Government devises computer security standards to fight most common Internet threats
Tuesday, July 16th 2002, 12:00 am
By: News On 6
WASHINGTON (AP) - Creating a "Good Housekeeping" approval seal of sorts, the government is releasing standards and a software program that will help computer users configure their systems for maximum security against hackers and thieves.
The program will be made available free to anyone and mandated for some federal agencies.
The Pentagon, National Security Agency and other agencies will join with private partners Wednesday in announcing the security standards for computers that run Microsoft's Windows 2000. The operating system is commonly used by businesses and government.
The seal of approval comes in the form of a small program that probes computers for known security flaws and makes suggestions on how to eliminate holes used by hackers.
The unprecedented effort will have immediate impact.
All Defense Department computers will have to meet the standards immediately. The White House is considering making the rest of the government follow suit.
Experts say the keys to success will be extending the standards to home and business users, making them simple enough for the public to understand and ensuring they stay ahead of increasingly sophisticated computer attackers.
"If it's just government, it won't have as much value as if it's government and the private sector," said Richard Clarke, President Bush's computer security adviser.
The private partners in the project have their eyes set on broadening the standards to other operating systems, including the Windows products most commonly used at home.
"It's a massive problem," said Clint Kreitner, head of the Center for Internet Security, a nonprofit partnership of companies and American and Canadian government agencies. "They slap their systems on the Net and get ready to go, then wonder why they get breached in the next 10 minutes."
The effort has brought together some of the biggest names in business, including computer chipmaker Intel Corp., Chevron and Visa - part of the group that helped create the standards and is encouraging their use.
Microsoft, which is embarking on its own efforts to make its software more secure, has reviewed the standards and made suggestions.
The standards have developed slowly, in part because security in the past frequently has been handled through technical security bulletins written for engineers.
"You'd give a 200-page document to a system administrator, and say, 'Have a nice day,'" Clarke said. "So no one did it."
The breadth of the problem is staggering. The technology research firm Gartner recently projected that through 2005, 90 percent of computer attacks will use known security flaws for which a solution is available but not installed.
Most recent attacks were written and released by bored youngsters testing their skills, but the government is becoming more concerned about organized attacks against federal computers from terrorists or foreign governments.
Several government agencies have had their own security standards for some time. What is new about Wednesday's announcement is that the various agencies have agreed on a single standard - a difficult task that occurred about three months ago.
Experts at the CIS, the NSA and Commerce's National Institute for Standards and Technology had three different candidates for standards at first. On April 18, the authors met in a room at NIST offices in Maryland.
"They were told they could leave as soon as they came to an agreement," said Alan Paller of the SANS Institute, a research and education group involved in the announcement.
That night, they had a document several hundred pages long describing how to make Windows 2000 secure, but still usable.
That was only half the battle, though. Clarke, the White House adviser, said they wanted to make it easy for federal network engineers to make the changes.
To fix that, the government created the software tool that grades computer security so that everyone, from the engineers to top executives, understands how secure their computers are. The tool then recommends changes.
Some government agencies, including the Air Force, plan to use their procurement power to require that vendors offer more secure versions of their software based on the standards.
"Now we can go to Microsoft and others to say that this is our common set of expectations," said John Gilligan, the Air Force's chief information officer. "Right now, we're doing the work."