DOD ignores security policy

Despite a growing awareness of security threats and hacker attacks, many Defense Department agencies are ignoring a policy that requires the use of certified secure operating systems and are choosing instead to use commercial operating systems, such as Microsoft Corp.'s Windows NT, for critical applications.

For many years, DOD agencies seeking secure systems purchased operating system configurations given a C2 rating under the National Security Agency's Orange Book (the DOD Trusted Computer System Evaluation Criteria), which defines the security requirements a product must meet at each evaluation level. According to a 1988 directive, DOD agencies are required to use commercial products that have been evaluated by NSA and designated as trusted computer products. In the Orange Book's rating scale, C2, "controlled-access protection," is a relatively low level of security built on individual accountability: each user is identified and authenticated, access to objects is controlled per user, and security-relevant actions are audited.

Ed Giorgio, a principal at Booz-Allen & Hamilton Inc. and former chief of cryptanalysis and cryptography at NSA, said the advent of networking has resulted in a gap between the policy for certified systems and agencies' practices.

"None of the networked systems really meet any kind of a reasonable level of protection for classified information," Giorgio said. "We're in a very bad situation right now. Systems that are approved for classified information are getting connected in ways they shouldn't be, making them insecure."

However, many DOD agencies appear to be ignoring the C2 requirement, particularly with the widespread adoption of Windows NT. Only one configuration of Windows NT, Version 3.5, has been certified C2, according to NSA, and that configuration, evaluated in 1995, is a stand-alone one: it cannot be connected to a network, and it requires a software "patch" to fix a bug. Windows NT 4.0, including its networked components, was submitted to NSA in October 1997, but it has not yet been certified, said Scott Culp, Microsoft's security product manager. Windows NT 4.0 also has been submitted for testing in England against standards the United States has indicated it will soon recognize.

"Security is at the top of our priority list," Culp said. "We are building security into our products because we need it, not because it's a process we have to go through."

According to a statement from NSA provided to FCW, "NSA believes all users of security products should have adequate information in order to determine the appropriateness of the products being used in their systems. This should, at a minimum, include a third-party evaluation of the product as well as a review of how the product is implemented in the system."

But most DOD users are not buying the certified configuration. The Navy is deploying Windows NT 4.0, which has not been C2-certified, as part of its Information Technology for the 21st Century (IT-21) initiative, which defines the basic computing environment aboard ships and on shore. As part of IT-21, the Navy is porting several command and control applications to Windows NT.

Meanwhile, the Air Force in April awarded a contract to a four-vendor team to pilot an initiative to move command and control applications from Unix to Windows NT.

The Navy's information security program office has developed a Windows NT 4.0 security configuration guide, said Capt. Dan Galik, program manager of Navy information systems security at the Navy's Space and Naval Warfare Systems Command.

This guide also was adopted with minor modifications by the Defense Information Systems Agency when DISA approved Windows NT for inclusion in the Defense Information Infrastructure Common Operating Environment, which defines the standard computing environment for command and control applications.

Galik said using the Windows NT version that had been certified by NSA would have been contrary to the IT-21 goal of supplying the best commercial systems to fleet users because this version was "largely ignored by most commercial users due to functional problems and a perplexing graphical user interface."

"This is clearly a nonstarter when one of the fundamental requirements of IT-21 is to move the Navy into a position to exploit network-centric warfare," Galik said. "We must have a network. NT 4.0 has the same C2 security features as 3.5; they have just not been evaluated by the NSA."

Galik added that the Navy relies on a "defense in depth" approach, which includes several layers of security protection in addition to the operating system. These additional layers include firewalls, intrusion detection products and anti-virus software.

Microsoft's main operating system competitor, Sun Microsystems Inc., stopped submitting products for NSA evaluation several years ago. Instead, Sun's recent versions of the Solaris and Trusted Solaris operating systems, beginning with Version 2.4, have been certified by testing laboratories in England as meeting newly emerging international standards called the Common Criteria for Information Technology Security Evaluation.

John Leahy, Sun Federal group manager for government affairs, said the company made the change after it found that NSA testing was taking years and that the version that was finally certified was obsolete by the time it was C2-approved. In contrast, testing in Europe against the Common Criteria takes only months to complete, he said.

Although NSA maintains a close dialogue with the English testing lab, the agency said in a statement that it does not recognize the English evaluations for products that likely would be used in classified government systems, where a high degree of assurance in the integrity of the product is required.
