Information Security News mailing list archives

Australian Govt 'safe list' snubs Microsoft


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Dec 2002 03:44:40 -0600 (CST)

http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270727,00.htm

By James Pearce
ZDNet Australia
17 December 2002

Microsoft's products have been left off a list compiled by the Defence 
Signals Directorate that aims to evaluate and advise whether software 
is appropriate for use by Australian Government agencies. 

The Defence Signals Directorate Evaluated Product List (DSD EPL) 
provides a listing of products that have been deemed appropriate for 
use within the Australian Government for the protection of 
non-national security electronic information, according to the 
Directorate. 

"The reason that there are currently no Microsoft products on the EPL 
is that no Microsoft products have gone through evaluation in 
Australia," the DSD told ZDNet Australia in correspondence. 
"However, the Microsoft Windows 2000 operating system has recently 
completed evaluation under the equivalent US program, the Common 
Criteria Evaluation and Validation Scheme (CCEVS)." 

Windows 2000 Professional and Windows 2000 Server were passed by the 
CCEVS on the 25 October this year. Australia, along with the US and 
around 13 other countries, participates in the Common Criteria 
Recognition Arrangement (CCRA), whose participants have agreed to 
mutually recognise each other's product evaluations. 

Government agencies were using Microsoft products years before any 
were declared as safe by the DSD because the EPL is a recommendation, 
rather than having regulatory force. According to the DSD, government 
agencies have to comply with DSD guidelines only when using 
cryptography to protect Commonwealth information, and must utilise a 
DSD-approved firewall to protect connections between government and 
public networks. 

The DSD said one reason why some products aren't on the list is the 
high cost that can be incurred by developers attempting to have their 
product listed. This certainly has a deterring effect on the 
proponents of open source software, who are trying to convince all 
levels of government to convert to open source. 

"We're very keen on seeing local [Australian] government look more 
seriously at adopting open source technology, but people said it's not 
on the evaluated product list by the DSD," Con Zymaris, CEO of 
Cybersource, told ZDNet Australia. He said the only way to get an 
open source system such as Linux on the EPL was to have a large 
corporation decide it would be beneficial for them if the government 
used Linux and therefore funded the research. 

The issue of whether government agencies should use open source 
software is a contentious one. The Initiative for Software Choice, a 
US lobby-group backed by computing giants such as Microsoft, Intel and 
Cisco Systems, is petitioning the US government to avoid open-source 
software. 

It is worried about a recent report by independent IT research 
corporation MITRE, which concluded, among other things, that removal 
of open source software would remove the demonstrated ability of that 
software to be updated rapidly in response to new types of 
cyberattack. 

Zymaris believes there is a sea-change occurring in the government. 
"In the past few months things seem to have become more positive," he 
said. "There is a higher awareness rate, and the IT managers have a 
more positive attitude [towards open source]." 

"The government has particular ways and processes of doing things," 
added Zymaris. "We shouldn't say 'Hey! Change all that and do it our 
way!', we should find the best way to work with them."


