During a conference of 1,000 Homeland Security Department workers in Baltimore last summer, Robert West, the agency's chief information security officer, made the rounds at an after-hours social event. There he met a federal air marshal eager to show him what was running on his wireless personal digital assistant.
"This is how they send me orders; this is how they tell me what airplane to get on," the marshal told West, illustrating how wireless communications let air marshals respond quickly to changing plans and last minute threats.
West was impressed but had a simple reply: "That's great, but our wireless policy right now is no wireless." Wireless posed too many security risks.
Then the marshal told West what had happened a couple of weeks earlier. A colleague was on his way to a flight when he got an Amber Alert on his wireless PDA. Using the PDA, the marshal was able to download a picture of the missing child, catch the abductor and return the child home.
"Now, if you're me, puffing your chest and saying wireless is not an option, what do you say to that?" West said, recounting the incident for a crowd of government officials and industry executives at a wireless security conference held earlier this month by Government Computer News and the Wi-Fi Alliance. Government Computer News and Washington Technology are publications of PostNewsweek Tech Media.
"It was one of those watershed events for me in my short tenure within the department," West said.
The Homeland Security Department has since changed its policy to permit certified and accredited wireless networks. The department has formed a wireless-security working group to perform risk assessments and identify secure methods of deploying wireless networks.
And although DHS has been criticized for not adequately implementing security practices -- most recently in a July report by its own inspector general -- there's no turning back now, West said.
"The wireless train has left the station," he said. "There's a point at which you just have to step up and say there's new technology, it does help, and for all the lack of security, we have to do the right things."
LATEST AND GREATEST
A new wireless security standard published earlier this month by the Wi-Fi Alliance will help ease agencies' security concerns and spur adoption of wireless networks in government, according to experts. Dubbed Wi-Fi Protected Access 2 (WPA2), the standard incorporates encryption approved by the National Institute of Standards and Technology to protect data that is transmitted wirelessly.
Ronald Jost, director of wireless at the Defense Department, told conference attendees that the department would be asking for WPA2 certified solutions when it procured wireless networks. That, according to the Wi-Fi Alliance's managing director Frank Hanzlik, is a ringing endorsement.
"If it makes sense for DOD, it should make sense for other government agencies," he said. "There's been overwhelming support for WPA2. Now that we have something that's government grade, the reception has been positive."
The Wi-Fi Alliance is a nonprofit industry group established to standardize wireless networking technologies around the Institute of Electrical and Electronic Engineers' 802.11 specification. The alliance, which includes heavyweights such as AT&T Corp., Cisco Systems Inc., IBM Corp., Intel Corp. and Motorola Inc., tests and certifies products to ensure they meet its standards and are compatible with other Wi-Fi solutions.
Until now, Wi-Fi certification was important to commercial users, but meant little to government agencies, which take their cues on wireless implementation requirements from NIST.
"NIST is in the driver's seat for standards in the federal government, and rightly so," West said.
At the core of NIST's information security program are the Federal Information Processing Standards, most importantly FIPS 140-2, which sets the requirements a cryptographic module must meet before agencies may rely on it to protect data, including data sent over a wireless network.
Until WPA2, no Wi-Fi standard met FIPS 140-2 requirements. That didn't stop more than 600 products from earning Wi-Fi certification based on the earlier WPA security standard and its RC4-based encryption scheme, Temporal Key Integrity Protocol (TKIP); RC4 is not a FIPS-approved algorithm.
Most of those products worked well, but they couldn't earn NIST's blessing. Some agencies that wanted to build wireless networks and comply with FIPS 140-2 ended up installing special FIPS-compliant security appliances behind their wireless access points, such as the AirFortress line of gateways from Fortress Technologies Inc. of Oldsmar, Fla.
Today's WPA2 incorporates the Advanced Encryption Standard (AES), a stronger cipher that became a NIST standard (FIPS 197) in November 2001 and that WPA2 uses with 128-bit keys. The wireless industry has also begun adopting a NIST-approved way of using AES called counter mode with CBC-MAC (CCM), which encrypts each frame in counter mode and appends a CBC-MAC integrity check so that tampered frames are rejected.
"Only now are we able to take a WPA product through FIPS because of the way AES is being used," said David Cohen, senior product marketing manager of Broadcom Corp. and chairman of the Wi-Fi Alliance Security Task Group.
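The following is an added example, not code from the article, the Wi-Fi Alliance or any vendor named here. It shows what "counter mode with CBC-MAC" actually does by building CCM (RFC 3610, NIST SP 800-38C) on the AES cipher in Go's standard library, which ships no CCM mode of its own, using CCMP's fixed parameters: a 13-byte nonce, so the length field is two bytes, and an 8-byte MIC. Counter mode encrypts the payload; the CBC-MAC, computed over a length block, the cleartext frame header and the payload, is masked with the first counter block and appended as the MIC, so any change to the ciphertext, the header or the MIC is rejected before plaintext is released. The key, nonce and header in main are constructed, not taken from any network, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// AES-CCM (RFC 3610 / NIST SP 800-38C) with CCMP's fixed 13-byte nonce, i.e. L = 2.

// ccmBlock is B0 (flags, nonce, payload length) or a counter block A_i (flags, nonce, i).
func ccmBlock(flags byte, nonce []byte, n int) []byte {
	return append(append([]byte{flags}, nonce...), byte(n>>8), byte(n))
}

func zeroPad(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }

// ccmMIC: CBC-MAC over B0 || [len(aad) || aad] || payload (each zero-padded to a block),
// truncated to tagLen and masked with S_0 = E(A_0). This is the MIC sent on the wire.
func ccmMIC(block cipher.Block, nonce, aad, payload []byte, tagLen int) []byte {
	flags := byte(((tagLen-2)/2)<<3) | 1 // bits 3-5: (M-2)/2, bits 0-2: L-1
	data := ccmBlock(flags, nonce, len(payload))
	if len(aad) > 0 {
		data[0] |= 0x40 // Adata bit; the AAD is prefixed with its 2-byte length
		data = zeroPad(append(append(data, byte(len(aad)>>8), byte(len(aad))), aad...))
	}
	data = zeroPad(append(data, payload...))
	x := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		for j := range x {
			x[j] ^= data[i+j]
		}
		block.Encrypt(x, x)
	}
	s0 := ccmBlock(1, nonce, 0)
	block.Encrypt(s0, s0)
	for i := range x[:tagLen] {
		x[i] ^= s0[i]
	}
	return x[:tagLen]
}

// ccmSetup rejects parameters the encoding cannot represent and returns the cipher.
func ccmSetup(key, nonce, aad []byte, tagLen, msgLen int) (cipher.Block, error) {
	if len(nonce) != 13 || tagLen < 4 || tagLen > 16 || tagLen%2 != 0 ||
		len(aad) >= 0xFF00 || msgLen < 0 || msgLen > 0xFFFF {
		return nil, errors.New("ccm: need 13-byte nonce, even tag 4..16, AAD < 65280 B, payload < 65536 B")
	}
	return aes.NewCipher(key)
}

// ccmSeal returns ciphertext || MIC. Counter blocks A_1, A_2, ... (A_0 is reserved for the
// MIC) increment in the last two bytes, which CTR's big-endian increment reproduces
// exactly because the payload is capped below 4096 blocks.
func ccmSeal(key, nonce, aad, plaintext []byte, tagLen int) ([]byte, error) {
	block, err := ccmSetup(key, nonce, aad, tagLen, len(plaintext))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext)+tagLen)
	cipher.NewCTR(block, ccmBlock(1, nonce, 1)).XORKeyStream(out[:len(plaintext)], plaintext)
	copy(out[len(plaintext):], ccmMIC(block, nonce, aad, plaintext, tagLen))
	return out, nil
}

// ccmOpen decrypts and verifies; any change to ciphertext, MIC or AAD fails closed.
func ccmOpen(key, nonce, aad, ciphertext []byte, tagLen int) ([]byte, error) {
	n := len(ciphertext) - tagLen
	block, err := ccmSetup(key, nonce, aad, tagLen, n)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, n)
	cipher.NewCTR(block, ccmBlock(1, nonce, 1)).XORKeyStream(plaintext, ciphertext[:n])
	if subtle.ConstantTimeCompare(ciphertext[n:], ccmMIC(block, nonce, aad, plaintext, tagLen)) != 1 {
		return nil, errors.New("ccm: MIC check failed") // plaintext is not released
	}
	return plaintext, nil
}

func main() {
	// Constructed key, nonce (priority || sender address || packet number) and header.
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	nonce, _ := hex.DecodeString("00" + "0011223344aa" + "000000000001")
	hdr := []byte("constructed-802.11-hdr")
	frame, err := ccmSeal(key, nonce, hdr, []byte("attention all stations"), 8)
	if err != nil {
		panic(err)
	}
	frame[0] ^= 1 // one payload bit flipped in transit
	_, err = ccmOpen(key, nonce, hdr, frame, 8)
	fmt.Printf("frame: %x\ntampered frame: %v\n", frame, err)
}
```

Because the nonce carries the sender address and a per-frame packet number, the same key never encrypts two frames under the same counter blocks, which is what keeps counter mode safe; the implementation can be checked against the packet vectors published in RFC 3610, which use the same 13-byte nonce and 8-byte tag as CCMP.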
EIGHT MONTHS TO PREPARE
To date, only eight products have earned WPA2 certification, although Hanzlik said there should be a steady flow of WPA2-certified solutions in the coming months. The alliance has beefed up the number of labs that can perform Wi-Fi testing, which normally takes only a few days.
Ann Sun, senior manager for wireless and mobility marketing at Cisco, said all the company's wireless infrastructure products would incorporate WPA2-certified technology by the end of the year.
Experts said WPA2 certification wouldn't necessarily speed up the process of achieving FIPS compliance, not that there's any need to rush things.
WPA2-certified products could take eight months to make their way through the FIPS approval process, said Eric Hall, systems architect for wireless service development at EDS Corp.
Agencies should be using that time to plan wireless network deployments so they're ready to move when the FIPS-certified products become available, he said.
"The lag in government adoption was due largely to a lack of encryption that met FIPS 140-2 standards," Hall said. "It's been going on under the covers, but agencies can really start working on it now."
Hall said integrators should not expect to see a lot of new wireless networking contracts to bid on. The work will likely be performed under other networking or IT infrastructure vehicles. "Many of the relevant contracts are already in house," he said.
But Hanzlik said he encourages agencies to specify WPA2-certified products in future requests for proposal.
"A quarter of products fail Wi-Fi testing the first time through," Hanzlik said. "The risks are high when an agency doesn't look for certified solutions."
Staff Writer Brad Grimes can be reached at bgrimes@postnewsweektech.com.