Congress: Tighten IT security

WASHINGTON, D.C. - Prompted by last year's terrorist attacks, momentum is building on Capitol Hill to expand the role of the National Institute of Standards and Technology in establishing IT security standards and best practices. But the prospect is raising concerns in some circles.

Four bills are pending in the House and Senate that would double or triple the annual funding of NIST's Computer Security Division. One of these bills, the Cybersecurity Research and Development Act, passed the House with overwhelming support.

After Sept. 11, the House Science Committee held hearings on the cyberterrorist threat and the lack of a coordinated U.S. response. The hearings focused on the need for more research and targeted NIST for much of the money. Other committees have focused on tightening the security of federal IT systems, which NIST oversees for all but national security systems. Lawmakers believe NIST needs "teeth" to be able to put more pressure on federal agencies.

While applauding the Hill's new focus on cybersecurity, industry trade groups and network security vendors worry that NIST could get too involved in determining the features of network security products. Any new certification processes from NIST could slow the delivery of new products and make them more expensive for corporate buyers, industry observers say.

"While we strongly support the intent of these bills that call on NIST to develop security standards, we're concerned that this could migrate into the government determining product standards," says Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance (BSA). BSA is a lobbying group that includes IBM, Network Associates and Novell.

"We want to make sure that NIST creates a floor [for network security products], not a ceiling," Correa says.

NIST, an arm of the U.S. Commerce Department, already exerts major influence by selecting cryptography standards and reviewing the security of IT products and systems that the federal government buys. Many network vendors - including Check Point Software, Cisco, CyberGuard, Entrust, Network Associates, Lucent and Oracle - have had products certified as meeting NIST requirements.

Vendors say any new security requirements they must meet for the federal market will likely have a ripple effect on commercial offerings, even though NIST's guidelines are voluntary for corporate IT buyers.

"If NIST is going to get more involved in security standards, it will help vendors to be NIST-certified in commercial accounts," says Tom McDonough, CEO of CyberWolf Technologies, which sells enterprise security management software.

Located in Gaithersburg, Md., NIST's Computer Security Division consists of 45 technologists and has an annual budget of $10 million.

The division selects cryptographic standards (the FIPS cryptography standards, such as AES and FIPS 140) and runs a validation program that tests whether IT products implement those standards correctly. The division also conducts research in IT security and advises federal IT buyers on evaluating system security.

The division also accredits private laboratories to evaluate the security of IT products such as firewalls, intrusion-detection systems and database software against the Common Criteria, an international evaluation standard (ISO/IEC 15408). Common Criteria evaluations will be mandatory for products used in U.S. national security systems purchased after July 1.

"We get this question a lot about how our role is changing post-Sept. 11," says Edward Roback, NIST computer security division chief. "What we like to say is that we're turning up the intensity."

One of NIST's ongoing efforts is updating existing guidelines for how federal IT managers should assess the security of a major IT system. NIST also is establishing an accreditation program for private-sector organizations that conduct IT security reviews.

NIST works with the U.S. National Security Agency (NSA) to publish recommended security requirements for various classes of IT products. In Common Criteria terminology these class-level requirements are called protection profiles, while the claims a vendor makes for one specific product are that product's security target; the article's sources use "security targets" for both. Since Sept. 11, NIST and NSA have stepped up their efforts to create profiles for 10 key technology areas, including operating systems, VPNs and smart cards. Private laboratories then evaluate whether specific products meet those requirements.

Some network security vendors embrace the idea of NIST creating security targets for additional classes of IT products.

"I'd like to see NIST getting more money to develop security targets for other products, including security management platforms like CyberWolf's," says Juanita Koilpillai, chairman of CyberWolf. Users of CyberWolf's software, which coordinates information from intrusion-detection, firewall and network management systems, include the Department of Defense and the Federal Emergency Management Agency.

"One of the things our government customers look for is who has tested the software and how it's been evaluated," Koilpillai says. "If NIST has more funding, it will make it easier for the vendors to get certified."

Steve Bellovin, a computer security expert with AT&T Labs and one of the directors of the Internet Engineering Task Force's Security Area, says NIST does a good job of developing cryptographic standards and could use extra resources to speed its work and keep its processes open.

"I don't think anybody else is quite in the position to do some of these things," Bellovin says. "There's a limited amount of expertise in the world to design cryptographic algorithms."

However, Bellovin says NIST doesn't have a good track record in establishing broader IT security standards. As evidence, he points to the lack of industry support for the Common Criteria program and its predecessor, the Defense Department's Orange Book (the Trusted Computer System Evaluation Criteria).

"The problem that's inherent to this class of standard is that the evaluation process is time-consuming and expensive," Bellovin says. "Orange Book-evaluated systems were a lot more expensive and one or two years late. . . . Common Criteria is doing better because there are more testing labs, but it's still a lengthy evaluation process."

Bellovin says to improve cybersecurity, vendors need to take an architectural approach to designing security into their products - something that NIST can't test.

"The two biggest issues in security are buggy code and total system architecture," Bellovin says. "If Common Criteria requires more discipline in development and results in less buggy code, that's great. But it's not going to solve the architectural failures. We just don't know how to do that yet."

By Carolyn Duffy Marsan, Senior Editor

RELATED LINKS

NIST Computer Security Resource Center
