To ensure system security, set priorities

“It was always my intention to be an artist,” Van
Dyke said. Then a job with Rand Corp. spinoff Systems Development Corp. showed him that
art, logic and music skills worked in programming, too.


Later he joined Informatix Inc., since acquired by Sterling Software Inc. of Dallas,
and in 1978 he founded J.G. Van Dyke & Associates Inc. of Bethesda, Md., where he is
president. The company assists prime contractor Lockheed Martin Corp. in developing the
Defense Department’s Defense Message System.


GCN senior editor William Jackson spoke with Van Dyke at his Bethesda office.


What’s more



Age: 50
Family: Wife and three children, ages 27, 25 and 17
Last book read: Yellow Raft in Blue Water by Michael
Dorris
Last movie seen: “Saving Private
Ryan’’
Leisure activities: Sailing and jogging
Motto: “Do my best at what I think is right,
and everything else will fall in place.’’




GCN: How would you assess the state of information security in
government agencies?


VAN DYKE: In a word, pretty dismal. For any sophisticated hacker, accessing a
government or corporate system is like accessing any other free Web page. There are hacker
tools on the Internet, and you can build up quite a repertoire of penetration tools
without much creativity.


Hackers come in two varieties: those who wish to harass and disrupt, and those who wish
malevolently to inhibit the operation of an agency or corporation, or to obtain data and
use it.


I can see a business growing up for third-party hackers who have no particular
animosity but understand that they can sell data to someone who might be interested. We
can’t always assume that foreign nations and economic espionage motivate
penetrations.


GCN: Why is the level of
security so dismal?


VAN DYKE: Systems managers are fairly undereducated in their systems’
vulnerabilities and how to apply the security technologies available. They don’t have
a methodology to address their lack of security. Some don’t recognize the problem.
Others are overwhelmed.


There are exceptions. The Army’s research laboratories have a sophisticated set of
methodologies and technologies for protection, detection, response and education. The
problem is that while [some organizations] understand the technology, it is not very well
disseminated or applied.


Even in the intelligence community, which we spend a lot of time with, we can see that
global communications systems are very secure. But much less care is taken to protect
internal business process systems.


GCN: Why is that?


VAN DYKE: I think there is a lack of perception that information in those systems can
be as valuable as the information in transit globally.


Everyone has read about penetration of Pentagon systems—the denial of service and
the downtime. On the nonmilitary side, [agencies] are only in the initial stages of
awareness. Many systems managers don’t fear what they don’t see and can’t
prove.


There are lots of ways of rationalizing delays in responding to threats. You can say
there is no evidence that we have been penetrated, our operations are going swimmingly and
there should be no concern. Putting off concern until there is denial or disruption of
service or there is proof of a compromise could be costly.


Managers can further rationalize that the technology is not quite there yet and
expensive and not in the budget this year. Also, I think a lot of managers have enough to
do maintaining their day-to-day operations. To implement a security strategy is
time-consuming and money-consuming, and it may cause significant change in the way
business is done.


GCN: How good can you make
security?


VAN DYKE: Total security remains an illusion. All security today is partial. But I
believe you can baseline processes, create a security architecture, prioritize protection
of the crown jewels and mitigate the risk to the rest.


It requires a disciplined process and an understanding of the strengths and limitations
of products available today. Most are fairly limited. So to protect a system, you need a
collection of devices and security software.


Vendors are getting a little smarter at understanding they must have a full range of
services and devices. We can see a lot of mergers and acquisitions to provide the depth
and breadth to be responsive.


GCN: You talk about a
risk-based approach to security. With interconnected networks, is it adequate to implement
any level of security when someone else in the chain may have less?


VAN DYKE: Globalization has driven system constructs to be much more network-oriented,
and that includes more heterogeneous processors and systems that each have their own
security weakness.


It has tremendously multiplied the number of access points and, in some cases,
uncontrolled access points, because you may have third-party networks that you don’t
have the right to put limitations on or add security devices to.


When you prioritize what to protect, you may have to redefine your processes and your
systems to map them to the methodologies and technologies available. If you want a secure
system, you may have to change the way you do business. Most systems today have not been
built with security in mind.


In the early stages of global networks, the idea was to get more data to more people
faster. But it has made us much more vulnerable. There is a rethinking now on what is the
best kind of system. You have to throw security in as one of your design parameters rather
than an add-on.


GCN: Short of a service
shutdown, will year 2000 problems raise security concerns?


VAN DYKE: Most security devices are fairly new and have been built within the framework
of recognition of the year 2000 problem. The associated software should not be a problem.
A security concern would arise only if the date problem allowed information to get into
the wrong hands. I don’t see that.


GCN: Your company is
working on off-the-shelf security products for the military environment. How long before
there is a merger of commercial and military security?


VAN DYKE: In large measure, that merger has already taken place. The intelligence and
Defense Department community use a lot of commercial products where a lower level of
assurance is needed. At higher levels—and there will always be higher levels in the
military—commercial products still don’t suffice.


We’ve developed certificate workstations, public-key infrastructures, firewalls
and so on. We have also developed the Message Security Protocol for the National Security
Agency for high-assurance message protection. Version 4 will be available at the end of
this year and will provide multilevel security and allow multiple types of encryption
algorithms.


That is military-specific. The government understands it has to move in the direction
of consistency with the commercial world. Van Dyke has been asked to work with the
Internet Engineering Task Force on a modified specification for the ad hoc Internet
standard called Secure Multipurpose Internet Mail Extensions, and to add some of the more
robust MSP features to S/MIME.


The result will be S/MIME Version 3, which then will be a commercially consistent
protocol, widely used, that has multilevel security characteristics required by the
government.


DMS users originally were intended to use MSP Version 4 and Fortezza encryption
algorithms. But it became clear very quickly that not all users required that level of
assurance. So DMS’ flexible architecture is going to implement medium-grade
assurance. A request for information is out to the industry to see what can satisfy that.
I would suggest that most of the products that exist today will be able to respond to that
requirement.


GCN: Will MSP
4 be the key to multilevel traffic on a single network?


VAN DYKE: DMS has shown how difficult it is to produce multilevel security. From an
architectural standpoint, you can construct a multilevel-secure network, but it is very
expensive because it requires parallel dual paths. Also, there is a high-assurance guard
capability that allows enclaves of different security levels to coexist within the same
network.


MSP 4 provides the flexible multilevel architecture. But it still has a way to go
because, although the data labeling will provide different security levels, the
applications have to respond correctly to the different security levels. That ability is
really only being developed now.


I would expect that at the completion of DMS in the late-1999 to early-2000 time frame,
we will have effective multilevel security environments.


GCN: How significant are
the recently reported e-mail vulnerabilities?


VAN DYKE: Our company had a military messaging open house two years ago in which we
demonstrated commercial products responding to a DMS-like requirement. Virtually everyone
was using commercial e-mail systems and had had problems with e-mail servers going down,
or sending messages to the wrong party or not delivering them.


Some of these problems remain. A compromise has to be made in programs like DMS that
embrace commercial technology. Reliability and robustness seem to be part of the
compromise.


Most of the stovepiped and tremendously expensive systems that the government used to
build were really to ensure stability and robustness. They became too expensive.


So these are not new issues. DMS’ dependence on commercial e-mail systems means
some vulnerabilities. Vendors are working hard to improve the robustness, but the
vulnerabilities will be around for a while. 

inside gcn

  • HPE SGI 8600

    New supercomputers headed to DOD

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group