Feds Talk Security

Federal agencies, others join on security guidelines.

Tired of waiting for a consensus among corporate CIOs and security experts on how to lock down their networks, a group of federal agencies and industry organizations last week released guidelines of their own. The move, however, is being seen by some as the first step toward governmental regulation of security standards.

While government officials have been quick to say the Consensus Baseline Security Settings for Microsoft Corp. Windows 2000-based machines are only suggestions, security experts remain split, calling the list either a helping hand or heavy-handed.

"Assuming that the new security settings are well- thought-out, I think this is a good idea," said Phil Zimmermann, chief cryptographer at Hush Communications Inc., in Vancouver, British Columbia, who fought a long-running battle with the government over efforts to export his Pretty Good Privacy encryption software. "For too long, Windows machines have been wide open to attack. Anything that will tighten up millions of Windows machines will improve our collective immune system."

The guidelines are suggested base-line settings for machines running Windows 2000.

They were developed jointly by the Presidents Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, the Defense Information Systems Agency, and the SANS Institute. The group also released a small vulnerability scanner to check each machines settings.

While the guidelines are not yet mandatory for government agencies, most departments intend to implement them and expect their private-sector contractors to do likewise.

"I think CIOs within government are expected to implement these base lines," U.S. Air Force CIO John Gilligan said at the unveiling of the standards at the GSA here last week. "As we begin to establish these benchmarks, they would become effectively mandatory across the federal government."

Regardless of the governments intentions, some users are still not entirely comfortable with Washingtons involvement in the security industry.

"Having minimum standards of security is a good thing," said Fred Dunn, Short Message Service administrator at the University of Texas Health Science Center, in San Antonio. "Having the [government] set those standards, well, well have to wait and see. Earlier, the breach of a single system used to cause problems for one or a few, but internetworking and the complexity of operating systems has changed the rules."

Richard Clarke, President Bushs special adviser for cyber-security, emphasized, however, that the federal government does not have the legal authority today to impose technology requirements on the private sector. "Were not going to have federal requirements as the solution to the private sectors problems," he said at the announcement.

Nevertheless, the collaborating organizations emphasized that last weeks announcement is only the beginning and that they intend to develop standards for a wide range of software products, including firewalls, Oracle Corp.s database software and Microsofts IIS (Internet Information Services) Web server.

"Were forming an Oracle database team, and we have yet to get into printers, faxes and scanners," said Clint Kreitner, president and CEO of CIS, in Bethesda, Md., adding that the standards are not likely to break applications.

Officials at Oracle and Microsoft welcomed the development of guidelines for their products and said that just the governments adoption of the settings could change things for the better.

"The government is one of the largest consumers of IT software and can change the market and persuade vendors to change their practices," said Mary Ann Davidson, chief security officer at Oracle, in Redwood Shores, Calif. "They should be very demanding. I think enterprises probably will adopt [the guidelines] just because of the caliber of the entities involved in drafting them."

"The government agencies involved have a lot of security experience, and I think its very appropriate for them to get involved," said Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash. "Anything the country does to improve security is a good thing. It should get the attention of IT managers."

Oracles Davidson said that the establishment of some consensus guidelines will help take some of the burden of security off the backs of administrators and return it to the vendors.

"The administrators shouldnt have to do a lot of work in securing our products because they never have enough time," Davidson said. "Im really interested in [the coalitions] take on what are the most important things to lock down. We want our products to be secure by default. If its not, we want to change it. You need ultimately to have a flexible configuration scheme so you can ask the customer whether they want the really paranoid installation."