http://www.fcw.com/fcw/articles/2002/0729/web-wire-07-31-02.asp By Diane Frank July 31, 2002 Wireless networks and devices are not as secure as the government needs them to be, and they won't be anytime soon, but federal officials have several ideas for making the best of a bad situation. Even as wireless connectivity becomes a necessary part of daily agency business, the products have not kept up with the security available on wired networks and systems. Existing standards - such as the IEEE 802.11 - do not provide enough security, and the stories of people accidentally or deliberately picking up signals transmitted by wireless devices are all too true, experts from government and the private sector said at a July 30 conference in Washington, D.C. "The word is getting out...that we do have a wireless security problem," Richard Clarke, President Bush's cyberspace security adviser and chairman of the Critical Infrastructure Protection (CIP) Board, said at the conference, co-sponsored by the Information Technology Association of America and the Center for Strategic and International Studies. The Defense Department has mastered securing traditional, broadcast "wireless" communications, but as it moves into network wireless, there is less assurance that the messages are secure, said John Stenbit, assistant secretary of Defense for command, control, communications and intelligence. Because there are few commercial wireless devices that DOD officials feel they can safely rely on, the department soon will issue a directive outlining the rules for its personnel concerning the use of those devices. "We're going to put some constraints on what kind of devices can be used, where they can be used," he said. Stenbit also said he hopes industry can come up with a way to detect the presence of wireless devices in secure areas and can help define a security certification and accreditation process for wireless devices. To address broader concerns, the CIP board has almost completed a new version of the National Plan for Cyberspace Security, which will be a companion to the Homeland Security National Strategy, released July 15. The new cybersecurity plan incorporates input from industry and academia, and will be released Sept. 18. One of the crosscutting issues the plan will address is wireless security and the potential instability of the Internet as more and more Web-enabled wireless devices connect to it, Clarke said. A key recommendation will be for the federal government to facilitate the research and development necessary to fix this problem, including providing funding and other resources to researchers and groups such as the Internet Engineering Task Force, he said. But members of industry also must act on their responsibility to secure their products and to help users deploy them. "The industry needs to work faster to come up with agreed standards, and standards that can be easily understood and widely applied," he said. Last week, the National Institute of Standards and Technology released a draft guide outlining basic steps to overcome security gaps in existing wireless standards and products. The Wireless Priority Service (WPS) for law enforcement, national security and emergency personnel is an initiatives the CIP Board commissioned, in part because of the government's homeland security efforts. The Defense Department's National Communications System is running the WPS pilot program, which is intended to result in an initial operating capability in December, said Katherine Burton, assistant deputy manager of the NCS. But it is a difficult challenge because the security and priority concerns must be addressed at every portion of a wireless network, not just the end devices, she said. The NCS is also waiting for supplemental funding to start another pilot program for a wireless Emergency Notification System, she said. Both the confidentiality and the integrity of those messages are critical so that personnel know they can rely on the notices, she said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 06:42:26 PDT