Top Secret

David Braue

September 1, 2005: How does Australia’s government protect classified information? The answer is, well, classified. Still, David Braue suggests, we can learn a lot from the spooks.

“I can’t discuss it,” says Francis Galbally, offering a firm but final smile that shows he knows the answer to the question but won’t share it in a million years.

The question related to how government organisations secure classified information systems, something with which Galbally and his team at Senetas have become intimately acquainted during their work to bring their locally developed encryption technology to the world market.

Senetas' technology is unique – a black box that is able to encrypt data streaming over core data networks at blistering speeds of up to 10 gigabits per second, which is the equivalent of one of Telstra’s major Sydney-to-Melbourne trunk lines. That’s far faster than typical IPSec-based encryption solutions, which take such a performance hit during encryption and decryption that Galbally reckons the Senetas technology, which operates at a lower level than IPSec, is nearly 40 percent faster.

Those are the kinds of figures that quickly win you support within communities where encryption counts, and - in the ultimate validation of the company’s technology - it recently scored the holy grail after securing a $10m-plus deal to supply its technology to the entire United States military establishment. The deal was clinched late last year by Senetas’ US partner SafeNet, and is currently being rolled out.

Want to know more? You’ll have to connect the dots; Galbally won’t – and can’t – say anything else.

Classifying the classified

Such is the nature of IT in the rarefied world of classified information handling. If IT managers in normal organisations think they have it bad – and many do, what with the challenges of keeping up with a steady flood of vendor patches and technical vulnerabilities – they should consider the even stricter requirements facing their peers in government departments, particularly those handling even moderately sensitive information.

Over time, government organisations have developed robust ecosystems of certifications, regulations, policies and technical controls for ensuring that government bodies implement the right security on their information. In Australia, that system is managed by the Defence Signals Directorate (DSD), a sub-unit of the Department of Defence whose two main operational units include Sigint (signals intelligence, or spying on foreign governments) and Infosec (provision of information security products and services to the Australian government).

The DSD’s AISEP (Australasian Information Security Evaluation Program) is a necessary step for vendors eager to supply security products to government organisations. A complement to the multi-national Common Criteria (CC) program (www.commoncriteriaportal.org) and its ITSEC (Information Technology Security Evaluation Criteria) sub-program, AISEP is a stringent certification program in which source code is scrutinised, and products tested, until assessors are confident that the hardware and software are secure enough for government use.

CC policies, which were created to harmonise the UK-developed ITSEC with equivalents in Canada and the US, include seven levels of increasingly Draconian certification – EAL1 through EAL7 – that roughly parallel ITSEC certifications E0 to E6. Through the CCRA (Common Criteria Recognition Arrangement), Levels EAL1 through EAL4 (the level held by Senetas’ CTAM products) are accepted by the governments of Australia, Canada, France, Germany, Japan, New Zealand, the UK and the USA.

The burden of AISEP certification is heavy: products can take up to two years and thousands of dollars to be certified, and later version updates require re-certification. That’s kept the number of AISEP-certified products quite small: available at the DSD’s website, the Evaluated Products List currently includes just 75 products across all areas of IT security; only two, the SQ-Phoenix Digital Encryptor from CES Communications Ltd and Research In Motion’s BlackBerry mobile email device, were certified this year.

Because CC offers broader reach, most vendors have focused on obtaining ITSEC certification rather than jumping through the hoops to target the highest-security applications. The more-active CC ITSEC certification lists 295 additional products, but CCRA criteria mean that any systems for protecting Australia’s most sensitive information must be vetted here as well.

Higher levels of certification, which by deduction are those that would be used for protecting higher-security information, are administered by each individual country’s security authority – or, to be more precise, their authorised agents. Currently, there are only two organisations in Australia – CSC and ______ -- authorised to evaluate products on behalf of DSD.

The process for becoming and remaining an AISEP evaluator is, unsurprisingly, complex and expensive. Evaluation teams must be headed by an individual certified under the DSD’s I-RAP (InfoSec-Registered Assessor Program) – a certification that requires two years’ I-RAP-specific training, a $7000 examination and more than $3000 per year in ongoing license fees. Teams headed by a certified I-RAP handle Certified I-RAPs (there are only 34 of them in Australia, and just 6 outside of the ACT) maintain an intimate knowledge of the DSD’s two core security policy manuals: the Commonwealth Protective Security Manual (PSM) and the Australian Communications-Electronic Security Instruction 33 (ACSI 33). Yet with all this knowledge, not even I-RAPs can get anywhere near the most significant national security information: they’re allowed to assess information systems handling information that has been certified up to Protected level.

All this effort, and AISEP evaluators still can’t get near the juicy bits (and the presumably lucrative contracts surrounding them)? It’s enough to make you wonder whether all the effort is worth it. Certainly, one previously registered AISEP evaluator recently dropped out of the program. For those that remain, however, the benefits extend well beyond simple AISEP certification.

“We now know what calibre skill set” is needed for this type of work, says CSC’s Kim Valois, who, as international director of global security solutions with the consulting giant, heads CSC’s global security practice from her office in Canberra. “That cachet is very useful for any police organisation, government organisation, or anyone dealing with Commonwealth data.”

More importantly, says Valois, the stringent AISEP guidelines should provide inspiration for private-sector organisations facing the challenge of handling particularly sensitive information. “I’d like to see health organisations start to look at that,” she explains.

“When we start to look at the sensitivity issue around health information, there may be a need to have that level of stringency that’s today applied to classified information. You want people to be able to demonstrate without a doubt that they can protect information above and beyond what privacy legislation would require. The same amount of rigour [as set by the DSD] would meet almost any compliance standard you could put forward.”

Lessons for us all

Valois’ contention certainly makes sense: after all, if a particular security practice is good enough to protect the nation’s secrets, surely it’s good enough to guard other kinds of everyday electronic records.

Companies interested in applying classified protection techniques to their data, however, are probably out of luck. Galbally was certainly not withholding information to be cheeky: right across government, details about protection of classified information are guarded as carefully as the information itself.

“Although security needs will be greatest when national security classified or non-national security classified information is being processed,” the DSD Web site explains, “even unclassified systems with no special safety, mission critical, or financial implications should have some degree of protection if a reliable or accurate service is to be maintained.” Guidance for establishing this protection is contained within the PSM, which has been updated this year but is only available to Australian government organisations on a need-to-know basis.

Ditto ACSI 33, whose scope includes recommendations as to which AISEP levels are appropriate for different classifications of information. ACSI 33 comes in two flavours. The first is a Security-In-Confidence version that includes guidelines for protecting systems handling information that has been classified as Highly Protected, Confidential, Secret, or Top Secret. The second, an unclassified version, sets down requirements only for the four lower-security levels of information: Unclassified, In-Confidence, Restricted, and Protected.

A read through the 247-page ACSI 33 document will be informative for any IT executive charged with ensuring their company’s information security. Among its core topics: the mandatory appointment of an IT Security Adviser (ITSA) - roughly analogous to the Chief Security Officer (CSO) being introduced in many private-sector organisations - to ensure probity in the handling of sensitive information.

ACSI 33 also covers requirements for preparing and classifying ICT security documentation; developing a formal ICT Security Policy (ICTSP); developing risk management and system security plans; outlining security standard operating procedures; certifying and accrediting ICT systems; maintaining ICT security and managing security incidents; ICT security reviews; hardware, software, personnel and physical security; and communications, encryption and network security.

Other guidelines available from the DSD include a recently published BlackBerry Security Policy, the Information System Review Checklist, security policy advisories on the use of technologies such as SSL, and more. ICT security is DSD Infosec’s only business – and, even though they’re not talking out of class when it comes to securing classified information, there is nonetheless considerable value in guidance that comes from people that know far, far more than they’re telling.

Over time, stricter governance requirements are going to drive many private-sector organisations to look for even higher levels of security assurance and its associated reduction in risk. Several top-tier banks here and in the US, for example, are currently trialling Senetas’ technology, which has been helped immensely in the market by its US military win. Galbally says sales are doubling annually.

“Our technology,” he says, “is for anybody who has a risk profile where the risk of having the information intercepted is so great that they need to ensure that if for whatever reason the network breaks down, the information is kept secret.”

That may not mean everybody, but it doesn’t hurt to be careful even if you don’t need end-to-end encryption. Even if you’re not handling classified information, odds are you can learn a lot about how it’s done by following the government’s lead.
