The controversy over the management of email systems by former Secretary of State Hillary Clinton has been in the spotlight since March. More recently, in October, the CIA director acknowledged that his personal email had been hacked.
Both situations highlight the continuing vulnerability of email, whether personal or professional.
That’s why the National Institute of Standards and Technology has launched an initiative to help both public and private organizations improve email security. A key element of NIST’s initiative is to engage the private sector for assistance.
In the Internet’s early days, researchers were more interested in sharing information than securing it. Today, securing email, the most widely used medium for business communication, is a full-time job for many researchers and IT specialists, NIST said.
Public-Private Cooperation
One component of that effort is to offer businesses the opportunity to partner with NIST and the National Cybersecurity Center of Excellence in a Cooperative Research and Development Agreement, or CRADA, to improve email security through a domain name system platform.
Most server-based email security mechanisms are vulnerable to attacks on the integrity of the cryptographic implementations they depend on, NIST said.
A current DNS-based protocol is designed to securely associate domain names with cryptographic certificates and related security information so that they can’t be modified or replaced fraudulently to breach the security of Internet exchanges, the agency noted.
Despite the dangers of failing to authenticate the identities of network devices, adoption and deployment of the protocol has been slow, NIST said.
The objective of the proposed CRADA is to demonstrate a proof-of-concept security platform composed of off-the-shelf components that would provide trustworthy mail-server-to-mail-server exchanges across organizational boundaries. The DNS-based protocol, known as DANE (DNS-based Authentication of Named Entities), will be used to authenticate servers and certificates.
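As an added illustration of the DANE mechanism the article describes (example code, not NIST's or the NCCoE's platform): a TLSA record is published under a port-and-protocol label below the mail server's host name and carries a digest of the server's certificate or public key, so a sending mail server can check the certificate it receives during STARTTLS against DNS. The certificate and key bytes below are constructed stand-ins, not real DER.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded certificate and its SubjectPublicKeyInfo.
# A real check would extract these from the certificate presented during STARTTLS.
CERT_DER = b"\x30\x82" + bytes(range(64))                          # hypothetical
SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))  # hypothetical


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact data, 1 SHA-256 digest, 2 SHA-512 digest
    data: bytes


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name a sender queries for an SMTP server, e.g. _25._tcp.mail.example.net."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def publish_tlsa(spki_der: bytes) -> str:
    """Presentation form of the '3 1 1' record an operator publishes for a key:
    DANE-EE, SubjectPublicKeyInfo selector, SHA-256 digest."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse '<usage> <selector> <matching type> <hex data>' (hex may contain spaces)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the TLSA association.

    Only DANE-EE (usage 3) is decided here: the record pins the server's own
    certificate or key, so no chain validation against a trust anchor is needed.
    Usages 0-2 additionally require path validation and are reported as no match.
    """
    if record.usage != 3:
        return False
    selected = spki_der if record.selector == 1 else cert_der
    if record.matching_type == 0:
        return selected == record.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(record.matching_type)
    if digest is None:
        return False  # unknown matching type: unusable record, never a match
    return digest(selected).digest() == record.data
```

A key rollover on the server without a corresponding TLSA update is the classic failure case: the digest no longer matches and a DANE-aware sender refuses the connection rather than falling back to cleartext.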
The secure email project will involve the composition of a variety of components provided by a number of vendors. Collaborators are being sought to provide both components and expertise for DNS-related security and validation aspects of the program.
Businesses and others interested in participating must submit an expression of interest via a NIST-provided template mechanism. NIST will select participants on a rolling basis beginning as early as Thursday.
Requirement Covers Multiple Components
The contributions of participants to the collaborative effort will include assistance in establishing necessary interface functionality, connection and setup capabilities, and procedures, NIST said.
Other support components will include demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts required to demonstrate the desired capabilities.
Participants will train NIST personnel to operate their products in capability demonstrations.
Following successful demonstrations, NIST will publicly issue a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the “Domain Name System-Based Security for Electronic Mail Building Block.” The document will explain how to employ and build a platform to meet federal and industry security and privacy requirements using commercially available tools and components.
Unlike government contract awards, the CRADA partnerships do not include payments to participants, NIST cybersecurity standards and technology advisor Curt Barker said.
“The projects must be of mutual interest to the collaborators. Participation is voluntary and not directly compensated,” he told the E-Commerce Times.
“Private entities that develop or maintain email-related components such as mail servers, mailbox providers and mail clients are welcome, as well as providers of infrastructure components used in email such as DNS servers and clients, cryptographic components, identity management solutions and certificate management solutions,” NIST Computer Scientist Scott Rose said.
“Basically, any component that an enterprise would need to provide email as a service to their employees or customers” would be appropriate for the CRADA project, he told the E-Commerce Times.
“Creating an alliance between the public and private sectors will serve to be a very worthwhile engagement. The benefit of this type of alliance will serve in gathering perspectives from experts that have to be held accountable for the protection of intellectual property, personally identifiable information, and identity information for employees and customers alike — just to name a few,” said Joseph Pizzo, engineering manager at Norse.
“Bringing in experts from a variety of private sector industries, technology companies and security experts, and then combining them with the experts at NIST, solid solutions that address the majority of problems can be quickly developed,” he told the E-Commerce Times.
Threat Assessment Recommended
“NIST is on the right track. Domain authentication, digital signing and encryption are a good thing for validation and the privacy of communication. However, these are not the only elements. I would add threat intelligence into the solution,” Pizzo said.
“Adding this type of intelligence would enhance the NIST requirement by providing additional validation of communications beyond just signing, encrypting and validating email domains for email communication. Threat intelligence would aid in identifying threats in real time and provide an early-warning system for both inbound and outbound communications that are outside of email communication alone,” he said.
“NIST itself recognizes that in the early days of the Internet, the primary focus was sharing information and not securing it. This is an excellent point, because here we see that needs change over time. That’s important to remember but difficult to plan for regarding technology,” said Joshua Cannell, intelligence analyst at Malwarebytes.
“For example, did most people imagine they would be carrying a computer in their pocket 10 years ago? No, but today everyone has some form of smartphone or tablet, and these devices also bring their own security concerns,” he told the E-Commerce Times.
“This is why, regarding the NIST project involving collaboration from security experts, it’s important to not only address the current threats, but try to make reasonable inferences on what future threats might be,” Cannell said.
In conjunction with the cooperative email project, NIST issued a draft document that provides guidelines to enhance trust in email. The agency is seeking comment on the draft by Nov. 30.
The National Cybersecurity Center of Excellence is a partnership of NIST, the state of Maryland and Maryland’s Montgomery County. A goal of the center is to advance rapid adoption of practical, standards-based cybersecurity solutions for businesses and public organizations using commercially available and open source technologies.