Security Product Trust Demands Laboratory Test and Evaluation
National Security Agency promotes information technology trials through protection profiles, flexible common criteria.
Uncertainty surrounding a patchwork of commercial information security products hurriedly placed in use on U.S. Defense Department computers and networks is reshaping policy. Successful test and evaluation of these products in specified laboratories will soon become a prerequisite for procurement by military services and defense agencies.
As evaluation policy emerges, the National Security Agency (NSA) is embarking separately on a major long-term program to modernize the inventory of high-grade cryptographic devices. The new cryptography will exploit technology to keep pace with modern communications as bandwidth applications change.
Driving the policy change is the unconstrained acquisition process that now exists within the Defense Department. There is no requirement to purchase only evaluated security products. However, a policy is emerging that will obligate those in the national security community to begin buying information products that have undergone evaluation, according to the NSA’s Michael J. Jacobs. He is the agency’s deputy director for information systems security.
Jacobs maintains that competent independent security testing is necessary to design, build, market, procure or employ commercially available products and systems that will achieve any level of confidence. While not easy and not inexpensive, testing to a specific set of international common criteria clearly will add value to products for both government and commercial markets.
In an interview at the NSA’s Fort Meade, Maryland, headquarters, Jacobs observes that this policy should help encourage vendors to submit their products for evaluation to one of eight qualified commercial laboratories. The laboratories are part of the National Information Assurance Partnership (NIAP), a government initiative designed to meet security testing needs of both information technology producers and customers.
NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the NSA. This program fosters objective measures and test methods for evaluating information technology. NIAP’s plan is based on promoting development of a new commercial security testing and evaluation industry. The program opens security testing and evaluation to competition, widens testing choices and alternatives, and is expected to lower testing costs.
While not available in large numbers in all categories, products evaluated by these security testing laboratories generally are available in areas such as operating systems, firewalls and intrusion detection sensors, Jacobs states. However, many of the products evaluated only a year or so ago are already being replaced in the market by more advanced versions, which are quite different and could need laboratory re-evaluation.
Jacobs asserts that marketing information on a wide range of commercial products gives the impression that they provide specific levels of security, so customers are “a bit confused.” Customers are buying products through the Defense Department such as operating systems that have never been evaluated in a laboratory and could have holes in them. “The desire to improve and maintain functions in the network environment drives customers to procure new generations of products. Frequently, security is an afterthought,” he points out.
Customers can depend on independent third-party testing as a way to ensure conformance to their security requirements, enhancing confidence. Rapid changes in information technology, increasing complexity and growing dependence make cost-effective testing a critical element. Jacobs believes the policy of restricting Defense Department procurement to evaluated products “needs to be in place to serve as a pulling mechanism—to instruct the government’s national security users that they must buy tested products.”
Formal testing has long been a principal method of assuring conformance to function, performance reliability or interoperability specifications. Once this new security product evaluation policy is implemented, there will be an initial transition period, Jacobs says. After an interval, the Pentagon will mandate that all security products must first pass a common criteria evaluation before they can be purchased and employed on department computers and networks. The policy is expected to become a magnet, pulling industry toward protection profile testing.
The use of products that have undergone this evaluation helps form the essential underpinnings for ensuring trust in information systems. This trust is at the center of secure operations in a global network environment. An international initiative, the common criteria approach establishes a standard that opens the way to worldwide recognition of evaluation results. Standards for information technology security align and resolve technical differences between Europe, Canada and the United States.
This common criteria structure also provides flexibility in the specification of secure products. Version 2.0 of the common criteria was published in May 1998, taking into account the extensive review and trials of the first version two years earlier. As part of the process, consumers and other parties specify the security functions of a product in terms of protection profiles and independently select an evaluation assurance level (EAL). There are seven levels, each with increasing security test requirements, Jacobs states.
An important tool in building protection profiles is what Jacobs calls a “virtual center,” an information assurance framework forum. Developed in a collaborative effort involving NSA solution architects, customers with requirements, component vendors and commercial integrators, the forum guides development. The framework provides top-level guidance in addition to the specification of essential security features and assurances for products. This process brings producers and consumers together before products are assembled. Once built, the products will better meet the customers’ needs, Jacobs claims.
Meeting bimonthly in two- or four-day sessions, the forum identifies network security needs of U.S. services and agencies. The group also exchanges information on security threats and obtains industry input on state-of-the-art products and practices. Each session is topic specific, Jacobs notes, with industry presentations on products such as firewalls or routers. During the sessions, they also explore policy barriers and training solutions and set standards in network security.
A framework statement from the meeting is used to guide developers and customers in selecting products and classes of products to meet their needs. “The forum’s work implies evaluations of the resulting products, and there is a complementary evaluation program,” Jacobs confirms. The framework establishes the basic concept at the product level, and the NSA produces a protection profile. This profile uses language from the common criteria, an internationally recognized lexicon to describe security robustness in products.
Protection profiles define an implementation-independent set of security requirements and objectives for a category of products or systems. These classifications define products that meet similar consumer needs for information technology security. The profile is intended to be reusable and to define requirements that are known to be useful and effective in meeting identified objectives. As an aid to formulating procurement specifications, profiles support the definition of functional standards.
The NSA no longer uses its Rainbow series of trusted computer system evaluation criteria and its interpretations, which defined levels of trust with ratings identified by designations such as C2 or B1. Each level of trust was built upon the previous level to increase security features of a product. These security features have been pulled into common criteria, international and other relevant security standards. The standards have undergone a six-year process of amalgamation in an international forum, which is continuing, Jacobs says.
An international information security standards agreement cleared up any outstanding issues. As the United States signed the agreement, version 2 of the common criteria, approximately 700 pages of fairly detailed specifications, was approved, Jacobs contends. The agreement established security levels from EAL-1 to EAL-7. Levels EAL-5 and above are for products used in classified systems and are evaluated internally by the NSA. U.S. laboratories are only qualified to evaluate unclassified products.
The customer writes the protection profiles for the laboratory evaluation. However, in many cases, the NSA writes the profiles as the customer for the U.S. government. The vendor then submits the products to federal agencies. Once a product is evaluated against a profile and successfully tested, Jacobs or his NIST colleagues issue a certificate. The product is then made available to any user who wants to buy it, he explains.
“Remember, this is not a classified product and not restricted only to U.S. government use. Anyone who buys the product will benefit from the testing process through a little more confidence, a seal of approval,” Jacobs continues. “When the NSA built and owned the [cryptographic] ‘black boxes,’ the agency may have spent up to 10 years conducting research and development, down to the most minute level,” he contends. “There was huge confidence that this was a strong system. The products now and the evaluation methodologies do not develop the same confidence levels.
“The vendor selects the [evaluation] target for the product. This provides a level of assurance and is better than not having gone through the evaluation, but should not infer our [NSA] guarantee,” Jacobs illustrates. “At a level above the threshold specified for evaluation, problems may later arise for the user. The more stringent the evaluation, the longer it takes and the more it costs. The vendor must decide on the market for the product, along with a price that both the market and shareholders will support,” he maintains.
The Rainbow series once dominated U.S. security, while the information technology security evaluation criteria (ITSEC) dominated in Europe, Canada and elsewhere in the world. U.S. vendors often found it difficult to place their products, even though they might have been U.S.-certified, in those markets without duplicate testing. “Vendors wanted one-stop shopping, which would address the evaluation requirements of European customers, to avoid a time-consuming, expensive process,” Jacobs suggests.
Having products evaluated twice was a market inhibitor, not only for U.S. vendors but also for European and Canadian companies seeking a market here, Jacobs reveals. As a result, in October 1998, five nations convened an information security conference in Washington, D.C., and signed a mutual recognition agreement. The United States, Canada, the United Kingdom, France and Germany agreed to recognize each other’s laboratory security evaluations, placing products from the laboratories on consistent and consolidated lists. Since then, Australia and New Zealand have joined, and the Netherlands is preparing to become a member. Other nations such as Japan, South Korea and Israel might also become members.
Jacobs makes it clear that the NSA is changing, moving from hardware-only product development to a mixed environment. Hardware design and product development will continue, he adds, but the agency increasingly works with commercial vendors to improve the security integrity of their products. “We also work with the customer [user] to blend modern technology with the security enhancements that the NSA can incorporate in systems and networks.” Meanwhile, the agency will continue to provide traditional types of hardware and software cryptography at the system level.
“We also must modernize the NSA’s inventory of high-grade cryptographic devices to meet modern communications requirements,” Jacobs points out. He adds that a program will begin this year to design, develop and field over the next decade cryptographic equipment to replace “virtually everything in the inventory.” A small funding planning wedge is in the fiscal year 2000 budget to begin cryptographic replacement in a new communications environment.
Jacobs relates that the cryptographic replacement plan is part of a normal business cycle. This cycle, which occurs every decade, includes replacing equipment that is no longer user friendly and that is difficult and time consuming to operate. As an example, the NSA produced and distributed more than 30,000 cryptographic devices last year on traditional contracts. Over the past five years, more than 200,000 cryptographic devices have been produced and delivered, he states.
As in the past, “security brings with it certain overhead costs, some in terms of dollars, some in functions. There will always be some overhead to assure that a system is secure,” he asserts. Even though the NSA has a monopoly in cryptography, the agency also seeks to reach out to customers who may have misplaced confidence in technology.
Many factors are converging—technology, threat environment and awareness of the customer—to make it a good time to be in the security business, Jacobs emphasizes. Today’s threats are often in the headlines and are well known. In a network environment, intrusions are common. The intrusions, however, are not just in government networks. Because of this, a higher market demand for security services and a parallel higher awareness of vulnerabilities exist.
In addition, resource limitations must be addressed, Jacobs comments. Not enough funding is available to put all of the desired security features into products and systems, so it becomes a matter of choosing the most important functions, the most important technology to pursue. Therefore, the NSA is involved in private industry initiatives that are often product specific. It is also working on a series of internal activities to begin developing the next generation of cryptographic devices, which could be software. And while this process continues, the agency is producing standard cryptographic devices.
At its core, the cryptographic process remains much the same as in the past. It is an art form as much as it is science, converting plain text digits into ciphers in the most efficient way, Jacobs explains. “There are many different types of cryptographic algorithms employed, depending on speed and type of communications involved. The key is in the bit length, which deals with the strength of the underlying cryptography and resulting cipher.
“Over time, we must continue to expand the bit length, the strength quotient. Everything has a finite end; a bit length, once relatively immune to cryptanalysis, may no longer be immune. As computational power increases, you must stay ahead to be certain the system cannot be overwhelmed,” Jacobs relates. “We are confident in government-produced cryptographic systems and their algorithms. We work hard to ensure that high-grade systems stay ahead of the curve.”
However, Jacobs continues, this requires a lot of customer discipline in the proper use of a system. Awareness is a command function, and increasingly it is becoming more important. There are more components in today’s protected systems. In the past, cryptographic devices were simply installed in a turnkey fashion on communications systems and began operating. Today, networks begin at the desktop, involving operating systems, routers and firewalls. While the cryptographic black box might be secure, vulnerability could lurk somewhere else in the network, he insists.
To a great extent, security depends on system configuration. If a change is made to a port setting on a firewall, as an example, this act could invalidate the security and integrity of the system, Jacobs remarks. “There is a higher risk that technology dynamics and system configurations will invalidate security features certified the day before,” he adds. “This implies a greater burden than ever on the user.
“Security components are technology, procedure and personnel. We have the technology, but procedures may not be properly implemented even when fully developed and deployed, and the person is the essential element in security,” Jacobs reports. “Defense Department angst is making information assurance a very high priority.
“With 2,000 Information Systems Security Organization employees, most with more than 15 years’ experience, the NSA is running very hard. The agency is keeping pace with the customer, making certain that new technology, procedures and training evolve to address the more nontraditional network environment. Simultaneously, the agency is keeping pace with traditional security requirements,” Jacobs comments.
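Jacobs’ point that a single configuration change, such as a firewall port setting, can silently invalidate a certified state is the kind of thing a defender wants to detect rather than discover after the fact. The following is an added example, not code from the article or from the NSA: it fingerprints a firewall ruleset as it was when certified, normalizes away cosmetic edits (comments, spacing) so only substantive changes register, and reports which rules were added, removed or reordered. The rule syntax and the sample rulesets are constructed for illustration and do not correspond to any real firewall product.

```python
from __future__ import annotations

import hashlib

# Constructed sample: the ruleset as it was certified (baseline) and the ruleset
# as it is running now, after an operator widened the source range on the SSH rule.
# The rule format is hypothetical; substitute your own device's export format.
BASELINE_RULES = """\
# certified 2000-01-01 (constructed example)
allow tcp 10.0.0.0/8 -> 10.1.1.5 port 443
allow tcp 10.0.0.0/8 -> 10.1.1.7 port 22
deny  any any -> any port any
"""

RUNNING_RULES = """\
allow tcp 10.0.0.0/8 -> 10.1.1.5 port 443
allow tcp 0.0.0.0/0  -> 10.1.1.7 port 22
deny any any -> any port any
"""


def normalize(ruleset: str) -> list[str]:
    """Drop comments and blank lines and collapse whitespace.

    Cosmetic edits (re-indenting, adding a comment) must not look like drift;
    only the effective rules, in their original order, are kept.
    """
    rules = []
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(" ".join(line.split()))
    return rules


def fingerprint(ruleset: str) -> str:
    """Order-sensitive SHA-256 of the normalized rules.

    Order is part of the fingerprint because most firewalls apply the first
    matching rule, so swapping two rules changes behaviour even when the set
    of rules is unchanged.
    """
    canonical = "\n".join(normalize(ruleset)).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def drift(baseline: str, running: str) -> dict:
    """Compare a running ruleset against the certified baseline.

    Returns whether the certified state still holds and, if not, which rules
    were removed, which were added, and whether the only change is ordering.
    """
    base, run = normalize(baseline), normalize(running)
    removed = [r for r in base if r not in run]
    added = [r for r in run if r not in base]
    return {
        "certified": base == run,
        "removed": removed,
        "added": added,
        "reordered": base != run and not removed and not added,
    }


def report(baseline: str, running: str) -> str:
    """Human-readable summary for an operator or an audit log."""
    d = drift(baseline, running)
    if d["certified"]:
        return "OK: running configuration matches certified baseline " + fingerprint(baseline)[:16]
    lines = ["DRIFT: running configuration no longer matches certified baseline"]
    lines += ["  removed: " + r for r in d["removed"]]
    lines += ["  added:   " + r for r in d["added"]]
    if d["reordered"]:
        lines.append("  rules reordered (same rules, different precedence)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_RULES, RUNNING_RULES))
```

Run against the constructed samples, the report flags the SSH rule whose source was widened from 10.0.0.0/8 to 0.0.0.0/0 while ignoring the removed comment and changed spacing on the deny rule; in practice the baseline fingerprint would be recorded at certification time and the comparison run on every configuration push.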
The NSA recognizes that in a rapidly evolving world of information technology and connectivity, we can neither stand still nor go it alone. We can only provide workable solutions by government, industry and academia striving together to develop and implement solutions, Jacobs concludes.