Defense groups offer free software to foil hackers

The Pentagon, the National Security Agency, and private organizations have developed security standards and a software program to help users of Microsoft Corp.’s Windows 2000 configure their computer systems for maximum security against hackers and thieves.

Similar solutions for other operating systems will be coming soon, government officials said. The standards and software are available free to anyone who wants to use them.

The government’s software program probes computers for known security flaws and makes suggestions on how to eliminate holes used by hackers.

The unprecedented effort is expected to have immediate impact. All Defense Department computers have to meet the standards immediately, and the White House is considering requiring the rest of the federal government to follow suit.

Experts say the keys to success will be extending the standards to school, business, and home users, making the security principles simple enough for the public to understand, and ensuring that the security software stays ahead of increasingly sophisticated computer attackers.

“If it’s just government, it won’t have as much value as it will if it’s government and the private sector,” said Richard Clarke, President Bush’s computer security adviser, of the initiative.

The government’s partners in the private sector intend to broaden the security standards to other operating systems, including those Windows products most commonly used at home and in schools.

The effort has brought together some of the biggest names in business, including computer chipmaker Intel Corp., Chevron, and Visa—part of the group that helped create the standards and is encouraging their use.

Microsoft, which is embarking on its own efforts to make its software more secure, has reviewed the standards and made suggestions.

The standards have developed slowly, in part because security frequently has been handled in the past through technical security bulletins written for engineers.

“You’d give a 200-page document to a system administrator and say, ‘Have a nice day,’” Clarke said. “So no one did it.”

The breadth of the problem is staggering. The technology research firm Gartner Inc. recently projected that through 2005, 90 percent of computer attacks will use known security flaws for which a solution is available but not installed.

Most recent attacks were written and released by bored kids testing their skills, officials said, but the government is becoming more concerned about organized attacks against federal computers from terrorists or foreign governments.

Several government agencies have had their own security standards for some time. What’s new about this July 17 announcement is that the various agencies have agreed on a single standard—a difficult accomplishment that occurred about three months ago.

Experts at the Center for Internet Security, a nonprofit partnership of companies and government agencies, as well as NSA and the Commerce Department’s National Institute for Standards and Technology, had three different candidates for standards at first. On April 18, the authors met in a room at NIST offices in Maryland.

“They were told they could leave as soon as they came to an agreement,” said Alan Paller of the SANS Institute, a research and education group involved in the announcement. That night, they had a document several hundred pages long describing how to make Windows 2000 secure, but still usable.

That was only half the battle. Clarke, the White House adviser, said they wanted to make it easy for network engineers to make the changes.

To that end, the government created the software tool that grades computer security so that everyone, from the engineers to top executives, understands how secure their computers are. The tool then recommends changes.

“Security is a critical, yet often overlooked problem in education IT settings,” said Bob Moore, executive director of IT Services for the Blue Valley School District in Kansas. “School districts typically lack expertise in the area, and security services and tools are geared to the private sector. We face a paradox in education in that our primary customers—students—can also be our biggest security threats.”

Moore added, “In trying to provide greater access to all kinds of information to our students, staff, and parents, any tool that can help us shore up our security would be helpful.”

Although educators like Moore welcome these new network security standards and software, they say it’s best if schools develop their own network security policies as well.

See these related links:

National Security Agency

Center for Internet Security