Many Devils in GOVNET Details

by Andy Oram

A grandiose scheme for a self-contained government network has been
reported in Wired and internet.com. The proposal has already received
enough criticism to suggest that it will quietly vanish, but the
Request for Information (available only in Microsoft Word format)
makes for amusing reading, if nothing else. Several passages
illustrate the naïve errors that tend to be made by people who haven't
been initiated in the practices of computer security. Because of that,
the proposal leaves me doubting the ability of the new Advisor for
Cyberspace Security or the more established General Services
Administration to rise to the challenge presented by our current
crisis.

First off, no computer user of any sophistication can miss the irony of
an agency promising iron-clad security, which "shall be impossible for
malicious code (e.g., computer viruses) to penetrate," while requiring
both the Request for Information and all responses to be in Microsoft
Office formats.

Voice communication and potential video will include
"multicast/broadcast" capabilities. What do the authors mean by
"broadcast"? Outside of Ethernet or spread spectrum radio, I don't
understand how that term applies to digital media. And every kind of
broadcast I can think of implies easy interception by unintended
listeners.

Perhaps broadcasting—whatever it is—will not be a problem
if strong encryption is used, as the Request for Information
promises. But it does not ask what mechanism will be used to
distribute keys or authenticate users. Those little details, as
security experts always say, are probably more critical to get right
than the simple statement that encryption will be used.

And why do the authors explicitly say, "No encryption of routing or
addressing information is contemplated at this time"? If that
information is unimportant, why was Attorney General Ashcroft so
anxious to put interception capabilities into the Anti-Terrorism Act
(now called the USA act)?
And if you try to save some trouble by not encrypting the routing or
addressing information, how can you prevent spoofing and
man-in-the-middle attacks?
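
The question raised in the last two paragraphs, whether "encryption will be used" protects against spoofing when addressing information travels in the clear and unauthenticated, can be made concrete. The Python below is an added illustration, not code from the original article or from the GOVNET proposal; its keys, nonce, header and payload are constructed, and its HMAC-based keystream is a stand-in for a real cipher.

```python
"""Payload encryption alone does not stop an in-path relay from
rewriting the cleartext addressing fields.

Constructed example: a message carries a cleartext header (src, dst)
and an encrypted payload. Variant A authenticates only the ciphertext;
variant B binds the header into the tag (the associated-data idea).
The keystream is HMAC-SHA256 in counter mode, an illustrative stand-in
for a real cipher, not a recommendation."""
import hmac, hashlib, struct

def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def _xor(data, key_bytes):
    return bytes(a ^ b for a, b in zip(data, key_bytes))

def seal(enc_key, mac_key, header, payload, nonce, bind_header):
    """Encrypt payload; tag covers the ciphertext, and the header only if bind_header."""
    ct = _xor(payload, _keystream(enc_key, nonce, len(payload)))
    aad = header if bind_header else b""
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {"header": header, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(enc_key, mac_key, msg, bind_header):
    """Return the payload if the tag verifies, else None (message rejected)."""
    aad = msg["header"] if bind_header else b""
    expect = hmac.new(mac_key, aad + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):
        return None
    return _xor(msg["ct"], _keystream(enc_key, msg["nonce"], len(msg["ct"])))

def reroute_demo(bind_header):
    """Simulate a relay changing the destination; return what the receiver accepts."""
    enc_key, mac_key = b"k" * 32, b"m" * 32    # constructed keys
    nonce = b"\x00" * 12                        # constructed nonce
    header = b"src=agencyA;dst=agencyB;"       # cleartext addressing, as in the RFI
    msg = seal(enc_key, mac_key, header, b"budget figures", nonce, bind_header)
    # The relay rewrites the cleartext destination; the ciphertext is untouched.
    msg["header"] = header.replace(b"dst=agencyB", b"dst=agencyC")
    return unseal(enc_key, mac_key, msg, bind_header)

if __name__ == "__main__":
    print("payload-only tag, rerouted message accepted:", reroute_demo(False))
    print("header bound into tag, rerouted message rejected:", reroute_demo(True))
```

With the header left out of the tag, the receiver decrypts the redirected message as if nothing happened; binding the addressing fields into the authentication is what turns the rewrite into a detectable failure.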

Threats to the proposed infrastructure are not the only things that
the Request for Information puts on indefinite hold. Also relegated to
"a later date" are such fundamental questions as "security management
requirements" and "security of network management and control
technologies." It's not hard to define a fully secure system, so long
as you don't mind leaving a few back doors.

I wish I could find some point of merit, or even something showing
careful consideration, in this Request for Information. Why didn't
they start with the fundamental security question—controlling who uses the system
and how accounts are assigned and revoked?
Why didn't they include the standard, well-known advice that
the source code for all software be vetted for security before it can
be loaded on any system? Why don't they address the obvious question
of how to exchange information with collaborators (such as vendors or
non-federal agencies) who lie outside the network, instead of
blustering that "There will be no interconnections or gateways to the
Internet or other public or private networks"?

Absent such considerations, which pop into my mind within the first
couple minutes of reading the document, I am left with just the
evidence of bluffing and irresponsible overconfidence. GOVNET "will
support critical government functions and will be immune from
malicious service and/or functional disruptions to which the shared
public networks are vulnerable (i.e., so-called cyber attacks)."
However, they are quite confident that the network will "evolve to
maintain technology and service currency with state of the art
commercial services to the maximum extent practical." (Microsoft
Office?) Meanwhile, it will "provide the highest levels of reliability
and availability" (although they deliberately refuse to "specify a
particular requirement for availability or reliability").

It's getting late. The country needs a strategy. It doesn't necessarily
have to be controlled from any center. I have always said
that true security comes from grass roots. (See my article
Cyber Hygiene, Not Cyber Fortress Protects Our Networks, for instance.)
Furthermore, security for federal agencies is not uppermost among my
worries (except for obvious cases like the military and the FBI). I
would rather have someone mess around with records at Housing and
Urban Development (federal) than screw up a water filtration plant
(local) or delete hospital records (private). But this does not free
federal agencies to engage in buffoonery such as this Request for
Information.

Can this plan be fixed?