The speaker is Richard George who has worked at the National
Security Agency as a Cryptologic Mathematician for 32 years in
the Information Assurance Directorate. Mr. George currently
serves as the Technical Director for the Information Assurance
Evaluations Group.
I was asked to address views on the future of IA, and how NSA
can work with the private sector to secure our critical
infrastructure. I’d like to start by saying that we have no hope of
doing that without you, so we must find a way of doing it together.
Let us first look at the history of Information Assurance. 30 years
ago cryptography was the game. NSA produced boxes; there was
little competition in the private sector. The contractors who were
involved were basically dedicated to producing products for
Department of Defense (DoD) in partnership with us. We had no
Commercial-of-the-Shelf (COTS) time-schedule to compete with,
no funny colors or functionality to compare to. Like the old Ford,
comes in any color you want as long as you want army green.
1
CONFIDENTIALITY was king of the security services!
Data in storage was safe; after all it was on paper. Computers,
where they existed, were stand-alone. Boxes were stand-alone.
They could fail in bad ways, but it was our job to make sure they
wouldn’t. In today’s network world, a big concern is the adversary
sending in something that causes the box to misbehave in a bad
way. That’s not a new thought – in the old days we had “spoofing”
attacks which were very similar. But a spoofer’s abilities were
much more limited. Think of a guy holding a radio (battery
operated). What can you really tell it to do that’s bad? Here’s a
real life example of spoofing in the old days. Military
communication equipments have to work, so failures cause plain
text to transmit and receivers (even in cipher mode) to recognize
plain text coming in. In Viet Nam, guards using our equipment in
cipher mode would hear messages like “HELP! They’re coming in
over the East wall!” Everyone would rush to the East wall; then
the enemy who sent the message using an unencrypted radio
would come in over the West wall, do their thing, and vanish. The
key is functionality – absolutely necessary functionality, lives
2
literally depend on it -- functionality is the bane of security, and
old boxes had little functionality, so there was little they could do
wrong. What was the state of Information Assurance: Our equipments
used NSA designs, all classified, and cleared workers; we still had no good
metric for what that really bought you, but we did get a warm, fuzzy feeling.
It’s very easy to “measure” crypto: example Advance Encryption Standard
(AES), you can say how many bits of strength you get. It’s hard to measure
the strength of a “solution”; what does a hacking attack cost? We are
scientists, we want a number, a discrete security score, and we have no real
method to generate that score. Everything has changed. The solutions
needed are much more complicated. Security services have much different
values: authentication, availability, integrity, non-repudiation. So where are
we today? The Network is king. But that is so much more complicated!
How do you configure a radio? On and off, cipher to plaintext, not very
hard. How do you configure a network? Hard! There are so many choices!
The Windows 2000 Configuration Guide has 18 volumes. “COTS” is the
word of the day. Our customers are familiar with COTS from
home and no one wants to learn a new system. Everyone wants
functionality. More functionality means more potential problems.
At some time we have to mature to the point where we realize
3
that unnecessary functionality is not good; we have to sacrifice
functionality for security. This is a very important step for us to
take as security conscious users. NSA has a COTS strategy,
which is: when COTS products exist with the needed capabilities,
we will encourage their use whenever and wherever appropriate.
AES has been a tremendous help; it provides an algorithm (and
eventually a suite of algorithms), which we are confident will
provide the cryptographic protection needed for all levels of
classified information. Of course, it’s pretty well known that
crypto design, though challenging, is the easy part. The real
problem is in implementing it correctly. That’s where we need to
be careful. In my view, that’s where the government, NSA in
particular, can be most helpful: working with the private sector to
ensure that U.S. commercial products provide the security needed
by our critical infrastructure and our citizens as well. In fact, we
have a responsibility to do everything we can to work with U.S.
industry to make U.S. products the best in the world; to make U.S.
security products the products of choice world-wide. That brings
us to this point of the discussion. If we – government and critical
4
infrastructures – are going to COTS products, where is IA going:
Does that mean we’re giving up on assurance? Absolutely not.
There has been a migration in DoD thinking from a “risk
avoidance” model to a “risk management” model. This is more a
change in advertising than in reality; we know we always had
risks, we’re just sharing more risk information with the customer
so that we can work together to decide which risks are smart to
take, and what steps we can take - policies, procedures, etc.- to
lessen these risks. There are different risks that are acceptable in
different circumstances as well as different needs; we have to
address those facts. There is additional emphasis in government
on functionality – users want the same functionality on the job
that they have at home. (In fact, it’s like the phone – they want
exactly the same functionality, push the same button, and get the
same result that they have at home.) For a while now, commercial
vendors have sold products by adding functionality and adding
technological complexity to reduce the user’s responsibilities; plug
and play rules! However, added functionality is added
opportunity for an adversary, as well as added opportunity for the
5
coder to make mistakes – these things go hand-in-hand. The
combination has caused out-of-the-box configurations to be wide
open, because, heaven forbid, a user turns his machine on and is
not able to perform some advertised function. That is changing!
Vendors still will provide extensive functionality, but functionality
that the average user doesn’t need, that really provides the
adversary more opportunity than the user, that functionality will
be disabled; the user will enable it when needed. A desired end
state for me would be that the DoD configuration become the
standard out-of-the-box configuration, hopefully without placing
too much burden on the average user. We see movement in that
direction and I would like to thank industry for making that
effort. Another trend that I see is more functionality being
combined into fewer boxes, compression of services in some sense.
This is being done in many ways, from treating voice and date as
packets, to combining firewall and intrusion detection services in
a single box. Once again, there is an up side and a down side to
this, but it’s coming! Yet another fact that affects our traditional
view of assurance: there really are very few companies today that
6
fit our traditional view of “American” companies. Now, whether
we originally had a good reason for feeling there was assurance in
using American companies or not, this assurance is no longer
there. In fact, when we buy many of the products today, we don’t
know who wrote the code. There are some methods of adding
assurance: such as purchasing products which have been
evaluated under the common criteria, but even then, it is not clear
what assurance we achieve in this way. We have no metric that
defines what level of assurance we achieve through common
criteria evaluation, no “score” to assign to a product or solution. A
typical product today is: some new code, some old code, some
borrowed (or bought) code, perhaps some malicious - we just can’t
be sure. Another significant problem: US industry has extremely
capable designers, coders, and developers; however, often the
programmers are not familiar with all aspects of the technology
they are developing – crypto for example – and because of that,
the implementations lack the level of security that is desired (and
in fact, the level is well below what is possible). This is where we
can help. We need to work together to develop some method of
7
gaining the level of assurance we all would like. Testing and good
software design and development practices are essential but may
not be sufficient. So, is assurance really hard? Yes, but luckily
US Industry is taking on the challenge – greatly aided by analysts
worldwide who are willing to point out problems to them – that is
an invaluable aid to all of us (especially when it is done the “right”
way: tell the vendor and let a fix be prepared before the weakness
is announced to the world). Security has become important –
industry realizes that and the consumer realizes that (these two
facts are not independent.) Quality has increased significantly
over the last couple of years – spurred by various viruses, cyber
problems, as well as events like 9/11. Security can now be sold as
a feature. There are events like the security month at Microsoft,
which herald a new era in COTS assurance: when a company like
Microsoft takes that public stance, assumes a role of security
leader, that’s a significant statement. We encourage all US
Industry to make security “Job One”. We have a role to play in
this. We have been lucky enough to be able to work with a
number of government agencies and private groups on our
8
configuration guides. These guides have achieved widespread use
and have also received widespread attention from the analyst
community. The feedback we have received – positive and
negative – has been very much appreciated. These are living
documents, and your comments have allowed us to improve the
quality of the guides. By the way, people often think of our
Windows Configuration Guides, which are our most ambitious
efforts, but there are guides available on the website as well, for
other products which have wide use within our customer base.
And more are coming. They are resource intensive and upkeep is
hard, but they have tremendous benefit. So what is the future of
IA? The future is a world where security solutions are created by
melding together mainly COTS security products. It’s a world
where there are various components working together, and the
security provided by one can be undermined by another. It’s a
world where we – all of us – are working together, sharing
knowledge, creating better products. It may be, for DoD, there are
security choke points where GOTS slices are in place, either to
add to the assurance of the system or because there is no COTS
9
slice to fill that particular position. It’s a world where defense in
depth - real defense in depth, not defense in width - makes life
really hard on the adversary. (Defense in depth means there are a
number of obstacles that must be passed at every entry point,
rather than a number of entry points where each have an
obstacle.) So, what we have here is a golden opportunity - I like to
think US Government security analysts are the best in the world.
I believe that US private sector analysts - including many of you –
are the most talented in the world. US industry has always been
the world leader. That makes us – together – pretty powerful, but
it also makes us the most attractive target there is. Let’s all work
together to make that target really hard to hit. Can we work
together to provide the assurance US critical infrastructure
needs? I sure hope so, because that assurance will not be achieved
if we don’t work together. Thanks!
10