CIA official: We need a secure OS, but where's the demand?

Industry is not providing government with the basic tools it needs to build a secure information infrastructure, say military and intelligence officials.

“What we need is a secure operating system,” Robert Bigman, chief of the CIA’s Information Assurance Group, said during a panel discussion at the Security Innovation Network showcase in Washington Oct. 26. “We gave up some time ago on the battle to build a secure operating system, and we don’t have one.”

The thousands of stand-alone IT security products being offered today are a reflection of the lack of overall security, he said.

Richard Hale, the Defense Department’s deputy CIO for information assurance, said there also is a lack of interoperable security products and that networking protocols need to be hardened to survive in the hostile environment of the modern world.

“There was no thought of a bad guy when these were developed,” he said. The military needs an information infrastructure that is “much less fragile,” but “the market is not demanding that right now.”

Both government and private-sector participants on the panel discussing government cybersecurity needs agreed that the problem stems from the lack of market demand for secure products. There was little consensus on just what the government could and should do to stimulate that market, however.

“We have to be careful about requiring things,” warned John Jolly, general manager of General Dynamics Information Systems Cyber Division. He suggested things are not likely to get better any time soon. “We all have to figure out how to operate in that fragile environment for the foreseeable future.”

Bigman acknowledged that the government’s record in mandating functionality for IT products “is not real good.” But he said the National Security Agency almost got it right in its efforts in the 1990s to develop a secure operating system based on Linux. The result, Security-Enhanced Linux (SELinux), is now used in the CIA but has not been widely adopted in the commercial market, which he said reflects the lack of demand.

“I’m not so sure it isn’t time to try it again, and do it right this time,” Bigman said.

The government’s ability to drive the IT market is limited, especially as that market focuses increasingly on the consumer.

“Vendors are driven by what they can sell,” Bigman said. “We are not a big part of their business. We are a smaller and smaller part of it. Demand comes from the consumer, and I haven’t seen it yet. I can’t be optimistic about that changing.”

The problem is likely to be amplified by tight budgets, which are driving agencies to rely more on large enterprisewide buys of off-the-shelf products. This means that government is using more products not designed to be secure, and it eliminates the niche markets of innovative small companies that often make significant advances in technology. Bigman said that because of budget constraints, the CIA is close to requiring that all IT acquisitions be made through group purchases.

“Clearly the trend is not to do individual niche purchases,” he said. “It makes it hard for the small company.”

Hale told an audience of vendors that DOD relies on industry input to help structure its IT buys and urged greater participation when the department issues requests for information in advance of a procurement. He also said that building products to stable standards can help the fast-moving IT industry supply workable products under the slower-moving government acquisition system.

Reader Comments

Wed, Mar 21, 2012

That would be nice if it were possible. It is not possible to make a secure OS. Anything can be broken.

Fri, Nov 4, 2011 Jean D. Arc At the Pyre

It is always heartwarming to see that we learn NOTHING from history. Dating back to research in the 60's and hardware-software implementations in the 70's, Multics-like derivatives on a secure hardware platform (remember this is all before VLSI and ULSI) had the ability to satisfy the demands of "MULTI-LEVEL" security requirements, even as defined by the gnomes in the "snack bar" of the NSA. Fast forward 40+ years and what do you have? A large number of feather merchants and hucksters selling "cost effective" data processing solutions. They prove cost effective when your data and security is of NO value. The real solution lies in educated leadership, something that is seldom found within the beltway.

Thu, Oct 27, 2011 Todd OH

1. Why does our infinitely stupid government connect their network to the Internet where everything can and will be compromised? A private fiber network not attached to the Internet instantly solves ALL security issues. 2. Why doesn't our infinitely inept government develop their own secure and simple OS?

Thu, Oct 27, 2011 Marcus

There are tons of options out there for stable, secure operating systems with clear and concise standards for deploying software. The DoD is just obsessed with signing contracts with corporations. Get Linux or BSD, customize it to DoD needs, and deploy it. There's no excuse for wanting a secure OS and not having one when the source code is out there, for free, for you to build with.

Thu, Oct 27, 2011

Who needs a secure operating system when we already have the best, only computer system ever, Windows? After all, Bill Gates did invent computing and he knows what is best for all of us.
