F-Secure Talks Government Security

The top SSH vendor explains what its government customers need

F-Secure Inc., headquartered in Helsinki, Finland, is an anti-virus, file encryption, and SSH software company that counts 90 percent of U.S. government agencies—Homeland Security, U.S. Treasury, NASA, FBI, among others—as customers for its fortified version of secure shell (SSH) software.

Network administrators use SSH to get remote access to computers. It’s one of the most widely used protocols for encrypting data sent over networks and phone lines. Under the hood, SSH is a Unix-based command interface and protocol for accessing computers remotely, though technically it is a combination of three different utilities (secure versions of older Unix utilities).

F-Secure’s version includes support for PKI, extended testing and additional fortifications.

To get a feel for what government customers demand of SSH, and what’s fueling the drive for more encryption, Security Strategies spoke with Bo Sorensen, F-Secure’s VP of sales and marketing for North America.

Q. What are your government customers seeking with SSH?

A. Over the years, [for them] we've implemented additional support for PKI, smart cards, stronger authentication, and on top of that, for government requirements, we've assured that our products are certified. For us, it was important for us to be able to sell to the U.S. government. Thus we have invested a lot of time and effort to make sure that we get those certifications.

Q. What’s driving the U.S. government’s increased use of all kinds of encryption?

A. We've seen an increased emphasis on file encryption since 9/11. People are starting to realize that you have a lot of confidential information on handhelds and desktops that could very easily be lost or given to outsiders. After all, if I just think of my own PC, I’ve got our company's sales prospects, internal memos, a telephone list, and I certainly wouldn't want that to fall into the hands of, say, our competitors. And similarly, the U.S. government handles a lot of confidential information that truly should remain confidential.

Just as a small sideline here—we have statistics that in the first half of last year, in London, 60,000 mobile phones were lost in taxis. It shows how easy it is to forget things, and mobile phones especially. I have a Compaq iPaq, it's got 64 MB of memory, and unless you protect that, you could potentially lose a lot of information that you want to save.

Q. What are legal factors driving government encryption?

A. The legal framework is changing. The government no longer gets so much leeway for its data. They have to comply with more laws. For the new medical system [the U.S. military’s medical TRICARE system] that they've created, [for example], they use SSH to get access to the services.

Q. Are government budgets freer than they were before?

A. It's difficult to say, but I think, as we said, after 9/11, security has generally been a buzzword, and as part of that, I think money has been shared from other areas into this area.

Q. Where does buying SSH come into the equation?

A. Most government agencies realize that they have to take away the unsecured parts of an OS. There was a story [some] weeks back on Web site defacements—the hackers or Web activists are going in to change the content on a Web page. We estimate that about 20,000 Web pages were changed around the start of the war without companies realizing [it]. It's interesting to see that the U.S. government Web sites have not been as attacked as we feared, and I would like to believe that we had a small part in all that.

Q. Has the need for remote administration driven SSH adoption?

A. I think the Net and the whole interconnection of computer systems have made it more difficult for people. Now, also, the government centralized things, and clearly they have more computers than they ever had before, so SSH is the de facto system for remote access—not just for Unix but also for Windows.

Q. What was used before if not your version of SSH?

A. Insecure SSH, Telnet, FTP. And there's certainly been a large number of installations that have not had the level of security that is required today, so we have been able over the past six years or so to sell our product into all parts of government. NASA, who's actually our first customer, but today—DOD, DOJ, DOE, virtually any agency.

Q. How much does SSH evolve?

A. We are constantly updating the features. We're also constantly ensuring that every new version is better than the previous one, because, unfortunately, hackers out there get smarter about the systems, and they find new ways of exploiting holes in computers.

Q. What are product differentiators?

A. Some of the key things I find in this area are certifications—they give users the extra assurance that the product they buy is the product they install.

Q. Talk about certification a bit.

A. The government clearly understands the need for having products that are security certified, and whenever they handle classified data, it also needs to be transferred in encrypted form.

Q. Does certification require a third party?

A. There is a third party together with NISP [The National Industrial Security Program] for the certification. So once we have handed over the product, we have no inkling over the process. You can find a list of all the companies that have FIPS-certified products on the NISP Web site. [link: http://www.dss.mil/infoas/]

Certification has been part of our success in the government space. We want to be out there as the first SSH provider with the [new] FIPS 140 standard.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.