Call to Arms
Government's Net Security Woes Point to Need for Stronger Protection
- By Jon William Toigo
- May 31, 2001
Successful hacker attacks against Web sites of the State Department, NASA, the Naval Weapons Research Center and even the White House, all within recent months, underscore that security remains the Achilles' heel of Web technology.
Despite initiatives within many government organizations to bolster the security of their intranet- and Internet-enabled systems, some observers, including Ira Winkler, said many of these efforts are cosmetic, at best.
Winkler, a former National Security Agency employee and now president of Internet Security Advisors Group, a Severna Park, Md., security consulting firm, said many government organizations have begun implementing the products and services offered by public key infrastructure providers recently approved by the General Services Administration under its ACES Project.
ACES, short for Access Certificates for Electronic Services, seeks to ensure the interoperability of key authentication systems used by different government agencies and departments to encrypt data while in transit between government systems and end users. The contract was won by AT&T Corp., Digital Signature Trust Co. and Operational Research Consultants Inc.
While Winkler agreed that interoperability is important, he said the vulnerability of the systems that were communicating across the Internet or through intranets made the deployment of PKI systems premature and ineffective.
"The data on either end of the network is vulnerable, so securing it while it is in transit doesn't mean a lot," he said. "Many government agencies are making a big deal out of their deployment of PKI technology, but they are building this security on top of a fundamentally weak infrastructure. It's just cosmetic."
Winkler's comments have been given credence by numerous annual audits of the security of federal information technology conducted by the General Accounting Office since 1996. More than 20 agencies and departments surveyed continued to receive failing grades, according to a September 2000 report made to Congress by Joel Willemssen, director of GAO's Civil Agencies Information Systems Accounting and Information Management Division.
The low marks surprised Marianne Swanson, among others. Swanson is a senior security officer within the policy management and operations group of the computer security division of the National Institute of Standards and Technology. NIST, she said, has been developing Federal Information Processing Standards (FIPS) pertaining to security, and offering implementation guidance to agencies for nearly a decade under numerous mandates including the Computer Security Act of 1987 and the Brooks Act.
"When the inspector general audits an agency, they may ask why it is not following one of the FIPS. But if they have a different way to solve the problem, that's OK. They just have to explain what they are doing and document it" to pass the audit, she said.
Bill McSweeney, president and chief executive officer of Amitex Corp., a Chicago-based security consulting firm that has spent the past year conducting security audits for the Veterans Affairs hospital system in California, said that security has only recently become a hot button for most of the federal clients with whom his firm consults.
Most agencies have some sort of rudimentary security in place, "a password and user ID system, and maybe a firewall," he said. However, like commercial companies, most of the agencies traditionally have "spent more on coffee than on security," McSweeney said.
Winkler agreed, noting that recent presidential decision directives have created a mandate and authorized funds for bolstering security, but that effective security provisioning required that money be applied properly.
"You don't just buy a firewall or a PKI system. You need assessments and penetration tests to guide spending," Winkler said. "If you discover [flaws in your security], that's what should guide how you spend your money."
His comments were echoed by Michael Linette, president of Web technology integrator Zerowait Corp., Newark, Del. That company recently completed security work for several government research laboratories. Linette said recent moves to adopt PKI systems might prove ineffective against skilled hackers if architectural provisions for security are not made.
"Security is reactive, not proactive," Linette said. Hackers routinely perform "port scans" on routers that interconnect Web servers to the Internet, looking for open ports that provide access to back-end systems, he said.
Linette estimated that more than 25 percent of government and commercial Web servers are attached to hubs directly without effective firewalls, leaving back-end systems "open to the world."
The solution, Linette said, is "to know how to harden" the network-connected system or to get the technical competence from a third-party integrator who knows the tricks of the hacker trade. Linette said these skills are not always available off the GSA schedule.
"Being on the GSA requires the disclosure of your firm's 'secret sauce.' This is not a good thing when it comes to security," Linette said. He said Zerowait's government work has been limited to projects that do not necessitate GSA contractor status.
Most observers agreed that the evolving technologies of Web security also impair the effectiveness of security provisions implemented by agencies and departments. Security technology is a moving target with no guarantees of interoperability between various internal and external products. That is why PKI security is a good thing, but its implementation in isolation from other elements of a security infrastructure, such as virtual private networks or firewalls, may lead to incompatibilities downstream, Winkler said.
FEMA Defends Its Systems
While most agencies and departments were reluctant to discuss security provisioning, the Federal Emergency Management Agency and Anteon Corp., a Fairfax, Va.-based systems integrator, did allow questions about ongoing work that would not require the explicit description of security arrangements.
William Prusch, director of FEMA's enterprise systems development division, said security was not an afterthought or bolt-on to existing systems, but an integral part of the planning and design of the agency's National Emergency Management Information System.
Prusch described NEMIS as an evolving agencywide system of hardware, software, telecommunications and applications software that provides a new technology base for FEMA and its partners to perform its emergency management mission.
The NEMIS system includes human services, infrastructure support, mitigation, emergency support and emergency coordination modules used to process FEMA-supported disaster response activities.
The system connects FEMA's headquarters, regional offices and National Process Servicing Centers. It is accessed via FEMA's intranet, temporary network extensions to support disaster field operations or through dial-up modem using Microsoft's Windows Terminal Server or PC Anywhere and, in some cases, via the Internet.
Prusch said the agency is seeking to extend the original four-year development contract with Anteon, which ended last September, for another four years to implement FEMA's e-grants initiative as well as to bring NEMIS into compliance with the recent Disaster Mitigation Act of 2000.
Security has been a part of NEMIS' design from the start, said Frank Stellar, NEMIS program manager with Anteon, because of the sensitive nature of some of the applications fielded by the agency. These include the Rapid Response Information System and the Response and Recovery Operations System.
"For good reason, FEMA didn't want all of its available response assets to be known," Stellar said, "or to have day-to-day operations and situation reports from disaster sites becoming public information. The need for security for these Internet-enabled systems was pretty self-evident."
Stellar said FEMA's participation in the ACES Project was more than window dressing. "PKI is a complementary component of FEMA's existing and robust security architecture," he said. FEMA was the first agency to implement the GSA-approved PKI solution for its applications in July 2000.
FEMA's implementation of security has been by the book, according to Prusch. He said the agency has an enterprise security management group reporting to the chief information officer that "has undertaken numerous and continuous assessments of security."
"NEMIS implements an internal security management control system," Prusch said. "It was a good security architecture that Anteon and I were starting down the road to enhance with PKI a little over a year ago."
The agency was awarded 10,000 digital certificates in July 2000 under the ACES project that enabled secure, encrypted communications via the Internet to access NEMIS and between FEMA and other agencies and departments using the system.
The certificates play an important role in Web-based access to FEMA systems, according to Anteon's Web developer, Jeremy Fisher. The user, who has a certificate, navigates to the FEMA site, places a request for certification of credentials, has his certificate verified and only then is allowed to log in using a password and username.
"The certificate is routed to the appropriate authority, the certificate authority that has been approved by GSA, for verification before the user can sign in," Fisher said. He added that ACES was an important replacement for the numerous, often incompatible, authentication systems deployed by different agencies.
According to one observer, FEMA is the poster child for security within the government space. The agency demonstrates the ideal implementation of PKI solutions, even according to critics such as Ira Winkler.
"Security should be built in and not bolted on," Winkler said. "Systems can be designed to be more secure. Just bolting on PKI to an insecure system is like changing the lock on the window of a house, but doing nothing to secure the door."
What Is PKI?
Public key infrastructure, or PKI, is the combination of software, encryption technologies and services that enables an enterprise to protect the security of its communications and electronic business transactions.
The approach is based on a digital certificate, an "electronic passport" that establishes the credentials of someone who is doing business, sending e-mail or creating other transactions electronically.
A digital certificate is issued to an individual by a certification authority that vouches for the certificate holder's identity and validates the authenticity of the certificate each time it is used. The certificate contains a name, a serial number, expiration date, a copy of the certificate holder's public key and the digital signature of the issuing authority.
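The certificate fields listed above, and the verify-the-certificate-then-ask-for-a-password order Fisher describes, can be reproduced with the openssl command line. This is an added example, not FEMA's or Anteon's code; the CA names, user names, password and helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration: CA names, users, password and helpers are all constructed.
WORK=$(mktemp -d)
DEMO_PASSWORD='constructed-demo-password'   # stand-in for a real credential store

# make_ca NAME: self-signed CA certificate standing in for a certification authority.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA USER: the CA signs USER's public key, producing USER's certificate.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# show_fields USER: name, serial number, expiration date and issuer of the certificate.
# (Adding -text also prints the holder's public key and the issuer's signature.)
show_fields() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -serial -enddate -issuer
}

# cert_gate USER: succeeds only if the certificate is unexpired and signed by the approved CA.
cert_gate() {
  openssl verify -CAfile "$WORK/approved-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# login USER PASSWORD: the password is looked at only after the certificate verifies.
login() {
  cert_gate "$1" || { echo "denied: certificate not verified for $1"; return 1; }
  [ "$2" = "$DEMO_PASSWORD" ] || { echo "denied: wrong password for $1"; return 2; }
  echo "signed in: $1"
}

make_ca approved-ca
make_ca other-ca
issue_cert approved-ca alice      # certificate from the approved authority
issue_cert other-ca bob           # certificate from an authority that is not approved
show_fields alice
login alice "$DEMO_PASSWORD"
login bob "$DEMO_PASSWORD" || true   # rejected at the certificate step
login alice 'wrong-guess' || true    # certificate fine, password rejected
```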