The speaker is Richard George who has worked at the National Security Agency as a Cryptologic Mathematician for 32 years in the Information Assurance Directorate. Mr. George currently serves as the Technical Director for the Information Assurance Evaluations Group.
I was asked to address views on the future of IA, and how NSA can work with the private sector to secure our critical infrastructure. I’d like to start by saying that we have no hope of doing that without you, so we must find a way of doing it together.

Let us first look at the history of Information Assurance. 30 years ago cryptography was the game. NSA produced boxes; there was little competition in the private sector. The contractors who were involved were basically dedicated to producing products for the Department of Defense (DoD) in partnership with us. We had no Commercial-off-the-Shelf (COTS) time-schedule to compete with, no funny colors or functionality to compare to. Like the old Ford, it comes in any color you want as long as you want army green.
CONFIDENTIALITY was king of the security services! Data in storage was safe; after all, it was on paper. Computers, where they existed, were stand-alone. Boxes were stand-alone. They could fail in bad ways, but it was our job to make sure they wouldn’t.

In today’s network world, a big concern is the adversary sending in something that causes the box to misbehave in a bad way. That’s not a new thought – in the old days we had “spoofing” attacks which were very similar. But a spoofer’s abilities were much more limited. Think of a guy holding a radio (battery operated). What can you really tell it to do that’s bad? Here’s a real-life example of spoofing in the old days. Military communication equipment has to work, so failures cause plain text to transmit and receivers (even in cipher mode) to recognize plain text coming in. In Viet Nam, guards using our equipment in cipher mode would hear messages like “HELP! They’re coming in over the East wall!” Everyone would rush to the East wall; then the enemy who sent the message using an unencrypted radio would come in over the West wall, do their thing, and vanish.

The key is functionality – absolutely necessary functionality, lives literally depend on it – functionality is the bane of security, and old boxes had little functionality, so there was little they could do wrong.

What was the state of Information Assurance? Our equipment used NSA designs, all classified, and cleared workers; we still had no good metric for what that really bought you, but we did get a warm, fuzzy feeling. It’s very easy to “measure” crypto: for example, with the Advanced Encryption Standard (AES) you can say how many bits of strength you get. It’s hard to measure the strength of a “solution”; what does a hacking attack cost? We are scientists, we want a number, a discrete security score, and we have no real method to generate that score. Everything has changed. The solutions needed are much more complicated.
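The radio story above is a fail-open design: a receiver in cipher mode still accepts unauthenticated plain text, so an outsider with an ordinary radio can put words in a trusted channel. The following is an added illustration, not code from the speech or from any NSA equipment. It models the same behaviour with a toy frame format (a mode flag, a body and an HMAC tag) that I constructed for the example, and contrasts the fail-open receiver with a fail-closed one that drops and logs anything it cannot authenticate. The shared key, the frame layout and the messages are all assumptions made for the demonstration.

```python
"""
Added example (not from the speech): a toy model of the "cipher-mode receiver
that still accepts plaintext" failure, next to a receiver that refuses
unauthenticated traffic. Frame format, key and messages are constructed for
illustration; nothing here models real radio equipment.
"""
import hashlib
import hmac

# Constructed shared key for the demo; a real system provisions keys out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def build_frame(message: str, key: bytes) -> dict:
    """Legitimate sender: tag each message so the receiver can verify its origin."""
    body = message.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"mode": "cipher", "body": body, "tag": tag}


def build_plain_frame(message: str) -> dict:
    """A frame with no tag, as an unkeyed radio would transmit it."""
    return {"mode": "plain", "body": message.encode(), "tag": None}


def legacy_receive(frame: dict, key: bytes) -> tuple:
    """Fail-open receiver: accepts authenticated frames AND any plaintext frame.

    This is the behaviour the speech describes: equipment has to keep working,
    so plain text is recognised even in cipher mode.
    """
    if frame["mode"] == "plain":
        return ("accepted", frame["body"].decode())
    expected = hmac.new(key, frame["body"], hashlib.sha256).digest()
    if hmac.compare_digest(expected, frame["tag"]):
        return ("accepted", frame["body"].decode())
    return ("dropped", None)


def hardened_receive(frame: dict, key: bytes, log: list) -> tuple:
    """Fail-closed receiver: only authenticated frames reach the operator.

    Everything else is dropped and logged, so a spoofing attempt becomes a
    visible event instead of a trusted message.
    """
    if frame["mode"] != "cipher" or frame["tag"] is None:
        log.append("DROP unauthenticated plaintext frame")
        return ("dropped", None)
    expected = hmac.new(key, frame["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, frame["tag"]):
        log.append("DROP bad authentication tag")
        return ("dropped", None)
    return ("accepted", frame["body"].decode())


def run_demo() -> tuple:
    """Feed a genuine, an injected plaintext and a tampered frame to both receivers."""
    log = []
    genuine = build_frame("Patrol returning via north gate", SHARED_KEY)
    # Constructed spoof: the message from the speech, sent without any key.
    injected = build_plain_frame("HELP! They're coming in over the East wall!")
    # Constructed tamper: genuine tag reused over a modified body.
    tampered = dict(genuine, body=b"Patrol returning via south gate")
    results = {
        "legacy_genuine": legacy_receive(genuine, SHARED_KEY),
        "legacy_injected": legacy_receive(injected, SHARED_KEY),
        "legacy_tampered": legacy_receive(tampered, SHARED_KEY),
        "hardened_genuine": hardened_receive(genuine, SHARED_KEY, log),
        "hardened_injected": hardened_receive(injected, SHARED_KEY, log),
        "hardened_tampered": hardened_receive(tampered, SHARED_KEY, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = run_demo()
    for name, (verdict, text) in results.items():
        print(f"{name:18s} {verdict:8s} {text!r}")
    for line in log:
        print("log:", line)
```

The legacy receiver accepts the injected plaintext exactly as it accepts a genuine tagged message, which is the whole problem; the hardened receiver turns the same frame into a drop plus a log line that an operator or a monitoring system can act on. The trade-off the speech points at is real: fail-closed means a keying failure silences the channel, so the decision to fail open or closed has to be made deliberately rather than left as a side effect of "it must keep working".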
Security services have much different values: authentication, availability, integrity, non-repudiation. So where are we today? The Network is king. But that is so much more complicated! How do you configure a radio? On and off, cipher to plaintext, not very hard. How do you configure a network? Hard! There are so many choices! The Windows 2000 Configuration Guide has 18 volumes.

“COTS” is the word of the day. Our customers are familiar with COTS from home and no one wants to learn a new system. Everyone wants functionality. More functionality means more potential problems. At some time we have to mature to the point where we realize that unnecessary functionality is not good; we have to sacrifice functionality for security. This is a very important step for us to take as security-conscious users.

NSA has a COTS strategy, which is: when COTS products exist with the needed capabilities, we will encourage their use whenever and wherever appropriate. AES has been a tremendous help; it provides an algorithm (and eventually a suite of algorithms) which we are confident will provide the cryptographic protection needed for all levels of classified information. Of course, it’s pretty well known that crypto design, though challenging, is the easy part. The real problem is in implementing it correctly. That’s where we need to be careful. In my view, that’s where the government, NSA in particular, can be most helpful: working with the private sector to ensure that U.S. commercial products provide the security needed by our critical infrastructure and our citizens as well.

In fact, we have a responsibility to do everything we can to work with U.S. industry to make U.S. products the best in the world; to make U.S. security products the products of choice world-wide. That brings us to this point of the discussion. If we – government and critical infrastructures – are going to COTS products, where is IA going? Does that mean we’re giving up on assurance? Absolutely not.
There has been a migration in DoD thinking from a “risk avoidance” model to a “risk management” model. This is more a change in advertising than in reality; we know we always had risks, we’re just sharing more risk information with the customer so that we can work together to decide which risks are smart to take, and what steps we can take – policies, procedures, etc. – to lessen these risks. There are different risks that are acceptable in different circumstances as well as different needs; we have to address those facts.

There is additional emphasis in government on functionality – users want the same functionality on the job that they have at home. (In fact, it’s like the phone – they want exactly the same functionality, push the same button, and get the same result that they have at home.) For a while now, commercial vendors have sold products by adding functionality and adding technological complexity to reduce the user’s responsibilities; plug and play rules! However, added functionality is added opportunity for an adversary, as well as added opportunity for the coder to make mistakes – these things go hand-in-hand.

The combination has caused out-of-the-box configurations to be wide open, because, heaven forbid, a user turns his machine on and is not able to perform some advertised function. That is changing! Vendors still will provide extensive functionality, but functionality that the average user doesn’t need, that really provides the adversary more opportunity than the user, that functionality will be disabled; the user will enable it when needed. A desired end state for me would be that the DoD configuration become the standard out-of-the-box configuration, hopefully without placing too much burden on the average user. We see movement in that direction and I would like to thank industry for making that effort.

Another trend that I see is more functionality being combined into fewer boxes, compression of services in some sense. This is being done in many ways, from treating voice and data as packets, to combining firewall and intrusion detection services in a single box. Once again, there is an up side and a down side to this, but it’s coming!

Yet another fact that affects our traditional view of assurance: there really are very few companies today that fit our traditional view of “American” companies. Now, whether we originally had a good reason for feeling there was assurance in using American companies or not, this assurance is no longer there. In fact, when we buy many of the products today, we don’t know who wrote the code. There are some methods of adding assurance, such as purchasing products which have been evaluated under the Common Criteria, but even then, it is not clear what assurance we achieve in this way. We have no metric that defines what level of assurance we achieve through Common Criteria evaluation, no “score” to assign to a product or solution. A typical product today is: some new code, some old code, some borrowed (or bought) code, perhaps some malicious – we just can’t be sure.

Another significant problem: US industry has extremely capable designers, coders, and developers; however, often the programmers are not familiar with all aspects of the technology they are developing – crypto for example – and because of that, the implementations lack the level of security that is desired (and in fact, the level is well below what is possible). This is where we can help. We need to work together to develop some method of gaining the level of assurance we all would like. Testing and good software design and development practices are essential but may not be sufficient.

So, is assurance really hard? Yes, but luckily US Industry is taking on the challenge – greatly aided by analysts worldwide who are willing to point out problems to them – that is an invaluable aid to all of us (especially when it is done the “right” way: tell the vendor and let a fix be prepared before the weakness is announced to the world). Security has become important – industry realizes that and the consumer realizes that (these two facts are not independent). Quality has increased significantly over the last couple of years – spurred by various viruses, cyber problems, as well as events like 9/11. Security can now be sold as a feature. There are events like the security month at Microsoft, which herald a new era in COTS assurance: when a company like Microsoft takes that public stance, assumes a role of security leader, that’s a significant statement. We encourage all US Industry to make security “Job One”.

We have a role to play in this. We have been lucky enough to be able to work with a number of government agencies and private groups on our configuration guides. These guides have achieved widespread use and have also received widespread attention from the analyst community. The feedback we have received – positive and negative – has been very much appreciated. These are living documents, and your comments have allowed us to improve the quality of the guides. By the way, people often think of our Windows Configuration Guides, which are our most ambitious efforts, but there are guides available on the website as well, for other products which have wide use within our customer base. And more are coming. They are resource intensive and upkeep is hard, but they have tremendous benefit.

So what is the future of IA? The future is a world where security solutions are created by melding together mainly COTS security products. It’s a world where there are various components working together, and the security provided by one can be undermined by another. It’s a world where we – all of us – are working together, sharing knowledge, creating better products. It may be, for DoD, there are security choke points where GOTS slices are in place, either to add to the assurance of the system or because there is no COTS slice to fill that particular position. It’s a world where defense in depth – real defense in depth, not defense in width – makes life really hard on the adversary. (Defense in depth means there are a number of obstacles that must be passed at every entry point, rather than a number of entry points where each has an obstacle.)

So, what we have here is a golden opportunity. I like to think US Government security analysts are the best in the world. I believe that US private sector analysts – including many of you – are the most talented in the world. US industry has always been the world leader. That makes us – together – pretty powerful, but it also makes us the most attractive target there is. Let’s all work together to make that target really hard to hit. Can we work together to provide the assurance US critical infrastructure needs? I sure hope so, because that assurance will not be achieved if we don’t work together. Thanks!