Certifiably trusted: Security assurance


As the calendar flips to fall, the Beltway remains embroiled in a bitter health care reform debate. Stubborn lawmakers from both sides of the aisle are butting heads to determine whether government should fund a public option designed to insure the tens of millions of Americans without coverage.

Rob Housman wants to provoke a similar conversation on Capitol Hill. Except Housman, who founded the nonprofit, Washington D.C.-based Cyber Secure Institute (CSI) last year, is championing something else that he believes government must step in to reform: the assurance levels of security and other IT products.

It is a cause that is not receiving even a fraction of the focus in Congress that health care is, but it is one in which Housman believes all Americans are similarly vested. His organization is trying to shake up the status quo by pushing government organizations and critical infrastructure providers – such as power plants and water companies – to deploy the “best available” technologies to fend off today's sophisticated and targeted attacks.

“Right now, what we have is market failure,” says Housman, executive director of the CSI, a research and advocacy group. “Nobody knows who's being hacked, for the most part. There are no standards in place. Technology manufacturers make wildly exaggerated claims about the security of their systems. When you have market failure, the government, at least at some level, has to step in and correct it, and I think that's where we're at.”

Housman, the former assistant director for strategic planning in the Office of National Drug Control Policy during the Clinton administration, says the IT security marketplace is fundamentally flawed. Buyers of technologies are not demanding the most robust products and, as a result, manufacturers are creating solutions that cluster somewhere in the middle – reliable enough to stop the average script kiddie, but not nearly advanced enough to deter the most advanced attacks. (Consider Heartland Payment Systems, TJX or anonymous reports in April that foreign spies penetrated the U.S. power grid.)

As a result, end-users are left devoting precious time and resources to “bolting on” security and patching flawed IT systems after the fact, instead of implementing a thoroughly tested solution from the start, Housman says.

“The technologies that we rely on today are certified, in essence, as insecure against the threats we face, which is why we have these constant problems,” he says. “If you're talking about federal systems or critical infrastructure, our role is to push for more secure and cutting-edge technologies that can defend us from sophisticated, intentional, well-funded attempts to penetrate.”

That means CSI is targeting not only policy-makers, but also average Americans – the ones who entrust organizations with their sensitive data (or to keep their electricity on). “We're trying to make people aware that most of the systems we rely on today are completely and totally insecure,” Housman says.

Organizations, both public and private, are hamstrung by a seemingly endless array of compliance demands drafted to protect against a breach. But only in the federal government are entities required to purchase certified IT solutions to meet those mandates and safeguard their networks. The National Information Assurance Partnership (NIAP), managed by the National Security Agency, conducts these product evaluations on behalf of some 20 government agencies. Products are graded on an Evaluation Assurance Level (EAL) of 1 to 7, which assesses their conformance to Common Criteria, an international standard that measures the security of IT systems. The tests essentially examine how well IT offerings stack up against what the vendors claim. Roughly 1,200 products have been evaluated since the standard was created in 1999.

All mainstream IT products – including ubiquitous platforms, such as Microsoft Windows – have achieved only an EAL 4 certification, due to the extreme time and cost involved. Santa Barbara, Calif.-based Green Hills Software, which sells operating systems to the military, is one of only two providers that have obtained EAL 7 certification (Tenix is the other).

Housman says all government organizations and critical infrastructure providers should deploy products that meet EAL 6 or 7 certifications, the levels intended for environments with the “presence of both sophisticated threat agents and high-value resources,” according to NIAP.

“Technologies that meet those requirements are what we ought to be using for the things that matter,” Housman says.

But Shaun Gilmore, NIAP's technical director, says most IT makers seek to achieve an EAL 4, at most, because that designation is the highest level that is mutually recognized by NIAP and the 26 countries that use Common Criteria. In addition, he admits, the sheer cost and time spent for Common Criteria evaluation is a turn-off for vendors wanting to go to market quickly.

EALs beyond 4 require all code to be “semiformally or formally modeled” to “make sure, mathematically, there are no flaws in the product,” Gilmore says. “A complicated product is not going to be able to achieve an EAL 7 within a reasonable time, scale or cost.”

Carol Saulsbury Houck, director of NIAP, agrees. “The mass commercial market isn't out there for a high [EAL] level,” she says.

Santa Clara, Calif.-based McAfee, one of the world's leading IT security firms with 2008 revenue of $1.6 billion, has 12 major product lines that regularly go through Common Criteria evaluation. Greg Brown, the company's senior director of product marketing, says EAL 4 is the “recommended standard for purchasing products.”

“If it takes three months to do EAL 1, it takes 10 years to do EAL 7,” Brown says. “[Customers] would never be able to buy products. The deeper you investigate the integrity of the products, the more information you need to evaluate.”

Yet some wonder whether the lower EAL designations hold any value at all. According to NIAP, EAL 4 certifies protection against “inadvertent or casual attempts to breach the system security.”

David Kleidermacher, CTO of Green Hills, said earlier this year at the Embedded Systems Conference in San Jose, Calif., that EAL 1 to 4 certifications are “essentially meaningless and have wasted immense amounts of money and time,” according to a story in Military and Aerospace Electronics magazine.

But even if Housman's group reaches its goal of getting federal requirements to force certain organizations to deploy only the “best available” technology that the market produces, as judged by NIAP, organizations still would be reliant on human beings to implement and deploy the products effectively, experts say. Without properly configured solutions, even the most hardened technologies could fall to an attack.

“We really don't know what it takes for a system to be secure,” says Ravi Sandhu, founder and executive director of the Institute for Cyber Security at the University of Texas at San Antonio. “You can still deploy them incorrectly. Just deploying products that have achieved a certain level of security doesn't mean your overall system is going to be secure. Let's say you buy a product that does encryption. Encryption can be very strong and resistant to cryptographic attacks, but if you don't manage the keys, your overall system can be compromised.”

But Housman says he believes manufacturers are capable of producing IT that can overcome configuration shortfalls. Today's technologies should “make up for your mistakes,” he says. “It should be so secure you can't screw it up.”

And flawless deployment is not enough on its own anyway, he says. “Even if every end-user does everything perfectly, even if there are no configuration mistakes, even if it was properly installed – if you are using an insecure technology, you're going to get penetrated.”

Aside from forcing organizations to use certain technology, Housman is relying on change within the C-level suite to demand inherently secure products. But that may run counter to today's bare-bones mentality, in light of the troubled economy and focus on compliance demands, says John Kindervag, senior analyst at Forrester. The bonuses of many security managers are tied to how many budget lines they can keep off spending plans, he says. Plus, security teams are incentivized to fulfill compliance regulations first and, if there is any money left over, worry about countering the most serious threats to a network.

“We have bigger problems. Unless companies are forced to do it, they won't put good security in,” Kindervag says. “They want the easy way out and they want it to be cheap. They don't even know or care if it's secure. They want the impression of security. Hope is the greatest threat mitigation strategy in many large organizations: ‘We just hope we don't get hacked. We're guessing the odds are in our favor.’”

An overhaul coming
The organizations that best protect their infrastructure from cyberattack are the ones most skilled at evaluating risk, Sandhu says. After all, certifications simply provide insight into the security of an individual technology. They do not take into account the unique environments in which the products are deployed.

“You have to have context before you can say something is secure,” Sandhu says. “At the end of the day, security is about risk management and risk mitigation at the system level. We have to take that point of view that we can't reduce it to the effectiveness of individual products. There's more to maintaining an automobile than saying you should use oil that has this rating.”

But NIAP, in response to frequent criticism, believes it at least can offer some help ridding products of vulnerabilities and requiring the development of more trusted IT.

Phil Dunkelberger, CEO of Menlo Park, Calif.-based encryption maker PGP Corp., likens Common Criteria to data security guidelines, such as PCI. “They're snapshots in time,” he says. “You can be fully compliant one day and, with the evolving threats that are out there, be out of compliance the next day.”

Common Criteria has a number of drawbacks, he says. They include the lag time and high cost – it often takes 12 to 24 months for a product to be evaluated and a test could run as high as $1 million per product. That means smaller companies that might produce a best-of-breed solution cannot sell to government because they cannot afford to be evaluated, which, experts say, threatens innovation.

The main qualm that McAfee's Brown expresses is that Common Criteria gives no consideration to the threat protection capability of the product in question. Instead, the framework allows the vendor to define the protection profiles against which the evaluation is conducted.

“There is no mechanism in the government certification world to give consideration to that vendor protection capacity,” Brown says. “In order to provide protection, you have to understand the threat landscape. That's an ongoing investment. Products have to be designed so they can leverage the research you're doing.”

NIAP's Gilmore says his organization plans to get away from the existing model. Instead of the vendor providing what it wants to be evaluated, NIAP would offer them a set of requirements, depending on the type of technology, against which they must be evaluated. That way, the manufacturer “can't exclude things we think are critical.”

“We're working with industry to develop protection profiles to represent what is achievable for that product type,” Gilmore says. “We're going to say, ‘Here's our profile that we developed within industry that we think is achievable.’ And if industry buys into that early, at least we know it's not unreasonable.”

In addition, with version 4 of Common Criteria due out at the end of next year, the partnership hopes to find a way to lower the time and cost that vendors must invest in the process. More important, perhaps, is NIAP's plan to also conduct additional tests that seek to discover product vulnerabilities.

“We've tried to make tweaks,” Gilmore says of the standard. “You get to the point where you can't keep making minor tweaks and have a significant impact. You can't look at a product like you used to when you're talking about millions of lines of code and ever-increasing complexity.”

Even with the planned changes, there still is nothing forcing government and other industries to deploy the best of the best, as is Housman's objective. He admits he faces an uphill climb. Most corporations are averse to government regulations. And buying more reliable IT products likely will cost more. But he contends that organizations would be willing to foot the additional expense, especially if they realize that money lost to a data breach would trump any inventory purchase.

The CSI is committed to “shaking up the world of cybersecurity,” Housman says. “If we can go to the moon, we can make a secure cyber system.”
