Government Plans to Make Net More Secure

Government officials will release next month a draft plan to protect government users of the global Internet communications network.

The Internet security plan is likely to shape the future of commercial Internet-security practices and also the security policy that will govern the Internet's big brother, the emerging National Information Infrastructure.

Pentagon and other federal users of the worldwide Internet have been hit repeatedly by skilled hackers, who use sophisticated techniques to steal passwords and crack open government computers linked to it. Although the government's classified information is kept separate from the Internet, security officials say hackers can use it to alter computerized data, view private records or cripple computer operations.

The security plan is being drawn up by the government-wide Federal Networking Council and its security subcommittee. The subcommittee is co-chaired by Denis Steinauer, a security expert at the National Institute for Standards and Technology, Gaithersburg, Md., and by Stephen Squires, an official at the Pentagon's Advanced Research Projects Agency, Arlington, Va.

The plan sets out who needs to do what to improve Net security for government users, Steinauer said. Included in the plan are measures to help agencies use existing security technology, and proposals to upgrade the Internet's software so users can reliably and safely identify themselves to each other.

One clear problem is posed by hackers' efforts to capture and abuse many individual's Internet passwords, so "we need to move the world off of reusable password authentication," he said.

NIST officials already are developing technology standards that will allow different commercially-developed data-scrambling and user-identification techniques to operate together on the Internet, he said.

The government's security plan will have no impact on Internet users in the short term, but will likely shape the market for security technology over the long term, said Tony Rutkowski, executive director of the Internet Society of Reston, Va.

The plan also is likely to have some impact on the many commercial users of the Internet, largely because the government's economic clout will shape the marketplace for security technology, according to David Sobel, a lawyer at the Washington-based Electronic Privacy Information Center. Sobel said his main concern is that the government might promote the use of the controversial Clipper chip .

.But there are sharp limits to the government's influence on non-government users of the Internet, said Wayne Madsen, a computer -security consultant based in Fairfax, Va. The worldwide network was not built for security and has too many participants for the U.S. government to control. "How will they get Mongolia and Cuba to follow the rules?" he asked.

Robert Bales, head of the National Computer Security Association of Carlisle, Pa., refused to comment on the plan until it is released.

Government officials have not decided yet how to distribute the plan for public comment, but are considering posting it on the Internet, said Steinauer.

Alongside government, industry officials are developing a steady stream of Internet-security devices, such as the Sidewinder software programs developed by Secure Computing Corp. of Roseville, Minn. Sidewinder is designed to allow Internet users to identify themselves and also to monitor computer hackers trying to break through the security system, said Kermit Beseke, president of the company.

Another new product is Veil, a software program intended to allow Internet users to defeat hackers' electronic eavesdropping, according to Greg Shanton, a marketing manager for TECSEC Inc., Vienna.

The Veil product uses an innovative encryption intended to minimize the difficulty of coordinating numerous passwords and security clearance that are normally maintained by large organizations, such as a department or agency, he said. The new method was developed by the company's president, Ed Scheidt, who served as chief of cryptography for the Central Intelligence Agency.