DOD ignores security policy

Despite a growing awareness of security threats and hacker attacks, many Defense Department agencies are ignoring a policy that requires the use of certified secure operating systems and are choosing instead to use commercial operating systems, such as Microsoft Corp.'s Windows NT, for critical applications.

For many years, DOD agencies seeking secure systems purchased operating system configurations that had earned a C2 rating under the Orange Book, the Trusted Computer System Evaluation Criteria against which the National Security Agency evaluates products. A 1988 directive requires DOD agencies to use commercial products that NSA has evaluated and designated as trusted computer products. In the Orange Book rating scheme, C2 ("controlled access protection") is a basic, low level of security built on individual accountability: it is intended for systems that need discretionary access control, protection against reuse of freed storage, and an audit trail that ties actions to individual users.

Ed Giorgio, a principal at Booz-Allen & Hamilton Inc. and former chief of cryptanalysis and cryptography at NSA, said the advent of networking has resulted in a gap between the policy for certified systems and agencies' practices.

"None of the networked systems really meet any kind of a reasonable level of protection for classified information," Giorgio said. "We're in a very bad situation right now. Systems that are approved for classified information are getting connected in ways they shouldn't be, making them insecure."

However, many DOD agencies appear to be ignoring C2 requirements, particularly with the widespread adoption of Windows NT. Only one configuration of Windows NT, Version 3.5, has been certified C2, according to NSA, and that configuration, issued in 1995, cannot be connected to a network and requires a software "patch" to fix a bug. Windows NT 4.0, including networked components, was submitted to NSA in October 1997, but it has not yet been certified, said Scott Culp, Microsoft's security product manager. Windows NT 4.0 also has been submitted for testing in England against standards the United States has indicated it will soon recognize.

"Security is at the top of our priority list," Culp said. "We are building security into our products because we need it, not because it's a process we have to go through."

According to a statement from NSA provided to FCW, "NSA believes all users of security products should have adequate information in order to determine the appropriateness of the products being used in their systems. This should, at a minimum, include a third-party evaluation of the product as well as a review of how the product is implemented in the system."

But most DOD users are not buying the certified configuration. The Navy is deploying Windows NT 4.0, which has not been C2-certified, as part of its Information Technology for the 21st Century (IT-21) initiative, which defines the basic computing environment aboard ships and on shore. As part of IT-21, the Navy is porting several command and control applications to Windows NT.

Meanwhile, the Air Force in April awarded a contract to a four-vendor team to pilot an initiative to move command and control applications from Unix to Windows NT.

The Navy's information security program office has developed a Windows NT 4.0 security configuration guide, said Capt. Dan Galik, program manager of Navy information systems security at the Navy's Space and Naval Warfare Systems Command.

This guide also was adopted with minor modifications by the Defense Information Systems Agency when DISA approved Windows NT for inclusion in the Defense Information Infrastructure Common Operating Environment, which defines the standard computing environment for command and control applications.

Galik said using the Windows NT version that had been certified by NSA would have been contrary to the IT-21 goal of supplying the best commercial systems to fleet users because this version was "largely ignored by most commercial users due to functional problems and a perplexing graphical user interface."

"This is clearly a nonstarter when one of the fundamental requirements of IT-21 is to move the Navy into a position to exploit network-centric warfare," Galik said. "We must have a network. NT 4.0 has the same C2 security features as 3.5; they have just not been evaluated by the NSA."

Galik added that the Navy relies on a "defense in depth" approach, which includes several layers of security protection in addition to the operating system. These additional layers include firewalls, intrusion detection products and anti-virus software.

Microsoft's main operating system competitor, Sun Microsystems Inc., stopped submitting products several years ago for NSA evaluation. Instead, Sun's recent versions of the Solaris and Trusted Solaris operating systems, beginning with Version 2.4, have been certified by testing laboratories in England as meeting newly emerging international standards called the Common Criteria for Information Technology Security Evaluation.

John Leahy, Sun Federal group manager for government affairs, said the company made the change after it found that NSA testing was taking years and that the version that was finally certified was obsolete by the time it was C2-approved. In contrast, testing in Europe against the Common Criteria takes only months to complete, he said.

NSA said in a statement that although it maintains a close dialogue with the English testing lab, it does not recognize products tested in England for use in classified government systems, where a high degree of assurance in the integrity of the product is required.