[ISN] Australian Govt 'safe list' snubs Microsoft

From: InfoSec News (isnat_private)
Date: Wed Dec 18 2002 - 01:44:40 PST


    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270727,00.htm
    
    By James Pearce
    ZDNet Australia
    17 December 2002
    
    Microsoft's products have been left off a list compiled by the Defence 
    Signals Directorate that aims to evaluate and advise whether software 
    is appropriate for use by Australian Government agencies. 
    
    The Defence Signals Directorate Evaluated Product List (DSD EPL) 
    provides a listing of products that have been deemed appropriate for 
    use within the Australian Government for the protection of 
    non-national security electronic information, according to the 
    Directorate. 
    
    "The reason that there are currently no Microsoft products on the EPL 
    is that no Microsoft products have gone through evaluation in 
    Australia," the DSD told ZDNet Australia in correspondence. 
    "However, the Microsoft Windows 2000 operating system has recently 
    completed evaluation under the equivalent US program, the Common 
    Criteria Evaluation and Validation Scheme (CCEVS)." 
    
    Windows 2000 Professional and Windows 2000 Server were passed by the 
    CCEVS on 25 October this year. Australia, along with the US and 
    around 13 other countries, participates in the Common Criteria 
    Recognition Arrangement (CCRA), whose participants have agreed to 
    mutually recognise each other's product evaluations. 
    
    Government agencies were using Microsoft products years before any 
    were declared as safe by the DSD because the EPL is a recommendation, 
    rather than having regulatory force. According to the DSD, government 
    agencies have to comply with DSD guidelines only when using 
    cryptography to protect Commonwealth information, and must utilise a 
    DSD-approved firewall to protect connections between government and 
    public networks. 
    
    The DSD said one reason why some products aren't on the list is the 
    high cost that can be incurred by developers attempting to have their 
    product listed. This certainly has a deterring effect on the 
    proponents of open source software, who are trying to convince all 
    levels of government to convert to open source. 
    
    "We're very keen on seeing local [Australian] government look more 
    seriously at adopting open source technology, but people said it's not 
    on the evaluated product list by the DSD," Con Zymaris, CEO of 
    Cybersource, told ZDNet Australia. He said the only way to get an 
    open source system such as Linux on the EPL was to have a large 
    corporation decide it would be beneficial for them if the government 
    used Linux and therefore funded the research. 
    
    The issue of whether government agencies should use open source 
    software is a contentious one. The Initiative for Software Choice, a 
    US lobby-group backed by computing giants such as Microsoft, Intel and 
    Cisco Systems, is petitioning the US government to avoid open-source 
    software. 
    
    It is worried about a recent report by independent IT research 
    corporation MITRE, which concluded, among other things, that removal 
    of open source software would remove the demonstrated ability of that 
    software to be updated rapidly in response to new types of 
    cyberattack. 
    
    Zymaris believes there is a sea-change occurring in the government. 
    "In the past few months things seem to have become more positive," he 
    said. "There is a higher awareness rate, and the IT managers have a 
    more positive attitude [towards open source]." 
    
    "The government has particular ways and processes of doing things," 
    added Zymaris. "We shouldn't say 'Hey! Change all that and do it our 
    way!', we should find the best way to work with them."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 11:37:56 PST