DOD taps Netscape for security

In a dramatic change of direction, the Defense Department next month plans to turn to commercial products from Netscape Communications Corp. to provide many of the advanced security features slated for the much-delayed, billion-dollar Defense Message System.

The Defense Information Systems Agency, which manages DMS, intends to use Netscape to secure all communications classified top secret or below, said John Menkart, Netscape's regional sales manager.

Servers from Netscape will issue and manage software certificates that carry digital signatures as part of the Defense Medium Assurance Public Key Infrastructure, which will be the largest public-key infrastructure (PKI) in the world and one of the first in the federal government, according to industry sources. The cost of the products needed to launch the new security effort will be covered by DISA's 1997 purchase of a site license covering browsers and servers for 2 million users, he said.

The latest move places Netscape once again in a battle with Microsoft Corp. and Lotus Development Corp. for control of DMS desktops. Microsoft's and Lotus' products are DMS-approved, but one knowledgeable industry source said, "Netscape can meet 90 percent of the DMS requirements today. Why would you want to run something else?"

"They needed to come up with an architecture that enabled them to deploy certificates to the masses," said Netscape's Menkart. "Our technology leverages the directory and the certificate infrastructure to create a secure and robust environment."

The software certificates would be used by DOD employees to authenticate themselves to access various business applications, including administrative, procurement, health care, travel, payroll and personnel data.

In addition, the certificates will be used to perform encryption to protect data in transit across a network, secure e-mail and protect users while accessing sensitive documents.

While not directly addressing the Netscape issue, a former key DISA official backed PKI as an economical alternative for DOD. William Curtis, deputy director for procurement and logistics at DISA until accepting a new job as the Pentagon's Year 2000 czar last week, said, "Not everyone needs high-cost government security. We can use lower-cost commercial solutions." Curtis added that DOD has a "huge" need for PKI.

According to industry sources, DOD also plans to use PKI to support other applications, including a paperless process for authorizing and reimbursing travel expenses. (For more information, go to www.fcw.com.)

PKI would be a major divergence from DOD's plans developed more than a decade ago to arm all DOD employees with Fortezza-based hardware encryption to secure e-mail communications as part of DMS. DOD officials gradually have been backing away from the use of costly Fortezza cards, instead calling for commercial off-the-shelf solutions for securing communications.

One knowledgeable former DOD official said the plans for PKI reflect the thinking of only a few, albeit high-ranking, DISA officials who long ago tired of the complex DMS architecture as well as its slow testing and fielding.

According to the industry source, DOD knows that Fortezza cards are exorbitantly expensive and difficult to deploy widely. While some users will need the high level of security provided by Fortezza, many others will be adequately protected using software encryption provided by Netscape.

"There's a recognition in the commercial marketplace and in [DOD] that you don't need to put a bank vault on every door in DOD," the source said. "Sometimes you just need a good lock and key."

Microsoft, which has invested years of development and money to develop a DMS-compliant version of its Exchange product, questioned a DISA endorsement of Netscape and its PKI architecture.

"Why would DISA want to try to develop two separate systems: DMS and a separate PKI?" said Mitra Azizrad, systems manager and DMS products manager for Microsoft Federal. "That's a question we have, as well as most of our DMS customers."

She added that it appears that DISA intends to establish "parallel" messaging systems because she does not believe Netscape can meet DMS' top-secret requirements. However, if DISA does decide to embrace digital signatures as a standard, Microsoft intends to participate. "We can play in both universes: the commercial market and the high-security market," she said.

If DISA does plan to move its lower-level messaging to commercial products, Lotus, the other DMS messaging supplier, also will have an entrant. Keith Attenborough, the DMS product manager for Lotus, said the company plans to deliver a DMS World Wide Web browser in September.

John Pescatore, senior consultant with Trusted Information Systems Inc., said DOD would be taking a "major step forward" in the security arena by deploying a PKI. Canada is the only other government in the world that has moved toward launching a PKI, Pescatore said. "Most of the rest of the [U.S.] government still has no way to authenticate employees or citizens," he said.

In response to a DOD requirement, Menkart said Netscape also will be developing "key escrow" functionality in its next-generation products. This controversial technique allows a third party (in this case, DISA) to store a copy of a key needed to decode encrypted messages if a user loses his key or leaves an organization.

However, this method of storing a key has become a hot-button issue between industry and law enforcement agencies. Led by the FBI, law enforcement agencies want this technology to be widely used so that they can unscramble data involved in criminal cases.