What the feds really think about cybersecurity
Published: 09 Aug 2002 11:22 BST
Talk then turned to the upcoming National Strategy to Secure Cyberspace (NSSC) release, a plan to help businesses, the government, and home users secure their computers. Sachs mentioned that the government, as a huge buyer of software, could influence the market by favoring vendors who follow the NSSC's suggestions for creating more secure computer systems.
Sachs was then asked about the government's previous (and some would argue unsuccessful) attempts to establish "trusted computer standards" -- the NSA's Rainbow Series, a set of guidelines from the 1980s, grouped by colour codes, that cover a broad range of computer security topics.
Sachs dismissed the notion that vendors who followed those standards were left out in the cold. But the NSA's Richard George admitted that the Rainbow Series guidelines were difficult for businesses to adhere to, because the standards were different from the technologies most vendors were using at the time. "If the government writes a policy," he said, "it should be a policy that can be followed." The NSSC, on the other hand, is based on suggestions from businesses, the government, and individual users.
Sachs asked that everyone take a look at the NSSC proposal when it is released to the public on 19 September 2002. He suggested that readers respond with suggestions for the next release, currently scheduled for February 2003.
The panellists agreed that today's software developers are not taught how to program securely. Culp said that Microsoft is now schooling its programmers in security, but the NSA's George pointed out that vendors can't test everything.
They also looked to the future of cybersecurity. Tom Parker of Global Intersec said that vulnerability researchers are "scratching the bottom of the barrel" to find new exploits. He predicted that finding new families of bugs, such as the unsigned integer or format string vulnerabilities, may soon become rare.
But the panellists believe older protocols will come back to haunt us again, as happened with SNMP (Simple Network Management Protocol). Last February, researchers discovered flaws in the protocol that put all Internet traffic at risk -- a problem no one foresaw when it was created in 1988.
On a final note, Dave Farrell of SRI International reminded everyone that you don't have to wait until a software maker releases a patch to plug a security hole. There are other ways to mitigate the risks. CERT advisories, for example, usually include workarounds that don't depend on a vendor patch.