Trade-offs characterize security solutions in the dynamic networked era.
Balancing function against security may prove to be the tightrope act that determines the future of information assurance. Government and commercial experts are weighing the convenience and capabilities of new technologies against their vulnerability to the burgeoning threat from all corners of cyberspace.
Complicating these experts’ efforts is the proliferation of security products in a field that only now is developing firm commercial standards. Many network managers are not trained to incorporate security as a basic element defining their system operations. And above all looms the multitude of threats, from hackers to foreign military cybersaboteurs.
“Never in my 37 years in this business have I seen the interest and awareness level as high as it is today,” declares Michael J. Jacobs, director, Information Assurance Directorate, National Security Agency (NSA). “The recognition of what often had been viewed as the purview of intelligence and military folks—a black art—has all of a sudden burst into the public consciousness in a way that is both alarming and gratifying. It’s frightening because the ability of the system to respond to that growing demand simply is not there yet, either in the commercial sector or the government.”
Technology driven by the emergence of the Internet is generating the customer demand, he states. This Internet technology explosion brought so much functionality so quickly that, from a security perspective, both the government and the commercial sector are lagging in the struggle to keep pace.
“In virtually every sector of the economy, there are probes occurring from people in the so-called hacker community,” Jacobs charges. “The Internet is a 500-million-person party line.”
Jacobs offers that the biggest challenge facing the NSA, as well as any large organization, is to maintain a safe and secure environment in a networked world. With the NSA serving as a provider of technology and solutions to the government national security community, the agency must deal with this network security challenge both as a supplier and a customer.
“This involves getting these widely proliferating commercial technologies that have a very rapid rollover into a position where they can provide the customer with adequate security,” he declares.
This situation contrasts with the NSA’s past efforts in which it would examine a department’s or agency’s government-designed communications and information management systems. Many of these systems were unique to a particular government organization, and the NSA would work with the system’s designer or developer to produce a cryptographic security solution—the black box that would be installed within the system to provide “a virtual guarantee” of security, Jacobs notes. This box’s development and integration would encompass a long period of time, and it would stay in use for as long as 20 years.
Now, customers may be using technology that the NSA does not own. The agency does not have easy access to a system’s designer; the system may be a customization of a commercial system; and NSA experts may not be able to easily grasp the intricacies of both the hardware and the software. This complexity and variety, coupled with an ever-changing environment, make “any declarations about security” even more difficult to obtain than in the past, Jacobs allows.
The information security threat picture remains fairly broad. At one end is the international hacker community, many members of which simply seek the challenge of overcoming security products as they hit the market. Avenues of entry also may include connections that should not have been made by well-intentioned system administrators, or ports that were left open on otherwise robust firewalls. The typical calling card is a defaced World Wide Web page.
This type of hacker activity is generating a substantial amount of important data for users, Jacobs notes. Users are learning that the technology has many weaknesses that can be exploited to the user’s detriment.
Other hackers may have more malicious motives. They may be targeting specific companies or organizations to cause embarrassment or even denial of service. These activities can prevent the victim from engaging in normal online business for hours or even days. “While individually these are not terribly significant, collectively they are becoming a serious problem,” Jacobs warns. “This is true not just for the government but also for the general user community.” Millions of probes occur annually, and some lead to successful attacks.
However, a vast network is being deployed to create the capabilities necessary to blunt these types of hacker activities, Jacobs discloses. It is both “expensive and manpower intensive,” he adds. This network includes intrusion detection systems and internal computer emergency response teams.
At the other end of the information security threat are foreign intelligence services. These cyberattackers may be engaging in the same activities as the common hackers, but they are not announcing their presence, let alone their successes. Instead of targeting for vandalism, these foreign intelligence experts are conducting extensive studies of information networks and systems surreptitiously. As a result, there is no empirical data that specifies how open the government may be to repeated and successful foreign intelligence service attacks. “They are going to work very hard to stay below your threshold of detection, and you may never know they are there,” Jacobs allows. “It’s happening, but we’re not seeing it.”
Above all, Jacobs offers, the greatest challenge facing security experts is the knowledgeable insider. A disgruntled employee with knowledge of a system can bring it to a crashing halt. Jacobs relates that many examples exist in which employees left digital time bombs to bring down systems long after the employees’ departures. Other disgruntled insiders may rig systems to quietly divert small sums of money autonomously into personal accounts, which will add up to a large total over time.
Threats also can menace a system when its owners and operators incorporate untested software and hardware. Unverified product claims can prove costly to the user, especially when “the demand curve is up relative to the awareness curve” on new technologies, Jacobs reiterates.
The NSA’s general security strategy comprises five basic elements, according to Jacobs. First is maintaining a state of awareness that involves consistent understanding of the nature of the threat, the risks in the operating environment and the vulnerabilities. Accordingly, solid education and training programs are a must, both within agencies and across the spectrum of academia. These programs will train individuals and help develop the skills necessary for managing information systems with security in mind. About 23 schools in the United States have been certified as NSA centers of academic excellence in information security education, and some of these offer doctorates in this discipline.
The second strategy involves the agency continuing its longtime activity of developing and fielding government cryptographic systems. It will remain a source of strong cryptography for use both within the national security community and elsewhere in government, Jacobs maintains.
A relatively new activity is working with the security vendor community to evolve effective, security-enabled commercial technology. A key component of this effort is the National Information Assurance Partnership, or NIAP (see box below).
A fourth strategy element entails the design, development and operation of a robust security, or key, management infrastructure. This would include the design and development of keying material generation and distribution capabilities as well as signature capabilities for public key infrastructure (PKI) systems. Describing this as the glue that holds all the other security pieces together, Jacobs notes that even the best cryptographic systems require a trusted source for the periodically changing keying material.
The final strategy is to create a defensive information operations capability that provides products for network security as well as maintains an awareness and oversight of ongoing activities within national security networks. Properly established, this capability would permit detection of an attack while it is underway. It also would enable appropriate reaction and response to the attack. “This is a new mission area,” Jacobs emphasizes, “but the 500-million-person party line creates a different set of different situations.” The emerging operational component pulls in information from all the military services to make sense of what is taking place on networks for possible deployment of countermeasures.
Achieving information security today depends heavily on the human element, and Jacobs worries that the United States may not have a sufficient number of properly trained people to manage system security. These experts must be able to determine when a system is threatened or under attack, and they must be able to react and respond accordingly. “The cadre of people we need to do that job is terribly limited today,” he warns. “Without people to administer and manage [security], it will not happen.”
The personnel shortage in the information technology sector may be several hundred thousand people, Jacobs offers. Each of these positions should have some security component inherent in it, especially for system administrators and network managers. “It’s pretty bad, and the turnover also is pretty difficult,” he warns. The shortage may be alleviated somewhat by the re-entry of thousands of information technology workers into the job marketplace following the drawdowns and shutdowns among many high-technology companies.
A related concern is the outsourcing of information technology activities now taking place across the breadth of the commercial sector. Many Fortune 500 companies are outsourcing this work, which increases the complexity of the personnel issue.
Another problem is that the focus on system administration and network management tends toward functionality, with less emphasis on security. The two disciplines are not necessarily complementary, Jacobs notes, and managers frequently must sacrifice functionality to achieve security.
In the technology arena, Jacobs states that the commercial sector cannot provide sufficient security solutions for the NSA’s constituency in government. “The needs of the national security community may not be easily met by the technology coming out of the commercial environment that is aimed at a more generalized market.”
Jacobs continues that the bulk of commercial security technology falls into one of three categories. The first involves commercial products that are specifically designed and built for security purposes. These can include commercial cryptography and firewalls, for example, and they are designed for security alone.
The second category encompasses products that are security-enabled. These involve bundled products, such as desktop services, that may include certain cryptographic features. The third category includes security-relevant products that may be important to a system in a security sense regardless of whether they even have a security feature. These products include operating systems.
Companies that design and market security systems tend to focus their development activities on functionality requirements and time-to-market. This creates considerable stress in the system, Jacobs charges. “You have 25 firewall vendors out there, and each one of them is attempting to build the greatest firewall product known to man and get it to market the quickest because in that particular technology area the turnover is occurring every 18 to 24 months. That’s a fairly rapid turnover, and it creates some very real stresses.”
Jacobs is calling for a technology base that will encourage the design, development and creation of security software products and associated underlying code that are “very structured and verifiable.” He cites a need for efficient and understandable formal methods that easily permit independent evaluation of the software products. This approach also would permit “consistent and informed statements” to be made about the nature of a product and its performance. It is vital that security software is positioned to be legitimately and consistently evaluated, he says, adding that “we are not there today.”
International Commercial Cooperation Hallmarks Future Security
One element of security that must emerge more quickly, according to the National Security Agency’s (NSA’s) Michael J. Jacobs, is a methodology for independent third-party testing of commercial information assurance technologies against commonly accepted standards. Within the past year, a multinational collaboration to develop a body of standards has evolved into an international standards organization. In the United States these standards are known as the Common Criteria.
Several nations, including the United States, some of its North Atlantic Treaty Organization allies and Australia and New Zealand, have signed a mutual recognition arrangement to serve as producing nations under that standard. These nations also are creating third-party evaluation processes to be carried out by commercial laboratories. The U.S. program is known as the National Information Assurance Partnership, or NIAP (SIGNAL, April 2000, page 51). Partnering with the NSA is the National Institute of Standards and Technology (NIST), which focuses on non-national-security U.S. government systems. This partnership has evaluated and certified five laboratories, and another eight facilities are being evaluated.
The effort will help empower security customers to make informed decisions. A firewall vendor, for example, can examine the government’s firewall requirements in a protection profile document. Several different NSA protection profiles already have been published to define firewall security characteristics, Jacobs notes, and these profiles help establish security levels. The prospective vendor can determine which protection profile best matches the firewall’s market, and one of the laboratories can verify the firewall’s claim using the profile. The degree of security offered by the firewall also can be quantified by its corresponding profile.
This process can be applied to firewalls, routers, operating systems, intrusion detection systems, smart cards and other security technologies. More than 20 products already have passed muster under the profile program, and another two dozen products are being evaluated, Jacobs relates. Certification extends across national borders among the other signatories of the Common Criteria agreement, so a vendor need not seek certification separately in each nation.
Beginning in July 2002, members of the U.S. national security community may buy only evaluated products. Information technology will be subject to the Common Criteria; commercial cryptography must meet Federal Information Processing Standard 140-1, and other items will be evaluated by the NSA.