I used to believe that the practice of information security owed a huge debt to the military. I couldn't have been more wrong.
Those who still suffer from armed forces envy should remember some of the most significant federally subsidized security flops. The military, correctly identifying the potential impact of hostile code, began an expensive and futile 20-year search for the ultimate trusted operating system. Meanwhile, antivirus software was invented by hobbyists, and we're still using it today.
Realizing that if someone could read a file, he or she could provide unauthorized access to someone else, the military came up with a super-flexible and highly generalized concept called multilevel security. But attempts to use the resulting B1 systems collapsed under the weight of impracticality. In the meantime, the commercial market started at the simple end of the spectrum and developed enterprise digital rights management. Then, the defense community tried and failed to squeeze its same overweight multilevel security technology into IP packets; the commercial world developed the firewall.
The business world doesn't need the defense community to help it develop secure technology, and, whenever it accepts military ideas, it winds up with the wrong agenda. Commercial multi-user systems already had authentication mechanisms and file level access controls, so we can't thank the Orange Book for the security functionality in Unix and Windows.
But Orange Book C2 requirements can take full credit for the totally useless auditing system in every Windows box. Unable to agree on what level of auditing detail would be enough, the defense community demanded a mechanism that captured huge amounts of peripheral data on virtually every keystroke, yet failed to deliver any kind of useful information on what actually took place. Commercial security information and compliance monitoring tools are built with the opposite philosophy: Captur-ing some activity data is always better than none.
Sometimes the military is actually harmful to commercial security. Government controls over encryption significantly limited widespread commercial use of the only access-control mechanism that is practical for the Internet. The only question is whether this held us back for five years or for 10. What a comforting thought for everyone who has had their credit card stolen from a hacked site.
We can pat ourselves on the back for being more pragmatic than the feds, but unfortunately, we're still trapped in military mire. Case in point: The Green Book--an abstract NSA-published guide to password management--inspired a generation of bright but naÏve young SOX auditors to demand password-aging. Created in an ivory tower far from the realities of middle-aged memory, its password complexity and aging guidelines failed to take into account the problems that come with requiring people to regularly change their passwords. Made nearly obsolete by password-slurping malware, the Green Book's counterproductive ideas live on in the minds of newbies unaware of their source.
Obviously, secrecy is important to business, as is the ability to trust messages to the military, but these two camps have opposite priorities. For example, if we had developed a business approach that ensured transactions were genuine instead of a military approach that protected the secrecy of credit card numbers, ID theft wouldn't be an issue today.
It's time our profession stops playing war games and gets in touch with its business roots.
This column originally appeared in the March 2006 issue of Information Security magazine.