NSA Looks to IT Industry to Harden Vulnerable U.S. Nets
U.S. intelligence agencies, including the National Security Agency, are increasingly turning to commercial solutions in their efforts to head off the alarming number of cyber attacks that culminated in last year's massive breach at the U.S. Office of Personnel Management.
With critics complaining that government agencies have done little since the OPM attack to harden their networks, NSA's Information Assurance Directorate is seeking vendor solutions through a program called Commercial Solutions for Classified (CSfC). Among its goals is "developing new ways to leverage emerging technologies to deliver more timely [information assurance] solutions for rapidly evolving customer requirements," the program's web site explains.
Security analysts note the effort seeks to reduce the time required to certify secure architectures and devices from years to months or weeks. The effort also reflects broader U.S. efforts to reform a moribund government acquisition system by adopting industry best practices.
NSA said last month it has so far developed product requirements for virtual private networks, campus wireless LANs, "data at rest" solutions and mobile access. Project managers added that they would continue to use equipment supplied by government contractors as well as commercial products to protect classified information. However, the new directive adds that NSA's Information Assurance Directorate (IAD) would "look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information…."
The spy agency has traditionally built and certified government systems according to strict design and implementation criteria to protect sensitive and classified data. That process remains time-consuming and unable to keep up with evolving cyber threats.
The response is CSfC, which according to a new study "serves to strengthen the national cyber-posture by enabling commercial solutions to be used in the layered solutions that protect national security systems information."
Adds the study released this week by the Washington-based Institute for Critical Infrastructure Technology: "CSfC is designed to provide agencies with a list of components vetted against a common framework that satisfies NSA IAD’s security requirements while incorporating emerging technologies and improving national security."
According to the think tank's analysis, the new NSA model relies on a "layered" information security framework made up of "redundant, trusted components that are supplied by or included in approved commercial solutions."
The layered defense approach differs from other security models such as "defense in depth," which use multiple devices to protect networks, with each device performing a different security function. By contrast, CSfC layers commercial devices that each fulfill the same security function, so that the information assurance requirement for that function is met by more than one independent component.
The layered defense approach being adopted by NSA means "each component in each layer of the overall solution is independent of components in the same layer and in adjacent layers of the security hierarchy," the institute's report notes.
The study also argues that layered cyber defenses are most effective when different components rely on a variety of algorithms, processors, protocols, platforms and configurations. Hence, the NSA effort is likely to mix and match commercial and contractor-supplied solutions as it seeks to harden government networks against increasingly sophisticated attacks.
The report also notes that NSA will ensure interoperability among commercial and contractor-supplied systems using Suite B encryption algorithms, a category of commercial crypto used for military and government as well as industry security. Along with encryption, the public-domain algorithms are used for key exchange, digital signatures and hashing, a technique for turning a string of characters into a fixed-length value (a digest).
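The layering rule and the Suite B interoperability point above can be modelled in a few lines. The following is an added example, not code from the article, the institute's report or the CSfC program: two independently provisioned layers each apply AES-256-GCM (a Suite B cipher) under their own key, an independence check enforces that no vendor or key is shared across layers, and `exposed_with_one_key` shows what a party holding only one layer's key recovers. Vendor labels and payload are constructed; the `cryptography` package is assumed to be installed.

```python
import os
from dataclasses import dataclass, field
from typing import Optional, Sequence
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, carried in front of each layer's ciphertext


@dataclass(frozen=True)
class Layer:
    """One independently supplied protection layer; the vendor label is a constructed stand-in."""
    vendor: str
    # AES-256-GCM is a Suite B cipher; each layer gets its own freshly generated key.
    key: bytes = field(default_factory=lambda: AESGCM.generate_key(bit_length=256))

    def seal(self, data: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        return nonce + AESGCM(self.key).encrypt(nonce, data, None)

    def open(self, blob: bytes) -> bytes:
        """Raises InvalidTag under any other layer's key or if the blob was tampered with."""
        return AESGCM(self.key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def independent(layers: Sequence[Layer]) -> bool:
    """The report's rule, modelled as: no two layers share a vendor or a key."""
    return len({l.vendor for l in layers}) == len(layers) == len({l.key for l in layers})


def protect(layers: Sequence[Layer], data: bytes) -> bytes:
    """Apply layers innermost first, so defeating any single layer still leaves ciphertext."""
    if not independent(layers):
        raise ValueError("layers are not independent")
    for layer in layers:
        data = layer.seal(data)
    return data


def unprotect(layers: Sequence[Layer], blob: bytes) -> bytes:
    """Peel layers outermost first; every layer's key is required to reach the plaintext."""
    for layer in reversed(layers):
        blob = layer.open(blob)
    return blob


def exposed_with_one_key(layers: Sequence[Layer], blob: bytes, idx: int) -> Optional[bytes]:
    """What someone holding only layers[idx]'s key recovers from the full blob."""
    try:
        return layers[idx].open(blob)  # only the outermost layer opens, and yields inner ciphertext
    except InvalidTag:
        return None
```

Losing the outer layer's key alone yields only the inner layer's ciphertext, and the inner key alone opens nothing, which is the property the layered approach is meant to guarantee.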
Among other eligibility steps, potential vendors for the CSfC initiative must submit IT components to the NSA-managed National Information Assurance Partnership for security testing. Once approved, the component would be added to a CSfC component list.
While there are plenty of commercial vendors developing new security frameworks, some may balk at an NSA requirement that "obligates [commercial vendors] to provide sufficient information for the NSA to make a risk decision and to cooperate with the NSA to mitigate any discovered vulnerabilities…."