The Pentagon, the National Security Agency, and private organizations have developed security standards and a software program to help users of Microsoft’s Windows 2000 configure their computer systems for maximum security against hackers and thieves.

Similar solutions for other operating systems will be coming soon, government officials said. The standards and software are available free to anyone who wants to use them.

The government’s software program probes computers for known security flaws and makes suggestions on how to eliminate holes used by hackers.

The unprecedented effort is expected to have immediate impact. All Defense Department computers have to meet the standards immediately, and the White House is considering requiring the rest of the federal government to follow suit.

Experts say the keys to success will be extending the standards to school, business, and home users, making the security principles simple enough for the public to understand, and ensuring that the security software stays ahead of increasingly sophisticated computer attackers.

“If it’s just government, it won’t have as much value as it will if it’s government and the private sector,” said Richard Clarke, President Bush’s computer security adviser.

The government’s partners in the private sector intend to broaden the security standards to other operating systems, including those Windows products most commonly used at home.

Maintaining the security of home computers is “a massive problem,” said Clint Kreitner, head of the Center for Internet Security (CIS), a nonprofit partnership of companies and American and Canadian government agencies. “[Consumers] slap their systems on the net and get ready to go, then wonder why they get breached in the next 10 minutes.”

The effort has brought together some of the biggest names in business, including computer chipmaker Intel Corp., Chevron, and Visa—part of the group that helped create the standards and is encouraging their use.

Microsoft, which is embarking on its own efforts to make its software more secure, has reviewed the standards and made suggestions.

The standards have developed slowly, in part because security in the past frequently has been handled through technical security bulletins written for engineers.

“You’d give a 200-page document to a system administrator, and say, ‘Have a nice day’,” Clarke said. “So no one did it.”

The breadth of the problem is staggering. The technology research firm Gartner recently projected that through 2005, 90 percent of computer attacks will use known security flaws for which a solution is available but not installed.

Most recent attacks were written and released by bored kids testing their skills, officials said, but the government is becoming more concerned about organized attacks against federal computers from terrorists or foreign governments.

Several government agencies have had their own security standards for some time. What’s new about this July 17 announcement is that the various agencies have agreed on a single standard—a difficult accomplishment that occurred about three months ago.

Experts at the CIS, the NSA, and the Commerce Department’s National Institute of Standards and Technology had three different candidates for standards at first. On April 18, the authors met in a room at NIST offices in Maryland.

“They were told they could leave as soon as they came to an agreement,” said Alan Paller of the SANS Institute, a research and education group involved in the announcement. That night, they had a document several hundred pages long describing how to make Windows 2000 secure, but still usable.

That was only half the battle. Clarke, the White House adviser, said they wanted to make it easy for federal network engineers to make the changes.

To address that, the government created a software tool that grades computer security so that everyone, from the engineers to top executives, understands how secure their computers are. The tool then recommends changes.
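The grading idea described above (compare a host's settings against an agreed baseline, produce a score anyone can read, then list the fixes) can be sketched in a few dozen lines. The checker below is an added illustration, not the government's or CIS's tool; every rule name, setting, weight and sample value in it is constructed for the example rather than taken from the Windows 2000 benchmark.

```python
"""Baseline-compliance scorer: an added illustration, not the CIS/NSA tool.

Each rule names a setting, the condition it must satisfy, a weight (so the
score reflects risk, not just a count), and a remediation hint.  The checker
compares a host's current configuration against the rules and returns a
0-100 score plus recommendations.  All settings and values are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    setting: str                 # hypothetical configuration key
    check: Callable[[Any], bool]  # returns True when the value is compliant
    expected: str                # human-readable expected value
    weight: int                  # contribution to the overall score
    fix: str                     # remediation advice shown to the reader


# Constructed baseline; not the real benchmark's rules or names.
BASELINE = [
    Rule("min_password_length", lambda v: v >= 8, ">= 8", 3,
         "Raise the minimum password length to at least 8 characters."),
    Rule("guest_account_enabled", lambda v: v is False, "disabled", 3,
         "Disable the built-in Guest account."),
    Rule("audit_logon_events", lambda v: v == "success_failure",
         "success and failure", 2,
         "Enable auditing of both logon successes and failures."),
    Rule("anonymous_enumeration", lambda v: v is False, "restricted", 2,
         "Restrict anonymous enumeration of accounts and shares."),
    Rule("screensaver_timeout_sec", lambda v: 0 < v <= 900, "<= 900 s", 1,
         "Set a screensaver lock of 15 minutes or less."),
]


def score_host(config: dict) -> dict:
    """Grade one host's settings against BASELINE.

    A setting missing from the config counts as a failure: an unknown state
    is never assumed secure.  Returns the rounded 0-100 score, the names of
    failed settings, and a recommendation record for each failure.
    """
    total = sum(r.weight for r in BASELINE)
    earned = 0
    failures = []
    for rule in BASELINE:
        value = config.get(rule.setting)
        passed = value is not None and rule.check(value)
        if passed:
            earned += rule.weight
        else:
            failures.append({
                "setting": rule.setting,
                "current": value,
                "expected": rule.expected,
                "fix": rule.fix,
            })
    return {
        "score": round(100 * earned / total),
        "failed": [f["setting"] for f in failures],
        "recommendations": failures,
    }


# Constructed sample configuration for a hypothetical host.
SAMPLE_CONFIG = {
    "min_password_length": 6,
    "guest_account_enabled": False,
    "audit_logon_events": "none",
    "anonymous_enumeration": False,
    # screensaver_timeout_sec is deliberately absent: treated as failing
}

if __name__ == "__main__":
    report = score_host(SAMPLE_CONFIG)
    print(f"Score: {report['score']}/100")
    for rec in report["recommendations"]:
        print(f"- {rec['setting']}: current={rec['current']!r}, "
              f"expected {rec['expected']}. {rec['fix']}")
```

The design choice worth noting is that a missing setting scores as a failure rather than being skipped; a benchmark tool that silently ignores what it cannot read would report a host as more secure than it knows it to be. Weighting the rules is what lets an executive read a single number while an engineer still gets the itemized list.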

“Security is a critical, yet often overlooked problem in education IT settings,” said Bob Moore, executive director of IT Services for the Blue Valley School District in Kansas. “School districts typically lack expertise in the area, and security services and tools are geared to the private sector. We face a paradox in education in that our primary customers, students, can also be our biggest security threats.”

Moore added, “In trying to provide greater access to all kinds of information to our students, staff, and parents, any tool that can help us shore up our security would be helpful.”

Although educators like Moore welcome these new network security standards and software, they say it’s best if schools develop their own network security policies.

Said Marc B. Liebman, superintendent of Marysville Joint Unified School District in California: “The idea of the standards is great, but each entity, including school districts, needs to develop its own security plan and monitor it for effectiveness. We have our own software to detect security flaws and leaks and as a result, though hackers have tried to get into our system, we have not had a major breach in the four years I have been in the district.”

Center for Internet Security

National Security Agency