To ensure system security, set priorities
It was always my intention to be an artist, Van
Dyke said. Then a job with Rand Corp. spinoff Systems Development Corp. showed him that
art, logic and music skills worked in programming, too.
Later he joined Informatix Inc., since acquired by Sterling Software Inc. of Dallas,
and in 1978 he founded J.G. Van Dyke & Associates Inc. of Bethesda, Md., where he is
president. The company assists prime contractor Lockheed Martin Corp. in developing the
Defense Departments Defense Message System.
GCN senior editor William Jackson spoke with Van Dyke at his Bethesda office.
|Family: Wife and three children, ages 27, 25 and 17|
|Last book read: Yellow Raft in Blue Water by Michael|
|Last movie seen: Saving Private|
|Leisure activities: Sailing and jogging|
|Motto: Do my best at what I think is right,|
and everything else will fall in place.
GCN: How would you assess the state of information security in
VAN DYKE: In a word, pretty dismal. For any sophisticated hacker, accessing a
government or corporate system is like accessing any other free Web page. There are hacker
tools on the Internet, and you can build up quite a repertoire of penetration tools
without much creativity.
Hackers come in two varieties: those who wish to harass and disrupt, and those who wish
malevolently to inhibit the operation of an agency or corporation, or to obtain data and
I can see a business growing up for third-party hackers who have no particular
animosity but understand that they can sell data to someone who might be interested. We
cant always assume that foreign nations and economic espionage motivate
GCN: Why is the level of
security so dismal?
VAN DYKE: Systems managers are fairly undereducated in their systems
vulnerabilities and how to apply the security technologies available. They dont have
a methodology to address their lack of security. Some dont recognize the problem.
Others are overwhelmed.
There are exceptions. The Armys research laboratories have a sophisticated set of
methodologies and technologies for protection, detection, response and education. The
problem is that while [some organizations] understand the technology, it is not very well
disseminated or applied.
Even in the intelligence community, which we spend a lot of time with, we can see that
global communications systems are very secure. But much less care is taken to protect
internal business process systems.
GCN: Why is that?
VAN DYKE: I think there is a lack of perception that information in those systems can
be as valuable as the information in transit globally.
Everyone has read about penetration of Pentagon systemsthe denial of service and
the downtime. On the nonmilitary side, [agencies] are only in the initial stages of
awareness. Many systems managers dont fear what they dont see and cant
There are lots of ways of rationalizing delays in responding to threats. You can say
there is no evidence that we have been penetrated, our operations are going swimmingly and
there should be no concern. Putting off concern until there is denial or disruption of
service or there is proof of a compromise could be costly.
Managers can further rationalize that the technology is not quite there yet and
expensive and not in the budget this year. Also, I think a lot of managers have enough to
do maintaining their day-to-day operations. To implement a security strategy is
time-consuming and money-consuming, and it may cause significant change in the way
business is done.
GCN: How good can you make
VAN DYKE: Total security remains an illusion. All security today is partial. But I
believe you can baseline processes, create a security architecture, prioritize protection
of the crown jewels and mitigate the risk to the rest.
It requires a disciplined process and an understanding of the strengths and limitations
of products available today. Most are fairly limited. So to protect a system, you need a
collection of devices and security software.
Vendors are getting a little smarter at understanding they must have a full range of
services and devices. We can see a lot of mergers and acquisitions to provide the depth
and breadth to be responsive.
GCN: You talk about a
risk-based approach to security. With interconnected networks, is it adequate to implement
any level of security when someone else in the chain may have less?
VAN DYKE: Globalization has driven system constructs to be much more network-oriented,
and that includes more heterogeneous processors and systems that each have their own
It has tremendously multiplied the number of access points and, in some cases,
uncontrolled access points, because you may have third-party networks that you dont
have the right to put limitations on or add security devices to.
When you prioritize what to protect, you may have to redefine your processes and your
systems to map them to the methodologies and technologies available. If you want a secure
system, you may have to change the way you do business. Most systems today have not been
built with security in mind.
In the early stages of global networks, the idea was to get more data to more people
faster. But it has made us much more vulnerable. There is a rethinking now on what is the
best kind of system. You have to throw security in as one of your design parameters rather
than an add-on.
GCN: Short of a service
shutdown, will year 2000 problems raise security concerns?
VAN DYKE: Most security devices are fairly new and have been built within the framework
of recognition of the year 2000 problem. The associated software should not be a problem.
A security concern would arise only if the date problem allowed information to get into
the wrong hands. I dont see that.
GCN: Your company is
working on off-the-shelf security products for the military environment. How long before
there is a merger of commercial and military security?
VAN DYKE: In large measure, that merger has already taken place. The intelligence and
Defense Department community use a lot of commercial products where a lower level of
assurance is needed. At higher levelsand there will always be higher levels in the
militarycommercial products still dont suffice.
Weve developed certificate workstations, public-key infrastructures, firewalls
and so on. We have also developed the Message Security Protocol for the National Security
Agency for high-assurance message protection. Version 4 will be available at the end of
this year and will provide multilevel security and allow multiple types of encryption
That is military-specific. The government understands it has to move in the direction
of consistency with the commercial world. Van Dyke has been asked to work with the
Internet Engineering Task Force on a modified specification for the ad hoc Internet
standard called Secure Multipurpose Internet Mail Extensions, and to add some of the more
robust MSP features to S/MIME.
The result will be S/MIME Version 3, which then will be a commercially consistent
protocol, widely used, that has multilevel security characteristics required by the
DMS users originally were intended to use MSP Version 4 and Fortezza encryption
algorithms. But it became clear very quickly that not all users required that level of
assurance. So DMS flexible architecture is going to implement medium-grade
assurance. A request for information is out to the industry to see what can satisfy that.
I would suggest that most of the products that exist today will be able to respond to that
GCN: Will MSP
4 be the key to multilevel traffic on a single network?
VAN DYKE: DMS has shown how difficult it is to produce multilevel security. From an
architectural standpoint, you can construct a multilevel-secure network, but it is very
expensive because it requires parallel dual paths. Also, there is a high-assurance guard
capability that allows enclaves of different security levels to coexist within the same
MSP 4 provides the flexible multilevel architecture. But it still has a way to go
because, although the data labeling will provide different security levels, the
applications have to respond correctly to the different security levels. That ability is
really only being developed now.
I would expect that at the completion of DMS in the late-1999 to early-2000 time frame,
we will have effective multilevel security environments.
GCN: How significant are
the recently reported e-mail vulnerabilities?
VAN DYKE: Our company had a military messaging open house two years ago in which we
demonstrated commercial products responding to a DMS-like requirement. Virtually everyone
was using commercial e-mail systems and had had problems with e-mail servers going down,
or sending messages to the wrong party or not delivering them.
Some of these problems remain. A compromise has to be made in programs like DMS that
embrace commercial technology. Reliability and robustness seem to be part of the
Most of the stovepiped and tremendously expensive systems that the government used to
build were really to ensure stability and robustness. They became too expensive.
So these are not new issues. DMS dependence on commercial e-mail systems means
some vulnerabilities. Vendors are working hard to improve the robustness, but the
vulnerabilities will be around for a while.