standards.
"Therefore, if you as vendor want to sell desktop security systems to me
as a government agency . . . my policy says I will only accept for use in
this agency desktop security systems that meet [certain] Common Criteria
[evaluation assurance levels]," Jacobs said.
"The customer chooses what his security requirements are. That would then
obligate you as the vendor to put your product through one of the laboratories.
The laboratories' responsibility is to evaluate your product against your
vendor claims and the Common Criteria. The equation is going to say whether
or not you satisfy that level or don't. If you do, the product goes on the
list. Then [I] as a purchaser can go to that list and say I need a desktop
security feature, a firewall, a router, or whatever: Here's what's been through
the NIAP process, and is commercially available for me to acquire," he
said.
"I can go out and acquire that, and it satisfies the policy objectives of
the agency in question, it satisfies the overall government objectives to
have reasonable standards for security devices used within the government,"
added Jacobs, a 34-year NSA veteran. "And it seems to me it also satisfies
the commercial market's desires to have access to the government market,
but in a reasonable way.
"If we allowed unconstrained acquisition of anything that's out there, there's
no assurance that vendor A's product is going to provide the security I need.
There is a need to assure some discipline in our thinking when we're going
through an acquisition process. There is a need to assure some discipline
in our thinking as we decide what our security profile needs to be. And all
that together, with the foundation provided by the NIAP, is a starting
point."
During the hour-long interview, Jacobs also discussed the potential for
commercial infosec products to be used to protect classified government
information. Typically, NSA requires that government solutions be used to
guard secret data. But Jacobs said times are changing.
"I don't think there's a line in concrete at this point in time," he said.
"I think our basic strategy is -- in working with the private sector and
those developing commercial products -- to raise the bar, if you will, of
those commercial products."
It is likely there are some commercial products that, if approved through
the NIAP process, could be used in networks that process classified information,
Jacobs said. "That's possible. But we won't know that until we've seen it.
Right now we haven't seen it."
As an example, Jacobs noted that commercial firewalls would not be used between
classified and non-classified networks. But, said Jacobs, "let's take that
same firewall and look at it in a totally classified network . . . where you
want to separate certain components within the classified network. Your entire
enclave is system high, and your connections are also at the same classification.
That product may be useable in that configuration.
"It's no longer simple enough to say 'Here's a device that will protect your
communications.' In the days when I had point-to-point or netted communications
. . . it really didn't matter what path I took because it was encrypted at
my end and you were decrypting at your end, we had protection. Those days
are gone," Jacobs said.
"I'm sitting on a network that is essentially global, it's divided by communities
of interest, it's divided by classification in the case of the government.
I've got to have other types of features I can put into that system to provide
overall security. So I'm not just going to give you a device. What we need
to be capable of giving you as a government user is an overall system profile,"
he said.
"You tell me what your system looks like and what you require of it in the
way of protection. I assess what components you've got. Now commercial products
come in through the NIAP process, that's going to solve part of your problem.
Government solutions will solve other parts of the problem.
"So I need to be capable of looking at your system at a system level, and
[then] give you the best products available to satisfy each of the [applications]
within your network system that requires security features."
Richard Clarke, the president's senior director and national coordinator
for security, critical infrastructure and counter-terrorism, said this week
that a system similar to the one described by Jacobs would go a long way
toward convincing the private sector to work more closely with government
in developing ways to protect the nation's information infrastructure. The
data sharing process called for in the NIAP, Clarke believes, would lay the
groundwork for the public-private partnership called for by presidential
decision directive 63.
© Inside Washington Publishers