Federal computer security concerns.

"The inherent ability of current computer systems to protect themselves and their data is appallingly low," says Robert L. Brotzman, director of the federal government's computer security center in Fort George G. Meade, Md. "Computer security requires a fundamental change in the way industry designs and builds computers," adds Col. Joseph S. Greene Jr., the center's deputy director. These remarks, made last week at the National Computer Security Conference in Gaithersburg, Md., reflect one major concern among officials responsible for ensuring that all federal computer systems adequately protect data. With the rapid growth of computer networks, information systems are "more vulnerable today than they were four years ago," says Greene. "Without a major initiative ... The existing and future inventory will remain largely vulnerable to attack, at least through the next decade." A recent survey of 17,000 computers in the Department of Defense (DOD) shows that at least half need stricter controls on access. Yet there are only three properly certified, commercially available products that DOD can use to upgrade the systems, and these work on fewer than 400 of DOD's machines. The report also notes that, in general, the government lags behind the private sector in adding on security measures, even when they are available.
Furthermore, a subcommittee reporting to the National Security Council recently concluded that the federal government's present approach to computer security is "fragmented and somewhat inconsistent." It also found that the lack of a clear policy "does little to convince industry to respond to the government's computer security needs." To help bring some order into a chaotic situation, last fall President Reagan signed a directive setting up a central organization -- with Cabinet representation -- responsible for government-wide computer security policy. The directive also broadens the government's data protection policy to include "sensitive" but unclassified government and nongovernment information. "With classified information, the systems are secured as necessary to prevent compromise or exploitation," says Lt. Gen. William E. Odom, National Security Agency director. "With regard to other sensitive information, the protection shall be in proportion to the threat and potential damage to the national security," he says. "This policy means that our responsibility for information protection extends across the entire federal government and, in some instances, requires the cooperation of the private sector." Although it isn't clear yet what this policy will mean in practice, some industry executives are worried about the policy's implications. The government has tried to reassure them. "The federal government in no way wants to assume the 'big brother' role with private industry," insists Odom. "Instead, it will actively seek information and advice from the private sector." Government security experts are very interested in promoting awareness of potential computer security problems in business (SN: 4/5/83, p.294).
This would help build a market for "trusted" computer equipment that automatically includes a variety of security features and meets DOD security standards. "Nursing systems that were born weak is only a stop-gap, not a solution," says Brotzman. "We need...to create systems with solid security features designed in from the beginning." The Computer Security Center, originally formed in 1981 to serve DOD (SN: 7/3/82, p.12) and now operating on a national level, is responsible for developing standards, demonstrating which methods work best and doing research that tackles a variety of security problems. "The [research and development] challenge we face is an incredibly difficult one," says Odom. For example, says Greene, "we don't know how to build software that does exactly what it is supposed to do and nothing else." This leaves open the possibility that a computer programmer can sneak in a "Trojan horse"--a hidden program feature that allows the programmer or a knowledgeable user to, say, copy a sensitive file when such an action is normally forbidden. At the computer security meeting, two researchers at the Honeywell Secure Computing
Furthermore, military computer systems shared by many users should be able to handle data that may fall under different security classifications. This introduces sticky problems such as the level of security necessary and feasible for a word processor used to write the unclassified version of a classified report. Researchers are also studying devices like "smart" cards, which incorporate integrated circuits that can store information, to replace or supplement passwords. Employees, for example, would use individualized cards for access to various computers. Each card would automatically record what information was accessed where and when, leaving an "audit trail" that can be checked periodically. The main computer security problems are still "dumb human error" and "casual intrusion," says Dennis K. Branstad of the National Bureau of Standards in Gaithersburg, Md. "The problem has grown in magnitude, but the solutions are becoming available."