U.S. Develops Net Security Standards
Wed Jul 17, 2:40 AM ET
By D. IAN HOPPER, AP Technology Writer
WASHINGTON (AP) - The Pentagon, the National Security Agency and private organizations have developed security standards for Microsoft's most popular business computer operating system in order to stop the most common assaults against federal networks.
The government will announce the standards on Wednesday to show federal computer engineers how to alter Microsoft's Windows 2000 operating system to make it more secure.
Government experts hope that the benchmarks will solve an embarrassing problem that affects both federal and private computer networks, largely by plugging security holes most hackers already know about.
Technology research firm Gartner estimated recently that through 2005, 90 percent of computer attacks will use known security flaws for which a solution is available.
"It's a massive problem," said Clint Kreitner, head of the Center for Internet Security, a partnership of companies and American and Canadian government agencies. "They slap their systems on the Net and get ready to go, then wonder why they get breached in the next 10 minutes."
Most recent attacks were written and released by bored kids testing their skills, but the government is becoming more concerned about organized attacks against federal computers from terrorists or foreign governments.
"What we're trying to do is have a government and industry partnership to set benchmarks for frequently used software," said Richard Clarke, the president's computer security adviser.
The Windows 2000 standards — a how-to guide to change security settings — will be required for Defense Department computers, and the White House is considering whether to require the same for the rest of the government. Standards guides for other software will follow.
Several government agencies have had their own security standards for some time. What's new about Wednesday's announcement is that the various agencies have agreed on a single standard — a difficult task that was worked out about three months ago.
Experts at CIS, the NSA and the Commerce Department's National Institute of Standards and Technology had three different candidates for standards at first. On April 18, the authors met in a room at NIST offices in Maryland.
"They were told they could leave as soon as they came to an agreement," said Alan Paller of the SANS Institute, a research and education group involved in the announcement.
That night, they had a document several hundred pages long describing how to make Windows 2000 secure but still usable.
That was only half the battle, though. Clarke said they wanted to make it easy for federal network engineers to make the changes.
"You'd give a 200-page document to a system administrator, and say, 'Have a nice day,'" Clarke said. "So no one did it."
To fix that, the government has a software tool that grades computer security so that everyone, from the engineers to top executives, understands how secure their computers are. The tool then recommends changes.
The standards and the tool will be offered free to anyone. The experts hope that private companies will adopt the standards as well and encourage software makers to ship their products in a more secure configuration.
"If it's just government, it won't have as much value as if it's government and the private sector," Clarke said.
Intel Corp., Visa and Chevron are already part of the private partnership that will promote the standards.
Some government agencies, including the Air Force, are hoping that within a year they can use their procurement power to require that vendors offer more secure versions of their software based on the standards.
"Now we can go to Microsoft and others to say that this is our common set of expectations," Air Force Chief Information Officer John Gilligan said. "Right now, we're doing the work. We can then get into negotiations about how they can subsume a substantial part of that work."
Microsoft has seen the standards and offered some suggestions to the final product.
The standards aren't an end-all solution for computer security. Clarke said computer security is as much employee training as it is good software. But the experts see it as a solid first step.
"It'll reduce the low-hanging fruit," Clarke said. "Given the growing sophistication of hackers, we're going to continue to have problems."