Foreign Ownership, Control, and Influence (was RE: Apology - not necessary)

["Loomis, Rip" <rloomis () python ideas com>]

On Saturday, September 26, 1998 12:57 AM, Marcus J. Ranum
[SMTP:mjr () nfr net] wrote:
> Since his posting I've made a number of enquiries of unquotable
> nonexistent sources. None of them have pointed to a single
> substantive "smoking gun."  Clearly the DOD may have problems
> with Israelis...
[[S N I P]]
> While Frank's points about national security make sense (especially
> in the light of Crypto AG and related tales) this is about
> squashing mud-slinging attempts, not security.

Marcus (and everyone)
First, a disclosure.  From 1995-1997, I was a Navy officer stationed
at NSA, and the company I work for (SAIC) does some work for
NSA and other parts of the government.  At the same time, I do not
now nor have I ever spoken on behalf of either organization about
FW-1 (or in fact much else).  I only <delurk> to try to enhance
understanding and reduce FUD.  Hopefully I don't bore anyone
with this...

In the Communications Security (COMSEC) world (which includes
NSA cryptography), there are certain rules about doing work with
FOCI companies--that is, companies that have Foreign Ownership,
Control, or Influence.  From that point of view, CheckPoint is a
FOCI company and would not normally be granted permission to
fabricate or be involved with NSA cryptographic equipment that
uses strong classified (Type I) algorithms.  (This should not come
as a huge surprise to anyone).

In the COMPUSEC world, the concepts that led to the FOCI rules
do still apply--but I believe that NSA is finding it harder and harder
to apply the rules even in the COMSEC world.  I believe (although
I have no special insight) that one of the driving reasons for allowing
the FORTEZZA/CAPSTONE/SKIPJACK algorithms to be declassified
was not only to allow software implementations, but also to allow
hardware fabrication in offshore facilities.  I know that for the
military
GPS receivers (the Precise Positioning Service requires NSA keying
material), the requirement to do all chip fabrication in US-controlled
facilities has a noticeable impact on prices and technology.

The biggest problem here is, in fact, FUD.  With changes to the
procurement regulations, it is difficult to justify purchasing "US ONLY"
products if foreign products are competitive--and it's getting more
and more difficult to tell the difference.  NAI's "CyberCop Scanner"
is a product from a US company, but the original product/company
(Ballista, from SNI) was Canadian with modules written all over the
world (e.g. CORE SDA, in South America).  In May, I was at a Sun
presentation for US Government personnel and contractors, during
which the FW-1 question was specifically raised--and even though
Sun (as a major reseller) had source code access, all that anyone
was able to say was, "We hear that NSA has a problem with it."

In the end, as with many things, there may be individual people
within NSA and other parts of the government who believe that DoD
should not use FW-1 and other products that are not free of FOCI
concerns.  Those people are not misguided or stupid; they may raise
valid concerns--see Frank's original message for a really good summary
of those.  I *do* agree with Frank's statement that "Any prudent DoD
or Corporate Network/Information Security Officer should look at all
of the factors involved before using *any* given product and choose
the product which offers the highest security, and poses the least
potential risk."   But the bottom line is that I sincerely doubt that
there
is a directly exploitable back-door in FW-1.  I also doubt that anyone
at the policy-making levels of NSA, DISA, or other such organizations
is going to go on record as saying "FW-1 is prohibited". That does
*not* mean that NSA is going to rush out and buy it, though.  *Many*
factors get involved in any government purchasing decision...

If anyone has a hard spot with anything I said, or wants clarification,
please e-mail me privately at home <rip () clark net>, since I think
this is *real* close to being off-topic for PyroWiz already.  And now
back to our regularly scheduled SPF vs AG vs Shrinkwrapped tools
vs M$ evils vs.....hey, has anyone tried putting together an FAQ yet?
We're starting to need it....

        --Rip Loomis (speaking as a private citizen)
          Security Engineer, SAIC
          Gilbert.R.Loomis () cpmx saic com       rip () clark net

P.S. Looked around for a copy of the FOCI regs on the web, and
couldn't find them.  I suspect (can't find my printed copy) that that
means the regs are For Official Use Only, so I can't disseminate them.