NSA, counterparts sign pact on securing computer networks

Agreement sets standards for protecting software, systems from intruders

October 06, 1998 | By Neal Thompson, SUN STAFF

With more money and information zipping across the Internet, the National Security Agency and its counterparts from four other nations yesterday signed an agreement aimed at making the information highway a safer place for governments and consumers to do business.

That agreement, five years in the making, creates new standards for computer systems and software programs, which face stricter requirements to make them less vulnerable to hackers.

The goal is to assure that government secrets, consumer credit card numbers and other private information don't fall into the wrong hands.

By agreeing on a so-called "Common Criteria," the five nations established a set of standards that programs such as Windows NT will be tested against before they can be marketed. If the software meets all criteria, it will be "certified." Like a stamp of approval, that will tell consumers the software is resistant to computer viruses or hackers.

Previously, computer and software companies had to be "certified" in each country.

Along with the United States, the agreement was signed by security agencies from Germany, Britain, France and Canada. Other countries are expected to sign in the future.

Making computers more secure is a goal of the Pentagon, which is becoming increasingly concerned about "cyber attacks" -- terrorist efforts to break into or disable the nation's critical computer systems. The Pentagon lobbied for and supported yesterday's agreement.

Implications are also huge for those seeking to turn the Internet into the shopping mall of the future. Microsoft, for example, has one in 10 employees in so-called "hacker teams," which work to make products hacker-resistant, said Craig Mundie, a senior vice president with Microsoft.

"Microsoft is investing heavily in this area," said Mundie, speaking at the National Information Systems Security Conference in Arlington, where the agreement was signed.

Yesterday's very public appearances by top NSA brass at Hyatt Regency conference rooms were also notable as another step in from the cold for the Fort Meade-based spy agency.

NSA's dual mission is to spy on other nations by intercepting their electronic communications and also to keep U.S. communications from being intercepted. In the past, it did that largely by using a set of guidelines called the Orange Book to evaluate the computer programs of its main customer, the Department of Defense.

Now, NSA works regularly with Microsoft, Sun Microsystems and Oracle Corp. to test the strength of those companies' software programs. With the new agreement, NSA will use seven private laboratories to test all computer products seeking NSA's stamp of approval.

"The realities are that we can no longer stay in what, for most of our history, has been a relatively monopolistic environment," said Michael Jacobs, NSA's deputy director of Information Systems Security. "We've always been very involved, but it's always been in a very cloistered environment. Inevitably, we'll be more public than our role in the past was."

John Pike, an NSA expert with the Federation of American Scientists, said NSA's Orange Book approach was out of date and lengthy, and computer companies have long complained about the need for a quicker method, especially in this fast-paced competitive field of high technology.

The new system, said Deputy Commerce Secretary Robert L. Mallett, will potentially build trust in the Internet and increase consumers' confidence in electronic commerce.

"That system will help businesses and consumers around the world to know exactly how safe their electronic commerce transactions really are," Mallett said.

Pub Date: 10/06/98

Baltimore Sun Articles