Last week, the White House released its draft National Strategy to Secure Cyberspace. This report is part of Homeland Defense initiatives, developed by cybersecurity czar Richard Clarke and the President's Critical Infrastructure Protection Board (PCIPB).
Given overwhelming industry criticism of early 802.11 security measures, many had expected this broad report on cybersecurity in general to come down hard on unprotected wireless LANs. Indeed, Clarke had rattled the sabre in public statements this summer. According to Brian Krebs of the Washington Post, Clarke warned that companies selling wireless gear have an obligation to notify customers of associated risks.
"It seems irresponsible for industry to sell a product that could be so easily misused by customers in a way that jeopardizes their proprietary and confidential information," said Clarke.
Not so fast
Further town meetings are planned and public comments are due by November 18. In addition, sector boards have been formed to define industry-specific plans for the banking/finance, insurance, chemicals, oil/gas, electric, law enforcement, higher education, transport, water and IT/telecommunications industries.
Why the delayed and protracted discussion?
According to the PCIPB, "This unique partnership and process is necessary because the majority of the country's cyber resources are controlled by entities outside of government. For the strategy to work, it must be a plan to which a broad cross-section of the country is committed."
Hmmm. Most automobiles are owned and operated by private citizens, but drivers are required to obey traffic laws or suffer penalties for non-compliance. Eventually, the PCIPB must put a stake in the ground, making difficult decisions about minimum network security measures. Bringing about change will require not only information-sharing and education, but the force of law to mandate timely implementation of clearly-defined best practices and contingency plans.
Anyone interested in voicing his or her opinion about our national plan to improve the sad state of cybersecurity should download last week's draft report, read it thoroughly, and participate in the nearest town hall meeting and/or submit comments directly to mailto:firstname.lastname@example.org.
To give you a head-start, here is a thumbnail of the draft strategy:
- Our economy is heavily dependent on cyberspace, security incidents are costly and increasing, so let's fix vulnerabilities before attackers find them.
- Private network operators are "encouraged to provide maximum feasible security for the infrastructures they control". The federal government should "strive to serve as a model" on how infrastructure assurance is best achieved."
- The U.S. government will try to avoid new mandates, relying first upon market incentives, resorting to regulation as a last resort.
- The strategic goal is to empower everyone to secure their own turf. This goal will be accomplished through increased education about vulnerabilities and security measures; creating better security technologies and implementing them faster; fostering responsibility through market forces, volunteer efforts, and public-private partnerships; improving the security of federal networks; and building better coordination and crisis management systems.
To support these goals, the draft proposes initiatives for home users and small businesses, large enterprises, industry sectors, national issues, and global issues. For example, home users are encouraged to firewall "always on" Internet connections, use stronger passwords, and rigorously apply anti-virus updates and security patches. ISPs and vendors "should consider joint efforts to make it easier for the home user and small business to obtain security software and updates automatically and in a timely manner."
This gives you the flavor. Recommendations are fairly broad; considerable effort will be required to convert wish-lists like these into actions. Federal agency and national priority recommendations are presented in slightly more detail, and it is there that wireless LANs are mentioned.
WLAN security: We can do better
War driving and eavesdropping vulnerabilities are briefly described to illustrate the perils of introducing new technology without adequately securing it. To identify and neutralize security risks brought about by new technologies like WLANs:
- The draft strategy recommends that federal departments and agencies be "especially mindful of security risks when using wireless." To that end, agencies are advised to review the National Institute of Standards and Technology (NIST) special publication 800-48 on Wireless Network Security and consider adopting policies and procedures that reflect "careful consideration of additional risk reduction measures" like continuous intrusion detection, mutual authentication, stronger encryption and shielding.
- The draft further recommends that the government and industry work together to increase awareness of security issues related to 802.11b and related standards, and to promote development of improved standards that have "built-in, transparent security." Presumably, this is an indirect reference to the work underway in IEEE 802.11i, MAC Enhancements for Advanced Security.
The 802.11i working draft is not yet available for public review, but inputs to that draft are available from the IEEE web page cited above. The NIST publication, distributed for public comment on July 24th, actually covers not only 802.11 WLANs, but also 802.15 Bluetooth WPANs and security issues associated with wireless PDAs and smart phones. The comment period on this NIST draft publication has already closed, so expect an updated version to emerge later this year.
The NIST publication, in a nutshell
The NIST publication on wireless network security enumerates threats and vulnerabilities associated with WLANs, WPANs, and handhelds devices and provides an overview of available technologies for securing these networks and devices. It proposes steps that should be taken to maintain secure wireless networks, such as maintaining an inventory of wireless cards and devices and deploying firewalls between wired and wireless systems. It also recommends using complementary security measures like Secure Shell, TLS and IPsec for stronger cryptographic protection, conducting periodic vulnerability assessments and random audits, and tracking and adopting security enhancements and patches as they become available. Overall, this publication recommends cautious, informed use of wireless technologies. For example:
- "Agencies should not undertake wireless deployment for essential operations until they understand and can acceptably manage and mitigate the risks."
- "To a large extent, [wireless] risks can be mitigated. However, mitigating these risks requires considerable tradeoffs between technical solutions and costs. Today, the vendor and standards community is aggressively working towards more robust, open and secure solutions in the near future. For these reasons, it may be prudent for some agencies to simply wait for these more mature solutions."
- "Agencies should understand that physical controls are especially important in a wireless environment. Agencies must enable, use and routinely test the inherent security features (authentication and encryption) that exist in wireless technologies. In addition, firewalls and other protection mechanisms, as appropriate, should be employed."
- "FIPS 140-2 Security Requirements for Cryptographic Modules is mandatory and binding for federal agencies. As currently defined, neither the security of 802.11 nr Bluetooth meets the FIPS standard. In [these] instances, it will be necessary to employ higher level cryptographic protocols and applications."
These are but a few of many recommendations made in the NIST publication. I encourage all readers interested in WLAN security to peruse the NIST draft publication and its eventual successor. This publication is a good read, not just for the government agencies that will eventually be compelled to comply with the final version, but for anyone with planned or active WLAN deployment.
Not just for government agencies
The PCIPB seems to be hoping that federal cybersecurity programs like this NIST publication will be voluntarily adopted by the private sector. One wonders how strong the NIST publication will be in its final form, or whether public comment will water down strong statements and morph firm requirements into "where appropriate, as needed" guidelines. However, if the PCIPB wants the government to set a good example, it should ensure the approved NIST publication has some teeth in it, then aggressively implement the resulting best practices in ALL agency wireless LANs and PANs.
Although I would love to see the government set a good example, I do not think this alone would be sufficient. I believe it is essential for publications like these to mandate timely implementation of improved security measures -- and not just for government agencies. The PCIPB may be inclined to let market forces alone drive stronger cybersecurity, but I am not.
CIOs and CSOs know that strong enterprise network security is not negotiable, although security edicts that completely sacrifice usability for security are often circumvented. User education is a critical component in successful security implementation, but woe is the company that simply hardens IT servers while trusting end users to secure their own desktops. Ideally, security measures are refined, implemented and enforced by organizational units, in accordance with a centrally-established corporate security policy.
In the end, I hope our government lays down a few rules to require better minimum security for all private sector networks -- including wireless LANs.
Lisa Phifer is vice president of Core Competence, Inc, a Chester Springs, Penn.-based network consulting company. Phifer is also an expert for SearchNetworking.com and SearchSecurity.com.