
U.S. military plans mandatory cyberdefense



ARLINGTON, VA. - The Pentagon wants to mandate application and network security services for the military, and later this summer plans to issue guidelines that the Army, Navy, Air Force and Marines will need to follow to protect Web-based resources from cyberattacks.

The Defense Department recently told military brass that computer network defense will be mandatory. It will propose guidelines on use of firewall, intrusion-detection and antivirus technologies that it wants deployed across its sprawling global networks that include three million users at 1,500 locations. The mandate means commercial security products and managed security service providers will have to pass muster by undergoing security certification by the Defense Department. Such certification could force enterprise-class security vendors to improve their wares and could help ease companies' fears about outsourcing sensitive security duties to service providers.

"We want to issue these criteria in the next two months and then institute a process for accrediting commercial or government entities for computer network defense," says Col. Larry Huffman, commander at the Defense Information Systems Agency's Global Network Operations Security Center, which works with Carnegie Mellon's CERT Coordination Center to assess network threats that could affect national security. CERT, which is funded primarily by the Defense Department, provides security alerts related to denial of service, computer viruses and software vulnerabilities.

The Pentagon is working with CERT to define these security requirements. However, some providers of managed security services are concerned about CERT's extremely influential role in shaping national cyberdefense.

"They're an academic-based organization and not very hands-on," says Paul Robertson, director of risk assessment at TruSecure of Reston, Va., which offers managed security services and security equipment testing. CERT is "good at incident response and collecting information, but hands-on security stuff is outside their purview."

OneSecure, which offers managed security services based on integrating Check Point, NetScreen and Cisco products for firewall and intrusion-detection management at its Sunnyvale, Calif., data center, isn't eager to line up for Defense Department inspection.

"I'm not sure CERT is good at intrusion-detection technologies," says Nir Zuk, OneSecure's CTO, though he adds that the OneSecure staff were all trained in incident response at CERT.

"We're not sure the Defense Department always knows what's best or what's the best idea," says Zuk, formerly a research engineer with Check Point and once a software director in the Israeli military. "It depends on what their rules are. When the Defense Department issues their guidelines, we will take a look at them."

From the Pentagon's point of view, there's a growing need to see security measures deployed uniformly by trusted parties. Earlier this year the Defense Department said it was developing a policy that would mandate use of intrusion-detection systems in all military networks.

Potential cyberthreats - such as the week-long Chinese hacker campaign earlier this month to try to break into U.S. government Web sites - have the Pentagon worried.

During the China hacker campaign, the military "saw two million probes and scans from a China source," Huffman says.

The expected massive denial-of-service attack from China never materialized - although the White House Web site was blitzed for a few hours by a strong denial-of-service attack from an unknown source. Given the fact that these attacks can occur anytime from anywhere, the Defense Department thinks the time has come to mandate uniform security requirements across the services. "We must have mandates to ensure security," Huffman says.


Contact Senior Editor Ellen Messmer


Copyright, 1994-2006 Network World, Inc. All rights reserved.