Information Security News mailing list archives

Head Agency Technicians Keep Wary Eye On Security


From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 19:02:08 -0600

http://www.newsbytes.com/news/01/161379.html

By Susan M Menke, Government Computer News
WASHINGTON, D.C., U.S.A,
01 Feb 2001, 4:15 PM CST

Agency chief technology officers face a growing list of security
threats without any sure-fire solutions, two CTOs said yesterday at
the ComNet trade show in Washington, DC.

Robert A. Flores, CTO of the CIA, and Jeffrey D. Pound Sr., CTO of the
Air Force Research Laboratory at Wright-Patterson Air Force Base,
Ohio, said their time is consumed by security and bandwidth issues.

"Every day something is bigger and more complicated than the day
before," Flores said. "We're basically competing with CNN [for
intelligence], but we don't get to charge for our services."

Pound said he worries a lot about "professional hackers, not just
kids," because the Air Force lab is "one of the top US targets." He
likes the security of virtual private networking, but existing
firewalls and VPN software cannot handle the gigabit-level throughput
of Air Force networks now being planned, he said.

Flores said the CIA "spends a lot of time trying to break other
people's networks. We try to hack ourselves to death" to find
vulnerabilities. Encryption is not the answer, he said. If all
transmissions and even stored data were encrypted against intruders,
the encryption would prevent indexing and searching of files and video
streams.

"And we don't believe biometrics is the answer" for user
authentication, Flores said. "It's not hard to hack the middleware"
that stores user identities. "We've got iris readers, but we don't
trust them."

Pound said the Air Force lab, like the rest of the Defense Department,
is putting its trust in public-key infrastructure and digital
certificates. "But what happens," he asked, "if someone inserts a
bogus certificate server in your chain? PKI is only as good as the guy
who gives out the keys."

The two CTOs said they are "scared to death" about malicious code
inserting itself into their secure networks via JavaScript, ActiveX
and other scripting languages. Their organizations are both preparing
to migrate to Microsoft Windows 2000 and its Active Directory
services.

Both said they also worry about the trend toward wireless handheld
devices, which Pound called "very scary. Bluetooth [short-range radio
networks] destroys physical security. Someone could stand outside a
window and read everything on your laptop."

Asked about outsourcing functions to application service providers,
Pound said it "won't ever happen for core processes." He said much DoD
work is already outsourced, but to other government agencies such as
the Defense Finance and Accounting Service.

ISN is hosted by SecurityFocus.com