Bush Adviser Sings Praises Of Open-Source Security

Marcus Sachs, director of communication infrastructure protection at the White House's Office of Cyberspace Security, spoke at the Open Source Security Summit, which was held here and sponsored by Red Hat and Dell Computer.


GTSI's Young says government customers are now requiring different kinds of IT solutions.

One aim of the event was to educate attendees about where open-source technology exceeds the security requirements of some federal agencies and where it currently falls short.

Sachs told conference attendees, most of whom were open-source devotees, that Apache Web servers are growing in popularity in federal installations.

"Most likely we'll see an increase in Apache and a decrease in [Microsoft's] IIS Web server," Sachs said, referring to what he expects to be revealed in future data culled by security consulting firm Netcraft.


While the Office of Cyberspace Security adopts a neutral stance about whether security products are developed in open or proprietary code, government agencies want security software's capabilities to be verified by the National Information Assurance Partnership (NIAP), Sachs said.

TOP 10 WEB SERVERS FOR .MIL SITES

RANK  SERVER NAME               NO. OF DOMAINS RUNNING SERVER  PERCENTAGE OF DOMAINS
1     Microsoft IIS             1,658                          54.6%
2     Apache*                   669                            22.0%
3     Netscape Enterprise       276                            9.1%
4     PlanetWeb Simple Server   118                            3.9%
5     Red Hat Stronghold*       61                             2.0%
6     Lotus Domino              46                             1.5%
7     Novell HTTP Server        44                             1.5%
8     O'Reilly WebSitePro       30                             0.99%
9     Netscape FastTrack        20                             0.66%
10    Other                     115                            3.81%

* OPEN-SOURCE WEB SERVERS

BECAUSE OF ROUNDING, PERCENTAGES DO NOT ADD UP TO 100.

SOURCE: NETCRAFT

The NIAP, which is sponsored by the National Security Agency and the National Institute of Standards and Technology, seeks to develop programs that gauge the capabilities of the products used to conduct security certifications for federal agencies. It also verifies that the individuals performing those audits and providing other security consulting services are qualified to do so.

As it turns out, the open-source movement is fundamental to the way the NIAP works, Sachs said, explaining that the NIAP oversees the development of open-source Common Criteria tools that are used in defining profiles, schematics of how and where security products and their intended environments work.

Yet getting the NIAP's blessing for an open-source product is problematic, given that no one person or company can sign off on an open-source product's capabilities since, by definition, those features are always changing.

Michael Tiemann, CTO of Red Hat, Raleigh, N.C., told CRN at the summit that his company wholeheartedly supports the NIAP's efforts, although getting certification from the group "is extremely costly, and NIAP does not want to certify a specific distribution due to our open-source nature," he said. "Currently, we are in discussions with the Pentagon to work out the details."

Meanwhile, Sachs, who reports to Richard Clarke, the State Department official appointed last year by Bush to serve as his chief adviser on cybersecurity matters, said the government is not out to regulate the Net. But the government must get its own house in order, Sachs said.

"The federal government must make sure its networks run as securely as we are advocating everyone else's do," Sachs said, referring to security measures suggested for home and corporate users in the recently released National Strategy to Secure Cyberspace.

Solution providers said last year's terrorist attacks made them and their clients re-evaluate their business-continuity and security priorities.

"The government is buying different [IT solutions] now," said Dendy Young, CEO of GTSI, a Chantilly, Va., solution provider serving the federal government. "There is a much stronger focus on security and flexibility and portability," he said. "One of the shocks that was generated by 9/11 was business continuity. How do I know that if my computer center gets hit by a plane that I have everything backed up and that [I can have] my network up and running again in seconds? Most people, of course, had never come to grips with that possibility before."

In related news, Westcam, a Houston-based security ISV, this month made available a beta version of security-enhanced Linux at www.securityenhancedlinux.com.

The Open Source Development Group, Oxford, Miss., is among the organizations offering training on SE Linux, which originated from a National Security Agency research project.