DHS Security Chief on Wireless Networks
by Matthew Gast
Last week, I attended a conference in Washington, D.C. put on jointly by the Wi-Fi Alliance and the publishers of Government Computer News. One of the keynote speakers was Robert C. West, the Chief Information Security Officer of the Department of Homeland Security (DHS).
Entrenched standards have a way of frustrating new efforts, even outside of technology. DHS began life as 22 separate organizations which were combined into one sprawling complex by Congress. Though there were nominally 22 organizations, many had no staff or budget; in practice, DHS was built from the six largest organizations: the Coast Guard, Secret Service, FEMA, INS, Border Patrol, and TSA. Six existing organizations meant six large legacy infrastructures to be tied together, and it's not a stretch of imagination to think about the political problems associated with it.
To get the headquarters up and running, DHS re-used a TSA contract. The TSA hired an integrator to develop packages for airport screening systems, so an airport goes to the integrator and purchases the small, medium, or large airport package. DHS used a "large airport" package to get their D.C. headquarters running quickly, but soon found the TSA was not a useful template. Network re-use is hard (just like code re-use, I suppose). DHS had to spend time to separate out the headquarters infrastructure from the rest of the network so it could be more flexible than a TSA airport installation.
Wireless networks are a hot topic at DHS, just as they are in much of the rest of the world. The starting policy for wireless is that it was not allowed, period. No 802.11, no cell phones, nada. This changed when the advantages of wireless networks started to be appreciated. For all their faults, mobile telephones are often only the piece of equipment that first responder units will have which are interoperable. A second example came when a federal air marshal was able to thwart a kidnapping because of quick communications. Air marshals have PDAs, which are their main communications devices, in spite of the "no wireless" policy adopted by the department. The technology has been developed to the point where air marshals can be in contact with computer systems even while in flight at 30,000 feet. An air marshal was recently able to respond to an Amber Alert and rescue a missing child, thanks to the wireless system. With the advantages of wireless networks becoming clearer, the policy changed to allow wireless networks upon further review and analysis.
The Federal Information Security Management Act (FISMA) directs federal agencies to follow NIST recommendations on computer security. NIST's wireless network recommendations, SP 800-48 was published in November 2002. West stated that he didn't feel it was a useful document because it was too short on technical specifics. (I'm well aware of the development of wireless technology in the past two years, since I see a need to update another written work from 2002.) In absence of clear technical direction, DHS is currently defining requirements across the department, performing cost/benefit analyses, and developing network architectures and policies.
Additional note (added September 28, 2004): Washington Technology has run a story about the conference.