Prompted by last year’s terrorist attacks, momentum is building on Capitol Hill in Washington D.C. to expand the role of the National Institute of Standards and Technology in establishing IT security standards and best practices, and the prospect is raising concerns in some circles.
Four bills are pending in the U.S. House of Representatives and U.S. Senate that would double or triple the annual funding of NIST’s Computer Security Division. One of these bills, the Cybersecurity Research and Development Act, passed the House with overwhelming support.
After Sept. 11, the House Science Committee held hearings on the cyber terrorist threat and the lack of a coordinated U.S. response. The hearings focused on the need for more research and targeted NIST for much of the money. Other committees have focused on tightening the security of federal IT systems, which NIST oversees for all but national security systems. Lawmakers believe NIST needs “teeth” to be able to put more pressure on federal agencies.
While applauding the Hill’s new focus on cyber security, industry trade groups and network security vendors worry that NIST could get too involved in determining the features of network security products. Any new certification processes from NIST could slow the delivery of new products and make them more expensive for corporate buyers, industry observers say.
“While we strongly support the intent of these bills that call on NIST to develop security standards, we’re concerned that this could migrate into the government determining product standards,” says Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance (BSA). BSA is a lobbying group that includes IBM Corp., Network Associates Inc. and Novell Inc.
“We want to make sure that NIST creates a floor [for network security products], not a ceiling,” Correa says.
NIST, an arm of the U.S. Department of Commerce, already exerts major influence by selecting cryptography standards and reviewing the security of IT products and systems that the federal government buys. Many network vendors – including Check Point Software Technologies Ltd., Cisco Systems Inc., CyberGuard Corp., Entrust Inc., Network Associates Inc., Lucent Technologies Inc. and Oracle Corp. – have had their products certified that they meet NIST requirements.
Vendors say any new security requirements they must meet for the federal market will likely have a ripple effect on commercial offerings, even though NIST’s guidelines are voluntary for corporate IT buyers.
“If NIST is going to get more involved in security standards, it will help vendors to be NIST-certified in commercial accounts,” says Tom McDonough, CEO of CyberWolf Technologies Inc., which sells enterprise security management software.
Located in Gaithersburg, Md., NIST’s Computer Security Division consists of 45 technologists and has an annual budget of US$10 million.
The division selects cryptographic standards and runs a testing program to ensure IT products apply these standards correctly. The division conducts research in IT security and offers advice to federal IT buyers about evaluating system security.
The division accredits private laboratories to test the security of IT products such as firewalls, intrusion-detection systems and database software under a program called Common Criteria. Common Criteria evaluations will be mandatory for U.S. national security systems purchased after July 1.
“We get this question a lot about how our role is changing post-Sept. 11,” says Edward Roback, NIST computer security division chief. “What we like to say is that we’re turning up the intensity.”
One of NIST’s ongoing efforts is updating existing guidelines for how federal IT managers should assess the security of a major IT system. NIST also is establishing an accreditation program for private-sector organizations that conduct IT security reviews.
NIST works with the U.S. National Security Agency (NSA) to create recommended security targets for various classes of IT products. Since Sept. 11, NIST and NSA have stepped up their efforts to create security targets for 10 key technology areas, including operating systems, VPNs and smart cards. Private laboratories validate whether specific products meet these targets.
Some network security vendors embrace the idea of NIST creating security targets for additional classes of IT products.
“I’d like to see NIST getting more money to develop security targets for other products, including security management platforms like CyberWolf’s,” says Juanita Koilpillai, chairman of CyberWolf. Users of CyberWolf’s software, which coordinates information from intrusion-detection, firewall and network management systems, include the U.S. Department of Defense and the Federal Emergency Management Agency.
“One of the things our government customers look for is who has tested the software and how it’s been evaluated,” Koilpillai says. “If NIST has more funding, it will make it easier for the vendors to get certified.”
Steve Bellovin, a computer security expert with AT&T Labs and one of the directors of the Internet Engineering Task Force’s Security Area, says NIST does a good job of developing cryptographic standards and could use extra resources to speed its work and keep its processes open.
“I don’t think anybody else is quite in the position to do some of these things,” Bellovin says. “There’s a limited amount of expertise in the world to design cryptographic algorithms.”
However, Bellovin says NIST doesn’t have a good track record in establishing broader IT security standards. As evidence, he points to the lack of industry support for NIST’s Common Criteria program and its predecessor, the Orange Book.
“The problem that’s inherent to this class of standard is that the evaluation process is time-consuming and expensive,” Bellovin says. “Orange Book-evaluated systems were a lot more expensive and one or two years late. . . . Common Criteria is doing better because there are more testing labs, but it’s still a lengthy evaluation process.”
Bellovin says to improve cybersecurity, vendors need to take an architectural approach to designing security into their products – something that NIST can’t test.
“The two biggest issues in security are buggy code and total system architecture,” Bellovin says. “If Common Criteria requires more discipline in development and results in less buggy code, that’s great. But it’s not going to solve the architectural failures. We just don’t know how to do that yet.”