Feds look to secure wireless nets

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2002/0729/web-wire-07-31-02.asp

By Diane Frank 
July 31, 2002

Wireless networks and devices are not as secure as the government 
needs them to be, and they won't be anytime soon, but federal 
officials have several ideas for making the best of a bad situation.

Even as wireless connectivity becomes a necessary part of daily agency 
business, the products have not kept up with the security available on 
wired networks and systems. Existing standards - such as the IEEE 
802.11 - do not provide enough security, and the stories of people 
accidentally or deliberately picking up signals transmitted by 
wireless devices are all too true, experts from government and the 
private sector said at a July 30 conference in Washington, D.C.

"The word is getting out...that we do have a wireless security 
problem," Richard Clarke, President Bush's cyberspace security adviser 
and chairman of the Critical Infrastructure Protection (CIP) Board, 
said at the conference, co-sponsored by the Information Technology 
Association of America and the Center for Strategic and International 
Studies.

The Defense Department has mastered securing traditional, broadcast 
"wireless" communications, but as it moves into network wireless, 
there is less assurance that the messages are secure, said John 
Stenbit, assistant secretary of Defense for command, control, 
communications and intelligence.

Because there are few commercial wireless devices that DOD officials 
feel they can safely rely on, the department soon will issue a 
directive outlining the rules for its personnel concerning the use of 
those devices.

"We're going to put some constraints on what kind of devices can be 
used, where they can be used," he said.

Stenbit also said he hopes industry can come up with a way to detect 
the presence of wireless devices in secure areas and can help define a 
security certification and accreditation process for wireless devices.

To address broader concerns, the CIP board has almost completed a new 
version of the National Plan for Cyberspace Security, which will be a 
companion to the Homeland Security National Strategy, released July 
15. The new cybersecurity plan incorporates input from industry and 
academia, and will be released Sept. 18.

One of the crosscutting issues the plan will address is wireless 
security and the potential instability of the Internet as more and 
more Web-enabled wireless devices connect to it, Clarke said. A key 
recommendation will be for the federal government to facilitate the 
research and development necessary to fix this problem, including 
providing funding and other resources to researchers and groups such 
as the Internet Engineering Task Force, he said.

But members of industry also must act on their responsibility to 
secure their products and to help users deploy them. "The industry 
needs to work faster to come up with agreed standards, and standards 
that can be easily understood and widely applied," he said. 

Last week, the National Institute of Standards and Technology released 
a draft guide outlining basic steps to overcome security gaps in 
existing wireless standards and products.

The Wireless Priority Service (WPS) for law enforcement, national 
security and emergency personnel is an initiatives the CIP Board 
commissioned, in part because of the government's homeland security 
efforts.

The Defense Department's National Communications System is running the 
WPS pilot program, which is intended to result in an initial operating 
capability in December, said Katherine Burton, assistant deputy 
manager of the NCS. But it is a difficult challenge because the 
security and priority concerns must be addressed at every portion of a 
wireless network, not just the end devices, she said.

The NCS is also waiting for supplemental funding to start another 
pilot program for a wireless Emergency Notification System, she said. 
Both the confidentiality and the integrity of those messages are 
critical so that personnel know they can rely on the notices, she 
said.
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.