I have to admit it's getting better
Brian D. Snow, technical director of the National Security Agency's Information Assurance Directorate, stood before the RSA Conference 2001 in San Francisco last month and made his familiar plea.
'I'm from NSA, and I'm here to ask for your industry's help,' he said.
He wants off-the-shelf hardware and software to assure safety for sensitive but unclassified data traffic. But he doesn't want new security features.
'What we really need but are unlikely to get are greater levels of assurance' in existing products, he said.
Snow's definition of assurance is security that works, especially in a hostile environment. 'I'm not asking for development of new science,' he said, but for vendors to perfect the science already deployed.
Snow has been making the plea for some time now. He gave essentially the same talk at the Black Hat Briefings last July and said he would give it three more times this year. But there is good news. 'I'm changing the talk next year,' he said.
His public complaints are for the unconverted, Snow said. Privately, he is a little more optimistic about prospects for information assurance.
Open-source developers are beginning to embrace NSA's secure Linux kernel, which will be incorporated in a future release of a commercial product, he said. And he has talked with several vendors that, he said, seem to want to build high-quality reputations for their information assurance products.
Snow said he and other government users are more interested in the quality of the products they use than in the new features of the latest release.
Building in assurance, of course, lengthens the development cycle, anathema to companies competing on Internet time. But if users insist on reliability, information assurance in off-the-shelf products could turn into a selling point.
There are some indications this is happening.
Christopher Darby, president and chief executive officer of Internet security consultancy @stake Inc. of Boston, said more companies are putting quality above speed.
An off-the-shelf product that truly works could be worth more, both to a company's bottom line and to the users' peace of mind, than all of Silicon Valley's patches and service packs.