Congress: Tighten IT security


WASHINGTON, D.C. - Prompted by last year's terrorist attacks, momentum is building on Capitol Hill to expand the role of the National Institute of Standards and Technology in establishing IT security standards and best practices. But the prospect is raising concerns in some circles.

Four bills are pending in the House and Senate that would double or triple the annual funding of NIST's Computer Security Division. One of these bills, the Cybersecurity Research and Development Act, passed the House with overwhelming support.

After Sept. 11, the House Science Committee held hearings on the cyberterrorist threat and the lack of a coordinated U.S. response. The hearings focused on the need for more research and targeted NIST for much of the money. Other committees have focused on tightening the security of federal IT systems, which NIST oversees for all but national security systems. Lawmakers believe NIST needs "teeth" to be able to put more pressure on federal agencies.

While applauding the Hill's new focus on cybersecurity, industry trade groups and network security vendors worry that NIST could get too involved in determining the features of network security products. Any new certification processes from NIST could slow the delivery of new products and make them more expensive for corporate buyers, industry observers say.

"While we strongly support the intent of these bills that call on NIST to develop security standards, we're concerned that this could migrate into the government determining product standards," says Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance (BSA). BSA is a lobbying group that includes IBM, Network Associates and Novell.

"We want to make sure that NIST creates a floor [for network security products], not a ceiling," Correa says.

NIST, an arm of the U.S. Commerce Department, already exerts major influence by selecting cryptography standards and reviewing the security of IT products and systems that the federal government buys. Many network vendors - including Check Point Software, Cisco, CyberGuard, Entrust, Network Associates, Lucent and Oracle - have had their products certified that they meet NIST requirements.

Vendors say any new security requirements they must meet for the federal market will likely have a ripple effect on commercial offerings, even though NIST's guidelines are voluntary for corporate IT buyers.

"If NIST is going to get more involved in security standards, it will help vendors to be NIST-certified in commercial accounts," says Tom McDonough, CEO of CyberWolf Technologies, which sells enterprise security management software.

Located in Gaithersburg, Md., NIST's Computer Security Division consists of 45 technologists and has an annual budget of $10 million.

The division selects cryptographic standards and runs a testing program to ensure IT products apply these standards correctly. The division conducts research in IT security and offers advice to federal IT buyers about evaluating system security.

The division accredits private laboratories to test the security of IT products such as firewalls, intrusion-detection systems and database software under a program called Common Criteria. Common Criteria evaluations will be mandatory for U.S. national security systems purchased after July 1.

"We get this question a lot about how our role is changing post-Sept. 11," says Edward Roback, NIST computer security division chief. "What we like to say is that we're turning up the intensity."

One of NIST's ongoing efforts is updating existing guidelines for how federal IT managers should assess the security of a major IT system. NIST also is establishing an accreditation program for private-sector organizations that conduct IT security reviews.

NIST works with the U.S. National Security Agency (NSA) to create recommended security targets for various classes of IT products. Since Sept. 11, NIST and NSA have stepped up their efforts to create security targets for 10 key technology areas, including operating systems, VPNs and smart cards. Private laboratories validate whether specific products meet these targets.

Some network security vendors embrace the idea of NIST creating security targets for additional classes of IT products.

"I'd like to see NIST getting more money to develop security targets for other products, including security management platforms like CyberWolf's," says Juanita Koilpillai, chairman of CyberWolf. Users of CyberWolf's software, which coordinates information from intrusion-detection, firewall and network management systems, include the Department of Defense and the Federal Emergency Management Agency.

"One of the things our government customers look for is who has tested the software and how it's been evaluated," Koilpillai says. "If NIST has more funding, it will make it easier for the vendors to get certified."

Steve Bellovin, a computer security expert with AT&T Labs and one of the directors of the Internet Engineering Task Force's Security Area, says NIST does a good job of developing cryptographic standards and could use extra resources to speed its work and keep its processes open.

"I don't think anybody else is quite in the position to do some of these things," Bellovin says. "There's a limited amount of expertise in the world to design cryptographic algorithms."

However, Bellovin says NIST doesn't have a good track record in establishing broader IT security standards. As evidence, he points to the lack of industry support for NIST's Common Criteria program and its predecessor, the Orange Book.

"The problem that's inherent to this class of standard is that the evaluation process is time-consuming and expensive," Bellovin says. "Orange Book-evaluated systems were a lot more expensive and one or two years late. . . . Common Criteria is doing better because there are more testing labs, but it's still a lengthy evaluation process."

Bellovin says to improve cybersecurity, vendors need to take an architectural approach to designing security into their products - something that NIST can't test.

"The two biggest issues in security are buggy code and total system architecture," Bellovin says. "If Common Criteria requires more discipline in development and results in less buggy code, that's great. But it's not going to solve the architectural failures. We just don't know how to do that yet."


Contact Senior Editor Carolyn Duffy Marsan
