NSA: We're from the government. Help us.
- By William Jackson
- Aug 01, 2007
LAS VEGAS ' The National Security Agency, whose initials once seemed to stand for No Such Agency, is moving from being a proprietary to an open-source organization. Sort of.
Information technology security and information assurance is becoming too critical, too big and too complex a problem for the government to address by itself, Tony Sager, chief of NSA's Vulnerability Analysis and Operations Group, said Wednesday in an opening address at the Black Hat Briefings computer security conference.
"We've got to figure out how to solve this problem with solutions that scale across the entire community," Sager said. That means his agency has to bring its information to the table and find common ground with the private and academic sectors. "'We're from the government and we're here to help' doesn't work with this crowd."
Although much of NSA's work remains secret, Sager's group is a reflection of the need to develop open and standardized security and research practices.
When he began working at NSA in 1977, "it was a dramatically different security problem," he said. IT security was a government monopoly. "The government owned the problem" and could control the technology. "Those days are over."
NSA has struggled with the change in culture. "But you have no choice but to be concerned about the security of commercial products" over which the government has no control, Sager said. "We changed the way we behaved" to gain the trust and cooperation of the security research community.
The development of security guidelines for operating systems is an example of this evolution. The NSA's security guidelines for Windows NT in 1999 were just one of 14 different sets of such guidelines for that OS. But the complexity of Windows 2000 made the job too difficult for NSA to tackle alone effectively. The agency built a cross-agency, public-private partnership with the Defense Information Systems Agency and the National Institute of Standards and Technology, the SANS Institute and the Center for Internet Security to develop guidelines.
This led to a standard default configuration for the OS required by the Air Force, which eventually was adopted by the Defense Department and civilian agencies.
NSA now is partnering with other agencies in developing a number of open programs such as the Common Vulnerabilities and Exposures scheme and the Security Content Automation Program housed at NIST. The collaborative process originally was like herding cats, Sager said, but standards for moving and using vulnerability information are beginning to mature.
William Jackson is a Maryland-based freelance writer.