CTOs keep wary eye on security measures

CTOs keep wary eye on security measures

By Susan M. Menke

GCN Staff

FEB. 1—Agency chief technology officers face a growing list of security threats without any sure-fire solutions, two CTOs said yesterday at the ComNet trade show in Washington.

Robert A. Flores, CTO of the CIA, and Jeffrey D. Pound Sr., CTO of the Air Force Research Laboratory at Wright-Patterson Air Force Base, Ohio, said their time is consumed by security and bandwidth issues.

"Every day something is bigger and more complicated than the day before," Flores said. "We're basically competing with CNN [for intelligence], but we don't get to charge for our services."

Pound said he worries a lot about "professional hackers, not just kids," because the Air Force lab is "one of the top U.S. targets." He likes the security of virtual private networking, but existing firewalls and VPN software cannot handle the gigabit-level throughput of Air Force networks now being planned, he said.

Flores said the CIA "spends a lot of time trying to break other people's networks. We try to hack ourselves to death" to find vulnerabilities. Encryption is not the answer, he said. If all transmissions and even stored data were encrypted against intruders, the encryption would prevent indexing and searching of files and video streams.

"And we don't believe biometrics is the answer" for user authentication, Flores said. "It's not hard to hack the middleware" that stores user identities. "We've got iris readers, but we don't trust them."

Pound said the Air Force lab, like the rest of the Defense Department, is putting its trust in public-key infrastructure and digital certificates. "But what happens," he asked, "if someone inserts a bogus certificate server in your chain? PKI is only as good as the guy who gives out the keys."

The two CTOs said they are "scared to death" about malicious code inserting itself into their secure networks via JavaScript, ActiveX and other scripting languages. Their organizations are both preparing to migrate to Microsoft Windows 2000 and its Active Directory services.

Both said they also worry about the trend toward wireless handheld devices, which Pound called "very scary. Bluetooth [short-range radio networks] destroys physical security. Someone could stand outside a window and read everything on your laptop."

Asked about outsourcing functions to application service providers, Pound said it "won't ever happen for core processes." He said much DOD work is already outsourced, but to other government agencies such as the Defense Finance and Accounting Service.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above