Federal computer security concerns.
These remarks, made last week at the National Computer Security Conference in Gaithersburg, Md., reflect one major concern among officials responsible for ensuring that all federal computer systems adequately protect data. With the rapid growth of computer networks, information systems are "more vulnerable today than they were four years ago," says Greene. "Without a major initiative ... The existing and future inventory will remain largely vulnerable to attack, at least through the next decade."
A recent survey of 17,000 computers in the Department of Defense (DOD) shows that at least half need stricter controls on access. Yet there are only three properly certified, commercially available products that DOD can use to upgrade the systems, and these work on fewer than 400 of DOD's machines. The report also notes that, in general, the government lags behind the private sector in adding on security measures, even when they are available.
Furthermore, a subcommittee reporting to the National Security Council recently concluded that the federal government's present approach to computer security is "fragmented and somewhat inconsistent." It also found that the lack of a clear policy "does little to convince industry to respond to the government's computer security needs."
To help bring some order into a chaotic situation, last fall President Reagan signed a directive setting up a central organization -- with Cabinet representation -- responsible for government-wide computer security policy. The directive also broadens the government's data protection policy to include "sensitive" but unclassified government and nongovernment information.
"With classified information, the systems are secured as necessary to prevent compromise or exploitation," says Lt. Gen. William E. Odom, National Security Agency director. "With regard to other sensitive information, the protection shall be in proportion to the threat and potential damage to the national security," he says. "This policy means that our responsibility for information protection extends across the entire federal government and, in some instances, requires the cooperation of the private sector."
Although it isn't clear yet what this policy will mean in practice, some industry executives are worried about the policy's implications. The government has tried to reassure them. "The federal government in no way wants to assume the 'big brother' role with private industry," insists Odom. "Instead, it will actively seek information and advice from the private sector."
Government security experts are very interested in promoting awareness of potential computer security problems in business (SN: 4/5/83, p.294). This would help build a market for "trusted" computer equipment that automatically includes a variety of security features and meets DOD security standards. "Nursing systems that were born weak is only a stop-gap, not a solution," says Brotzman. "We need...to create systems with solid security features designed in from the beginning."
The Computer Security Center, originally formed in 1981 to serve DOD (SN: 7/3/82, p.12) and now operating on a national level, is responsible for developing standards, demonstrating which methods work best and doing research that tackles a variety of security problems. "The [research and development] challenge we face is an incredibly difficult one," says Odom.
For example, says Greene, "we don't know how to build software that does exactly what it is supposed to do and nothing else." This leaves open the possibility that a computer programmer can sneak in a "Trojan horse"--a hidden program feature that allows the programmer or a knowledgeable user to, say, copy a sensitive file when such an action is normally forbidden. At the computer security meeting, two researchers at the Honeywell Secure Computing Technology Center in Minneapolis described a partial solution to the "Trojan horse" problem in a new, complex computer being designed with DOD's security needs in mind.
Furthermore, military computer systems shared by many users should be able to handle data that may fall under different security classifications. This introduces sticky problems such as the level of security necessary and feasible for a word processor used to write the unclassified version of a classified report.
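The two problems just described, a hidden program feature copying a sensitive file and a shared system holding data at several classification levels, are both what mandatory access control over classification labels is meant to contain. The following is an added illustration, not code from the article or from the Honeywell or DOD work it mentions: it implements the classic Bell-LaPadula rules (no read up, no write down) over a constructed set of levels, documents and sessions, and shows why a word processor working at SECRET cannot simply "save as" the unclassified version, however honest the program is.

```python
"""Added illustration of mandatory access control over classification levels.

The rules are the Bell-LaPadula simple security property (no read up) and
*-property (no write down). Level names, the sample documents and the
session names are constructed for this example and do not describe any
system named in the article.
"""
from dataclasses import dataclass, field

# Ordered classification levels; a higher index means more sensitive.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


def rank(level: str) -> int:
    """Position of a level in the ordering; raises ValueError for unknown labels."""
    return LEVELS.index(level)


@dataclass
class Document:
    name: str
    level: str
    text: str = ""


@dataclass
class Session:
    """A running program (editor, word processor) acting for a cleared user."""
    user: str
    level: str                          # working level of the session
    observed: set = field(default_factory=set)  # levels it has read from


class AccessDenied(Exception):
    pass


def read(session: Session, doc: Document) -> str:
    """Simple security property: a session may read only at or below its level."""
    if rank(doc.level) > rank(session.level):
        raise AccessDenied(f"{session.user}@{session.level} may not read "
                           f"{doc.name} ({doc.level})")
    session.observed.add(doc.level)
    return doc.text


def write(session: Session, doc: Document, text: str) -> None:
    """*-property: a session may write only at or above its level.

    Because the check is on labels, not on what the program claims to be
    doing, a hidden feature inside the editor cannot leak what the session
    has read into a less sensitive document either.
    """
    if rank(doc.level) < rank(session.level):
        raise AccessDenied(f"{session.user}@{session.level} may not write "
                           f"{doc.name} ({doc.level})")
    doc.text = text


def try_copy(session: Session, src: Document, dst: Document) -> bool:
    """The sequence an editor runs for 'save as': read src, write dst.

    Returns True if the copy was permitted, False if either step was refused.
    """
    try:
        write(session, dst, read(session, src))
        return True
    except AccessDenied:
        return False


def release(doc: Document, new_level: str, approved_by: str) -> Document:
    """Constructed stand-in for a trusted downgrade step.

    The mandatory rules above never let data flow down, so producing the
    unclassified version of a classified report needs a separate, reviewed
    path outside the ordinary editor. Here that path is only an explicit
    approval record; in a real system this component is exactly the part
    that has to be trusted, which is the 'sticky problem' in the article.
    """
    if not approved_by:
        raise AccessDenied("downgrade requires a named reviewer")
    return Document(doc.name, new_level, doc.text)


if __name__ == "__main__":
    analyst = Session("analyst", "SECRET")
    report = Document("report", "SECRET", "full findings")
    draft = Document("draft", "UNCLASSIFIED")
    print("save-as to UNCLASSIFIED allowed?", try_copy(analyst, report, draft))
    print("draft text after attempt:", repr(draft.text))
    print("released copy:", release(report, "UNCLASSIFIED", "review-officer"))
```

Running the block shows the save-as refused and the draft still empty; the only way the text reaches an unclassified document is through the explicit release step, which is where the design effort (and the trust) has to go.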
Researchers are also studying devices like "smart" cards, which incorporate integrated circuits that can store information, to replace or supplement passwords. Employees, for example, would use individualized cards for access to various computers. Each card would automatically record what information was accessed where and when, leaving an "audit trail" that can be checked periodically.
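The value of the audit trail the article describes lies in the periodic check, so here is an added example of what such a check can look like; it is not code from the article or from any card product. The record layout, the card and host names, the enrollment table and the thresholds are all constructed for the example. It parses a handful of card-reader records and flags three things a reviewer would want to see: a card used on a host it is not enrolled for, a burst of refused accesses from one card, and one card appearing on two different hosts too close together to be the same person carrying it.

```python
"""Added illustration: periodic review of a card-based access audit trail.

Everything below (log format, card ids, hosts, enrollment, thresholds) is
constructed for this example and does not describe a real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, one per access attempt, as a card reader might
# log them: timestamp, card, host, resource touched, outcome.
AUDIT_LOG = """\
1985-10-07T08:02:11 card-0417 hq-vax-1 payroll/ledger ALLOWED
1985-10-07T08:05:40 card-0417 hq-vax-1 payroll/ledger ALLOWED
1985-10-07T08:06:02 card-0417 lab-pdp-3 design/specs DENIED
1985-10-07T08:06:09 card-0417 lab-pdp-3 design/specs DENIED
1985-10-07T08:06:15 card-0417 lab-pdp-3 design/specs DENIED
1985-10-07T08:06:21 card-0417 lab-pdp-3 design/specs DENIED
1985-10-07T09:15:00 card-0922 lab-pdp-3 design/specs ALLOWED
1985-10-07T09:15:30 card-0922 hq-vax-1 payroll/ledger ALLOWED
"""

# Hosts each card is enrolled for (constructed).
ENROLLED = {"card-0417": {"hq-vax-1"}, "card-0922": {"lab-pdp-3"}}


def parse_log(text: str) -> list:
    """Turn the whitespace-separated records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, host, resource, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "card": card,
                        "host": host, "resource": resource, "outcome": outcome})
    return records


def review(records: list, denied_threshold: int = 3,
           denied_window: timedelta = timedelta(minutes=1),
           hop_window: timedelta = timedelta(minutes=5)) -> list:
    """Return (kind, card, detail) findings for a reviewer to follow up."""
    findings = []

    # 1. Card presented on a host it was never enrolled for (one finding per pair).
    seen = set()
    for r in records:
        if r["host"] not in ENROLLED.get(r["card"], set()):
            key = (r["card"], r["host"])
            if key not in seen:
                seen.add(key)
                findings.append(("unenrolled_host", r["card"], r["host"]))

    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)

    for card, rs in by_card.items():
        rs = sorted(rs, key=lambda r: r["ts"])

        # 2. At least denied_threshold refusals inside denied_window.
        denials = [r["ts"] for r in rs if r["outcome"] == "DENIED"]
        for i in range(len(denials) - denied_threshold + 1):
            if denials[i + denied_threshold - 1] - denials[i] <= denied_window:
                findings.append(("denial_burst", card,
                                 f"{denied_threshold} denials starting {denials[i]}"))
                break

        # 3. Same card on two different hosts within hop_window: the card was
        #    either shared, copied, or the clocks/enrollment need checking.
        for a, b in zip(rs, rs[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= hop_window:
                findings.append(("host_hop", card,
                                 f"{a['host']} -> {b['host']} in {b['ts'] - a['ts']}"))

    return findings


if __name__ == "__main__":
    for finding in review(parse_log(AUDIT_LOG)):
        print(*finding)
```

On the constructed log the review returns five findings: both cards on an unenrolled host, one denial burst for card-0417, and one host hop for each card. The thresholds are deliberately parameters, since what counts as suspicious depends on the site; the point is that the trail is only useful if someone runs a check like this on a schedule.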
The main computer security problems are still "dumb human error" and "casual intrusion," says Dennis K. Branstad of the National Bureau of Standards in Gaithersburg, Md. "The problem has grown in magnitude, but the solutions are becoming available."
Date: Oct 12, 1985