28 July 1998
Source: Richard Lardner, Defense Information and Electronics Report

Source: Defense Information and Electronics Report
Issue: Volume 3, No. 28

ELINT -- Defense Electronics Intelligence
Date: July 17, 1998

The explosion of the commercial information security business has presented the federal government with major opportunities as well as some real problems. On the one hand, the large number of readily available infosec products has created a buyer's market. On the other hand, federal buyers must beware. That is, how can government customers be sure that what they're getting will perform as advertised?

Mike Jacobs, the National Security Agency's deputy director of information systems security, has a plan to begin solving this problem, and it starts with the recently created National Information Assurance Partnership. The NIAP, a joint NSA/National Institute of Standards and Technology effort, will oversee the accreditation of commercial laboratories that will evaluate the quality of U.S.-made security products.

The NIAP, however, is but one component of a sturdy framework envisioned by Jacobs, a framework that will provide government managers with the policies and guidelines they need to make informed infosec purchasing decisions.

"The market is extraordinarily dynamic right now; there are many, many companies out there competing for pieces of the router market, pieces of the operating system market, pieces of the desktop security market, all offering security features of a variety of types," Jacobs told Defense Information and Electronics Report during a June 24 interview.

"The biggest difficulty we have is looking at all of those ranges of products. So our strategy says we've got to have some way of taking commercial products and working them off through an acceptable process that will provide, for government use, products that meet certain standards."

NIAP labs will use the international Common Criteria security standards, which will replace DOD's Trusted Computer System Evaluation Criteria. Ideally, at some point in the future Jacobs envisions a system wherein government managers would require that all security-related commercial products they buy conform to these new standards.

"Therefore, if you as vendor want to sell desktop security systems to me as a government agency . . . my policy says I will only accept for use in this agency desktop security systems that meet [certain] Common Criteria [evaluation assurance levels]," Jacobs said.

"The customer chooses what his security requirements are. That would then obligate you as the vendor to put your product through one of the laboratories. The laboratories' responsibility is to evaluate your product against your vendor claims and the Common Criteria. The equation is going to say whether or not you satisfy that level or don't. If you do, the product goes on the list. Then [I] as a purchaser can go to that list and say I need a desktop security feature, a firewall, a router, or whatever: Here's what's been through the NIAP process, and is commercially available for me to acquire," he said.

"I can go out and acquire that, and it satisfies the policy objectives of the agency in question, it satisfies the overall government objectives to have reasonable standards for security devices used within the government," added Jacobs, a 34-year NSA veteran. "And it seems to me it also satisfies the commercial market's desires to have access to the government market, but in a reasonable way.

"If we allowed unconstrained acquisition of anything that's out there, there's no assurance that vendor A's product is going to provide the security I need. There is a need to assure some discipline in our thinking when we're going through an acquisition process. There is a need to assure some discipline in our thinking as we decide what our security profile needs to be. And all that together, with the foundation provided by the NIAP, is a starting point."

During the hour-long interview, Jacobs also discussed the potential for commercial infosec products to be used to protect classified government information. Typically, NSA requires that government solutions be used to guard secret data. But Jacobs said times are changing.

"I don't think there's a line in concrete at this point in time," he said. "I think our basic strategy is -- in working with the private sector and those developing commercial products -- to raise the bar, if you will, of those commercial products."

It is likely there are some commercial products that, if approved through the NIAP process, could be used in networks that process classified information, Jacobs said. "That's possible. But we won't know that until we've seen it. Right now we haven't seen it."

As an example, Jacobs noted that commercial firewalls would not be used between classified and non-classified networks. But, said Jacobs, "let's take that same firewall and look at it in a totally classified network . . . where you want to separate certain components within the classified network. Your entire enclave is system high, and your connections are also at the same classification. That product may be usable in that configuration.

"It's no longer simple enough to say 'Here's a device that will protect your communications.' In the days when I had point-to-point or netted communications . . . it really didn't matter what path I took because it was encrypted at my end and you were decrypting at your end, we had protection. Those days are gone," Jacobs said.

"I'm sitting on a network that is essentially global, it's divided by communities of interest, it's divided by classification in the case of the government. I've got to have other types of features I can put into that system to provide overall security. So I'm not just going to give you a device. What we need to be capable of giving you as a government user is an overall system profile," he said.

"You tell me what your system looks like and what you require of it in the way of protection. I assess what components you've got. Now commercial products come in through the NIAP process, that's going to solve part of your problem. Government solutions will solve other parts of the problem.

"So I need to be capable of looking at your system at a system level, and [then] give you the best products available to satisfy each of the [applications] within your network system that requires security features."

Richard Clarke, the president's senior director and national coordinator for security, critical infrastructure and counter-terrorism, said this week that a system similar to the one described by Jacobs would go a long way toward convincing the private sector to work more closely with government in developing ways to protect the nation's information infrastructure. The data sharing process called for in the NIAP, Clarke believes, would lay the groundwork for the public-private partnership called for by presidential decision directive 63.

© Inside Washington Publishers