Competing encryption modes vie for acceptance

Civilian agencies are even further away from standardizing on an electronic messaging encryption method, as dispute over the suitability of three competing standards already in use intensifies.

What is becoming clear is that Fortezza-based encryption, to be used in 2 million Defense Department PC systems to secure messages over the Defense Message System, is unlikely to be deployed by many of the civilian agencies.

DMS is the model for many civilian agencies' messaging systems, but observers see little comparison between civilian encryption needs and those of DOD, and agencies are looking for less expensive and more easily employed solutions.

"Civilian agencies realize that DMS may not provide all the answers," said Lynn McNulty, president of McNulty and Associates, at a recent IDC Government seminar. "The government is trying to look at higher issues. There is a lot of policy that needs to be made before other decisions [about products] are made."

Currently at issue is what software standard to adopt. Federal agencies are using a range of software solutions to secure their electronic mail.

"The users appear to be using a whole variety of things," said Phil Mellinger, chief engineer of the General Services Administration's Federal Security Infrastructure Program. "I don't think there's a whole lot of consensus right now. It's survival of the fittest."

Mellinger said he believes a standard will come about by evolution rather than by government mandate. An evolving standard may be more likely to match what the industry is providing to users.

The Internet Mail Consortium, an industry organization promoting the uses of mail on the Internet, has identified three security technologies likely to become the standard for securing e-mail: the Message Security Protocol for X.400, Secure Multipurpose Internet Mail Extensions and Pretty Good Privacy. None of these is interoperable with the other two.

"As of right now, it appears there are at least three viable competing alternatives, and the situation will be resolved in a way that is messier than the VHS and Beta war," said Dave Crocker, principal with Brandenburg Consulting, Sunnyvale, Calif. "Products will have to ship with all three, and users will have to pay attention to those and start dealing with them for at least the next couple of years."

Civilian agencies are choosing a solution based on what the application is, and there does not appear to be a standard even within agencies themselves and in dealing with the public. However, at least for now, there does not appear to be a sense of urgency.

"We assume there will be products available on a governmentwide basis to the civilian agencies," said Neil Stillman, deputy assistant secretary for information resources management at the Department of Health and Human Services. "That's the direction it's headed."

He added that HHS "is not yet at the problem" where an agencywide decision on secure messaging needs to be made. "But we hope that when we are, the solution arrives."

"There are a lot of products out there we can use," said Ron Hack, director of the Office of Systems and Telecommunications Management at the Commerce Department. "It depends on the level of security you require.

"Many civilian agencies don't require electronic messaging outside of the agency," he said. "If they have a need for sensitive security, then they can use encryption, and there are lots of options to encrypt."