CIA official: We need a secure OS, but where's the demand?
The chief of the agency's Information Assurance Group says it's time for a secure operating system done right, but it won't happen without widespread demand.
Industry is not providing government with the basic tools it needs to build a secure information infrastructure, say military and intelligence officials.
“What we need is a secure operating system,” Robert Bigman, chief of the CIA’s Information Assurance Group, said during a panel discussion at the Security Innovation Network showcase in Washington Oct. 26. “We gave up some time ago on the battle to build a secure operating system, and we don’t have one.”
The thousands of stand-alone IT security products being offered today are a reflection of the lack of overall security, he said.
Richard Hale, the Defense Department’s deputy CIO for information assurance, said there is also a lack of interoperable security products, and that networking protocols need to be hardened to survive in the hostile environment of the modern world.
“There was no thought of a bad guy when these were developed,” he said. The military needs an information infrastructure that is “much less fragile,” but “the market is not demanding that right now.”
Both government and private-sector participants on the panel discussing government cybersecurity needs agreed that the problem stems from the lack of market demand for secure products. There was little consensus on just what the government could and should do to stimulate that market, however.
“We have to be careful about requiring things,” warned John Jolly, general manager of General Dynamics Information Systems Cyber Division. He suggested things are not likely to get better any time soon. “We all have to figure out how to operate in that fragile environment for the foreseeable future.”
Bigman acknowledged that the government’s record in mandating functionality for IT products “is not real good.” But he said the National Security Agency almost got it right in its efforts in the 1990s to develop a secure operating system based on Linux. The result, Security-Enhanced Linux, is now used at the CIA but has not been widely adopted in the commercial market, which he said is a reflection of the lack of demand.
“I’m not so sure it isn’t time to try it again, and do it right this time,” Bigman said.
The government’s ability to drive the IT market is limited, especially as that market focuses increasingly on the consumer.
“Vendors are driven by what they can sell,” Bigman said. “We are not a big part of their business. We are a smaller and smaller part of it. Demand comes from the consumer, and I haven’t seen it yet. I can’t be optimistic about that changing.”
The problem is likely to be amplified by tight budgets, which are driving agencies to rely more on large enterprisewide buys of off-the-shelf products. This means that government is using more products that were not designed to be secure, and it eliminates the niche markets of innovative small companies that often make significant advances in technology. Bigman said that because of budget constraints, the CIA is close to requiring that all IT acquisitions be made through group purchases.
“Clearly the trend is not to do individual niche purchases,” he said. “It makes it hard for the small company.”
Hale told an audience of vendors that DOD relies on industry input to help structure its IT buys and urged greater participation when the department issues requests for information in advance of a procurement. He also said that building products to stable standards can help the fast-moving IT industry supply workable products under the slower-moving government acquisition system.