Federal Office for Information Security
The Role of the BSI in the German IT-Security Market

Agenda:
- Challenges in the Information Age
- Office History, Tasks and Services
- Information & Awareness Programme
- Baseline Security
- Product Certification
- Projects with Industry on IT-Security

Bernd Kowalski
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
San Francisco, February 23rd 2004
Bernd Kowalski 23.02.2004 Slide 1

Challenges in the Information Age
- ICT changes social and commercial structures.
- ICT has a major impact on the national economy.
- Business infrastructures depend on the reliability of ICT.
- e-business and e-government redefine the relationship with business partners, customers and citizens.
- Electronic funds transfer and e-payment replace banknotes and other traditional payment systems.
- Smartcards and biometrics push electronic passport management.
- ICT is essential to manage all national critical infrastructures: traffic, energy, chemical, healthcare, telco, emergency services etc.
- Providing reliability and control of national ICT infrastructures will be a question of national security and sovereignty.
Challenges in the Information Age: Threats to National ICT Infrastructures
- Security weaknesses in IT systems.
- Difficulty of detecting attacks and attackers.
- Security investments jeopardize commercial success.
- More than 80% of critical IT infrastructures are privately owned.
- Difficulty of national regulation in a globally competitive environment.
- IT infrastructures are highly interdependent, e.g. weaknesses in customers' or citizens' systems may be used to attack industrial or governmental systems (DDoS).

Challenges in the Information Age: German Government Initiatives
- Define the security of information systems as a part of national security.
- Rules for the certification and approval of IT security systems.
- Provide services for the security of government IT systems.
- Support industry and citizens in raising their IT security level.
- Commit to Public Private Partnerships (PPPs) to increase the security of critical national IT infrastructures.
- Provide for a strong and independent IT security industry.
Office History and Structure: History and Figures
- Office founded by law in 1991.
- Associated with the Federal Ministry of the Interior.
- Annual budget: 45 million.
- Employees: 380.
- Location: Bonn.
The BSI is the German federal IT security authority, associated with national and international partners in the fields of cryptography, Internet security and certification.

Tasks and Services: Tasks by Law
- Analysis of IT threats and risks.
- Improve national IT security in cooperation with industry.
- Security evaluation and certification of IT systems.
- Provide for the protection of classified information.
- Operation of central security services such as key management.
Tasks and Services: BSI as a part of the national IT-Security Environment
[Diagram: the BSI positioned between the Federal Government, Suppliers, the National IT Infrastructure, Partners, and Citizens / Public Sector / Industry; the arrows are labelled Directives, Deliverables, Initiatives and Services.]

Tasks and Services: Services
Citizens (consuming IT security):
- Web portal www.bsi-für-bürger.de with information about Internet security issues.
Government & Industry (consuming IT security):
- Baseline security standard (Grundschutz) for corporate IT infrastructures with medium-level requirements.
- Critical Information Infrastructure Protection: provide means for extraordinary security events.
- Warning and alerting services in case of security events: Federal CERT serving the German federal government.
- Devices and services to protect classified communication in government and industry.
- Counter-eavesdropping services and standards for the federal government, including physical, emission and mobile security.
Manufacturers & Service Providers (offering IT security):
- Security certification and approval of IT products and systems.
Information & Awareness Programme: IT security situation in Germany
IT market:
- Total market: 12 billion; security: 1.2 billion; government share: 25% of each.
IT penetration:
- 52% of households have a PC.
- 44% have Internet access.
- 32 million people are online.
IT threats:
- Increasing IT dependency.
- Data privacy.
- Viruses and spam.
- Computer crime: 57,000 cases in 2002 (BKA, Federal Bureau of Criminal Investigation).

Information & Awareness Programme: Citizen Awareness Programme
BSI provides information for different target groups:
- Citizens (general): www.bsi-fuer-buerger.de (web portal + CD-ROM).
- Children & teens: new project.
Partner communication channels:
- Other print and online media.
- Manufacturers such as Fujitsu-Siemens.
- D21 PPP programme.
[Figure (German, ITSEC): "E-levels and strength of mechanisms". Evaluation levels E1 to E6 plotted against strength of mechanisms (low, medium, high); the level labels read: architecture, tests, detailed design, configuration control system, source code, tests of the mechanisms, security model, semiformal development methods, close correspondence between detailed design and source code, formal development methods. Axes: assurance ("Vertrauen") versus functionality ("Funktionalität").]

Information & Awareness Programme: Small & Medium Enterprises and Administrations
- Public administration: e-government manual, www.e-government-manual.de
- Private businesses: IT baseline protection manual, www.bsi.bund.de/gshb

IT Baseline Protection: Introduction
Problems and motivation:
- Increasing number of IT security incidents with loss of business.
- Limited corporate IT budgets and competence, especially in SMEs.
- Business partners want to check the IT security level of cooperating institutions by an independent method.
- Traditional risk analysis methods are complex and not reusable.
Objectives:
- IT security guidelines that are applicable and affordable for standard IT infrastructures.
Method:
- Define standard types of IT components, threats and safeguards.
- Give practical advice on how to implement these safeguards.
Result:
- Modular concept: a threat and safeguard catalogue per component.
- Applicable to common IT infrastructures in the public and private sectors.
IT Baseline Protection: Tools
- General Guideline: overview and awareness programme for CEOs.
- Handbook: available on CD, online and in printed form.
- Software Toolkit: menu-based planning tool that gets you to your individual security solution.
- Web Tutorial: provides an overview of baseline protection and introduces the concept of the SW toolkit; available on the Web.
www.bsi.bund.de/gshb

Product Certification: Objectives
- Evaluation of the security features of IT products.
- Improve both the security and the quality of IT infrastructures.
- Independent and trustworthy product evaluation and certification.
- Consideration of national security requirements.
- Strategic support for the national IT security industry.
Legal Framework:
- BSI is the national authority for the German certification scheme.
- No general legal obligation to purchase certified products, except for the approval of products for the processing of classified information.
Product Certification: Why should manufacturers apply for a certificate?
- Improve product quality and security.
- Use the public product certificate for product marketing.
- Government requirements in certain areas: German Signature Law, EU and NATO directives etc.
Why should buyers ask for a certified product?
- The product has been evaluated by an independent, accredited body.
- The manufacturer, not the buyer, is responsible for the evaluation expenses.
- The certificate may help to provide evidence of resistance against certain threats.

Product Certification: Certification Criteria (History)
- 1985: US Orange Book: IT security acquisition requirements from the US DoD for special systems.
- 1989: The BSI Green Book for Germany.
- 1991: European Information Technology Security Evaluation Criteria (ITSEC). [Cover shown: "Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik (ITSEC)", i.e. Criteria for the Evaluation of the Security of Information Technology Systems, June 1991.]
- 1999: Common Criteria (CC) V2.1, the first agreed international certification standard, published as ISO/IEC 15408. [Cover shown: "Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model", May 1998, Version 2.0, CCIB-98-026.]
Product Certification: The Common Criteria Community
CCRA = Common Criteria Recognition Arrangement
Certificate producing and accepting nations:
- DSD, Australia / New Zealand
- BSI, Germany
- DCSSI, France
- CESG, United Kingdom
- CSE, Canada
- NIAP, USA
Certificate accepting nations:
- Hungary, Finland, Greece, Israel, Italy, Netherlands, Norway, Spain, Sweden, Austria, Turkey

Product Certification: Contributors in the Certification Procedure
Manufacturer:
- Applies for a certificate.
- Provides complete product documentation.
Evaluation facility:
- Design evaluation, penetration tests.
- Audits in development and production.
- Evaluation report to the certification body.
Certification body:
- Develops certification criteria together with the CCRA partners.
- Accepts the evaluation report and issues the product certificate.
Product Certification: Product Certificates recently issued by the BSI
- Infineon smartcard controller (Smart Card IC SLE66CX322P)
- Gemplus smartcard operating system (GemXpressoPro E64PK)
- SuSE operating system (Linux)
- IBM operating systems, Directory Server, Tivoli
- Microsoft firewall
- GeNUA firewall
- Utimaco PC security products
- Renesas (Hitachi) smartcard controller (AE43C Version 01)
- Philips smartcard controller (P16WX064V0C)
- G+D Tachosmart Card (STARCOS 2.4 Tachograph Card Application)

Product Certification: European Projects with obligations to apply CC certification
- EU Commission: Digital Tachograph: legally binding Directive.
- NATO: several activities.
- Multilateral Defense: several projects.
- UN: Principles on Critical Infrastructure Protection.
- Germany (D): several governmental projects, German Digital Signature Law.
Product Certification: US Government obligations to use CC certification
FACT SHEET, NSTISSP No. 11, National Information Assurance Acquisition Policy:
"By July 2002 - the acquisition of all COTS IA and IA-enabled IT products to be used on systems specified, shall be limited only to those which have been evaluated and validated [according to CC, NIST/NSA/NIAP or FIPS program]."
Legend:
- COTS: Commercial off-the-shelf
- IA: Information Assurance
- NSTISSP: National Security Telecommunications and Information Systems Security Policy
The US Directive No. 11 might have a significant future impact on the global IT market.

Projects with Industry on IT-Security: Selected Projects from the National PPP Programme
- IVBB: voice and data network for the federal government.
- Root Certification Authority (CA) for German governments.
- European Bridge CA for secure communication between government and industry.
- Federal CERT community with large and medium enterprises.
- Others on smartcards, biometrics etc.
Contact
Thank You for Your Attention!
Bernd Kowalski
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189
53175 Bonn
Phone: +49 (0) 228 9582-700
Fax: +49 (0) 228 9582-455
Bernd.Kowalski@bsi.bund.de
www.bsi.de