Information Security News mailing list archives

DOD moves on mobile code


From: William Knowles <wk () C4I ORG>
Date: Thu, 9 Nov 2000 18:11:23 -0600

http://www.fcw.com/fcw/articles/2000/1106/web-code-11-09-00.asp

BY George I. Seffers
11/09/2000

The Pentagon chief information officer approved a highly anticipated
policy Nov. 7 governing the military's use of mobile code, which can be
used for cyberattacks.

Mobile code is widespread throughout the Defense Department and other
government agencies, according to the policy letter signed by Art
Money, the Pentagon's CIO.

"Mobile code is a powerful software tool that enhances cross-platform
capabilities, sharing of resources and Web-based solutions," Money
stated. "Its use is widespread and increasing in both commercial and
government applications. In DOD, mobile code is employed in systems
supporting functional areas ranging from acquisition to intelligence
to transportation.

"Mobile code, unfortunately, has the potential to severely degrade DOD
operations if improperly used or controlled," Money continued. "To
protect DOD systems from the threat of malicious or improper use of
mobile code, we must assess and control the risks imposed on the
technology."

The new policy defines mobile code as "software obtained from remote
systems outside the enclave boundary, transferred across a network,
and then downloaded and executed on a local system without explicit
installation or execution by a recipient."

Microsoft Corp.'s ActiveX is one of many items listed in the new policy
as potentially dangerous. Others include Java applets and other Java
code, LotusScript and Shockwave/Flash.

ActiveX allows programs, hostile or not, to be e-mailed to a computer
and automatically interfaced with other programs, according to Navy
Capt. David Meadows, information assurance division chief with the
Joint Chiefs of Staff.

"One of the biggest challenges in mobile code as identified by a lot
of the commercial information assurance people is ActiveX," Meadows
said. "When it downloads into your system, it allows that product that
it brought with it to interact with every program you have in your
system, regardless of what the program is or how it was designed. You
can see for yourself that ActiveX can also be malicious."

The policy places mobile code technologies into one of three
categories based on the threat they pose to DOD systems, with Category
One mobile code being the most dangerous, in part because those
technologies are easy to activate and have no known countermeasures.

The document also lists a number of emerging mobile code technologies,
which have not been reviewed for categorization and will be "blocked by
all means available."

The policy has been in the making for more than a year and has proved
controversial within the military, according to Meadows.

"There are a lot of smart people out there who were members of this
mobile code [policy] group, and every one of them had a different
opinion on what it meant and how it operated. It was just as dynamic
as being in a room full of Air Force and Navy pilots discussing air
power vs. carrier power. You'd have to bring in the [military police]
to separate the two," Meadows said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
