2 September 1997

-------------------------------------------------------------------------------------

 1 September 1997, EE Times:

 Government To Evaluate Data Security Products

 Washington - The government is promoting a kind of Underwriters' Laboratory for 
 information-security products, a move some in industry said is long overdue but 
 will succeed only if the effort avoids past secrecy and bureaucracy. 

 The National Security Agency (NSA, Fort Meade, Md.) and the National Institute
 of Standards and Technology (NIST; Gaithersburg, Md.) have formed a
 partnership to evaluate the quality and security of information-security
 technologies like Internet firewalls and encryption algorithms. Technical details
 about the partnership, dubbed the National Information Assurance Partnership, will
 be disclosed at next month's industry conference in Baltimore, program officials
 said. 

 "The idea is to encourage the U.S. security-testing [capability] and promote safer
 products," said Fran Nielsen, a NIST computer scientist who is helping to organize
 the joint program. While many in industry remain suspicious of government
 involvement in testing commercial products, Nielsen said there is some industry
 support for independent third-party testing of security devices. "Industry shouldn't
 be suspicious," she said. 

 Promoters said the effort will boost the international competitiveness of U.S.
 makers of information-security products by providing objective measures for
 evaluating new-product quality and security. Producers counter that the key to the
 effort will be how quickly they can get their products evaluated and on the market.

 Security experts wary of NSA involvement in product-testing nevertheless
 expressed qualified support for the partnership, largely because so little testing
 expertise resides outside government. "It's a good thing," said Bruce Schneier, a
 cryptographer and head of Counterpane Systems (Minneapolis). "The question is,
 are they going to be up front about it or are they going to be sneaky?" 

 Besides the National Computer Security Association (Carlisle, Pa.), an independent
 group that certifies computer-security systems, capabilities akin to an
 Underwriters' Laboratory don't exist. "Clearly we need somebody to do it
 [because] the private sector is completely clueless," Schneier said. 

 "It's far better than what the government has done in the past where they tried to
 do everything themselves," said Stephen Walker, president of computer and
 communications security specialists Trusted Information Systems Inc.
 (Glenwood, Md.). "The question is can they do it on a timely basis" - evaluating this
 year's product rather than last year's. 

 The government partnership has three primary goals: 

 - Promoting demand and investment in information-security products as privacy
 needs grow. 

 - Shifting current testing from government laboratories to accredited private
 laboratories. 

 - Promoting research and development in security testing. 

 Once independent labs are accredited, Nielsen said, they would benefit from the
 transfer of government technology and expertise in security testing. She said the
 partnership's seal of approval would assure buyers that security products work as
 advertised. 

 The partnership's international component includes Canada, France, Germany, the
 Netherlands and the United Kingdom. With the United States, they have adopted
 common criteria for testing security products. However, some wonder whether
 the U.S. effort will provide timely testing and reciprocity with countries where
 their products have already been approved. 

 For instance, Walker of Trusted Information Systems said one of its security
 products was certified in several European countries in about six months.
 Speeding up the U.S. testing and certification process will be the toughest hurdle
 for the NSA/NIST partnership, Walker said. 

 Others doubt whether a government-sponsored certification program can keep
 pace with the commercial marketplace. Moreover, industry observers said NSA
 and NIST have been unable to get the effort off the ground for some time.
 "They've been talking about this stuff for years," said Fred Tompkins, director of
 policy analysis with the National Computer Security Association. 

 NSA officials could not be reached last week for comment. 

 Technical details about the partnership and specific projects will be unveiled at the
 Oct. 7 opening of the National Information Systems Security Conference. 

----------
