"We are notorious for always need new types of functionality," Dickie George, the National Security Agency's Information Assurance Directorate technical director, said in an interview with GovInfoSecurity.com (see transcript below). "It is a real trade off. You always want the functionality and you always know that you are providing opportunities so you need to take that into account and try to build in additional security every time. It is a race."
Are we winning the race? Read on for George's answer.
In the first of a two-part interview with GovInfoSecurity.com's Eric Chabrow, George discusses:
- The strength of today's technologies that assure the security of the federal government's civilian, intelligence and military information systems and networks.
- New information assurance technologies coming down the pipeline.
- Whether the government is winning the race to adequately secure its systems from those seeking to infiltrate them.
In part two of the interview, George discusses the challenge of recruiting qualified IT security experts for government.
George began at the National Security Agency in August 1970 after graduating from Dartmouth College. He started in the Crypto-Math Intern Program, having tours in Research, the SIGINT Directorate and the Information Assurance Directorate's predecessor organization. Except for a tour in the Signals Intelligence Directorate and one at the Center for Communications Research in Princeton, he has worked in the Information Assurance Directorate's since 1973, and has served as its technical director since 2003.
ERIC CHABROW: How strong are today's technologies to assure the security of the information in civilian, military and intelligence networks and systems?
DICKIE GEORGE: The technologies are getting better. The certainly provide a level of security that we haven't seen before. They have to be used correctly and that is really the key. You have to layer security together to cover all of the bases and you have to have users that are capable of using them in a away that they get the assurance that they need.
CHABROW: When you say layer security together, what do you mean by that?
GEORGE: You don't want to rely on one piece of equipment all by itself. You need to have an operating system that is configured correctly. You need to have boundary protection, a firewall. Depending on what your needs are, you have to have antivirus protection, you have to take advantage of the technology that is available to provide the levels of assurance that you need against all of the threats that are present in today's world.
CHABROW: Is there a way you could sort of illustrate this? Maybe in a sense of showing what NSA is doing in relationship to layering these various pieces together?
GEORGE: It starts with the architecture and the policy. In a given environment, there is a threat that you are concerned about and typically there is a large number of threats. You need to try to address all of those threats by putting adequate protection in place. Boundary protection might keep a threat out, but if the threat is already in the inside then you need to have other layers of protection. You need to have antivirus to try to catch something that is happening. You need to make sure that you aren't allowing something in. If you get encrypted mail, the firewall is not going to see it, so you need to have something else that is going to check once it is decrypted to make sure that nothing bad is happening
You really need to ensure that you have covered all of the bases of what the threat environment is like. And that threat environment has changed so dramatically over the years, basically because of the change in the access. We have functionality today that provides a lot more access for hackers or criminals that they never had in the past and functionality that is present in today's technology allows them to do things that they wouldn't have been able to do 15 or 20 years ago.
CHABROW: What kind of new information assurance technologies do you see in the pipeline that can help?
GEORGE: There are occasionally radical shifts in the type of technology that is available. More often than that, it is an evolution where the products are not all that changed but they are providing additional layers of security.
For example, in operating systems, when you see newer operating systems coming out, they get to take advantage of the fact that they have seen the types of attacks that the adversary is running against older operating systems and they try to design the latest versions to be safe from those types of threats. It is not a huge change in what an operating system can do, but it does limit the vulnerability space.
You are going to have intrusion prevention and intrusion protection and that is going to be a place where we see things changing. Biometrics will change things because it will add an extra layer of security against unauthorized access. So you will see occasional huge changes, but more likely, it is to evolution and as thing evolve the user has to understand what has evolved and how that can be used to provide the protection. The functionality is the key. The functionality is something that ever user wants and yet it provides an opportunity for the adversary.
CHABROW: You mentioned one type of technology, biometrics. How is biometrics making NSA's system or government systems more secure?
GEORGE: Biometrics has come a long, long way recently. It really does make it a lot harder for an adversary to pretend to be someone they are not because they have that extra characteristic that they have to be able to match, whether it is a thumbprint or an iris scan, even a voice check. There are a number of things that can make it harder for an unauthorized person to gain access. Biometrics is one of the ones where commercial industry and academia are making great strides in how they can introduce this in such a way that it doesn't intrude on the user's world; it doesn't make it harder for the good user but it makes it significantly harder for the unauthorized use.
CHABROW: Could you see one day that biometrics will be the only way or the main way to authenticate a user in an IT system and they won't be using usernames or passwords?
GEORGE: You certainly can see that in a home space, but I can't see it in Department of Defense because we will run half that extra layer and we will take advantage of numerous layers to protect ourselves. You have to remember that no matter how good technology is, the adversary always has an advantage because the defense sets up the game plan and sets up the rules and then the adversary, the attacker, can try to figure out ways to cheat and they have a tremendous advantage. There is always a lag time in getting attacks blocked. The more layers that you have, and passwords and PINs are not very intrusive at all, the more layers that you have the more safety you have.
CHABROW: So the idea is to keep adding additional ways to authenticate rather than just replacing one with another?
GEORGE: That is exactly right. If you keep adding additional layers of protection it makes it harder and harder for the adversary to get through all of the layers.
CHABROW: Have you seen any attempt by these evildoers out there of trying to figure out ways to bypass biometric authentication?
GEORGE: The only ways I have seen have been in our own research labs. When we are trying to test to see how good the biometrics we would be putting in place are, we do a lot of checking to see how well - we can use balloons with faces painted on them to look like human beings. Some of our researchers are really pretty clever in ways they try to get around them. I can imagine that the adversary would be equally good but our people are really good at testing these things.
CHABROW: Have they been successful or not yet?
GEORGE: Over time, we are making improvements and the reason we are making improvements is because we do find faults. When we are developing our own techniques, historically we always find that we can make them better.
CHABROW: Are there other areas where you are finding vulnerabilities in which you now feel more secure with the type of security you are using because of this kind of testing?
GEORGE: Yes indeed. Over time, we have found lots and lots of problems in stuff that we produce and in things that we buy over the open market and it is getting better. We do provide feedback when we do find problems. We are trying to raise the bar. It is a never-ending game. As we find vulnerabilities and as we fix them, we find more vulnerabilities and I don't see that ever stopping.
CHABROW: Do you feel that your systems are as secure now as ever?
GEORGE: That is a very interesting question. They have more layers of security and they have more security built in, they also have more functionally. And one of the things you always try to do as an attacker is figure out ways to get a system to operate in a way it is not supposed to and then you can take advantage with that. And the more functionality that is there, the more ways there are for an attacker to get it to operate in a way that no one ever conceived that it would operate and you can take advantage of those things. The better the system is, the more interesting it is, the more capability it has, the more opportunities there are for an attacker to find a way in. We are notorious for always needing new types of functionality, but we want our equipment to be able to operate, to do more things, and every time we increase the functionality we allow for problems.
CHABROW: As you were saying, you want the functionality so you are figuring out ways to secure that?
GEORGE: It is a real trade off. You always want the functionality and you always know that you are providing opportunities so you need to take that into account and try to build in additional security every time. It is a race.
CHABROW: And we are winning the race so far?
GEORGE: We are not losing.