Putting security first

What’s your core mission?

Anteon is a systems integrator for the federal government. I would say our company can be easily divided into two areas: information technology and systems engineering implementations. About 50 percent of the company does IT; about 50 percent of the company does systems engineering. We support the military, Department of Defense, Army, Navy, Air Force, as well as a variety of civilian agencies.

People tend to bandy the term “security” around like it’s a tool or a product rather than a discipline and a thought process. Where are we in terms of security as it relates to technology these days?

I agree with your assessment that we sometimes think of implementing security as buying a product and bolting it on. There [are] many facets of security. We do some computer security work at Anteon. But mainly we subcontract it out to specialists who actually specialize in doing the penetration testing, the vulnerability testing, the forensics, analysis, and such. I think it’s going to be difficult to fully build … systems that are going to be secure as well as user-friendly. We could add security encryption in the communications, [but] it makes it a little harder to use. Maintaining the encryption keys is a difficult thing.

Is there always a trade-off? No matter what you do on the security side, are you always introducing some level of inconvenience?

Yes, there’s always that level of more process in order to provide the higher level of security. And maybe someday someone will have a real good solution that’s easy as well as secure. We’ve seen systems that are getting closer to that, but I have yet to see one that I can install on my notebook PC and I can have a guaranteed secure pipe and communications link to another server or to another PC without having to share digital certificates … or encrypt the [run/start] special tools that start as a VPN pipe to a server, etc. It just isn’t easy yet.

Is there any new security technology coming down the pike that you’re going to go implement aggressively or that you’re excited about?

I think there are some things that are in the works, but the jury is still out on them. Two years ago, the wireless LANs became a very popular implementation, and then we found that the wireless encryption protocol was not as secure as we originally thought it was. So now vendors have been upgrading their wireless LAN access points with proprietary encryption, which are much more secure than the ones that were WEP[Wired Equivalent Privacy]-enabled. The 802.11i working group is in the process of coming up with a new wireless encryption protocol. The hope is that that will be a much better protocol than the last one. If it works as they are claiming it will work, I think that might be the next good thing in our technology.

How did the unfortunate events of Sept. 11 change the nature of the IT systems integration landscape and the government?

That’s a good question. Prior to September 2001, the government was looking to acquire systems that provided egov-type solutions, Internet-enabled protocols, getting rid of the old client/server and putting multitiered Web servers in, browser access with encryption between the firewall and the client. And there was a big move to put data online. Since September 2001, since 9/11, there’s been quite a change in the government. Now it’s homeland security, now it’s transportation security agency, and it’s lots of products that could be added into an end-to-end homeland security solution. One of them is wireless video. We see another one is perimeter containment, better security in network communications. So it almost seems as though the Web portals, the e-buy, the e-gov solutions, the first-gov solutions of a year ago are all on the back burner. The government is spending lots of money and lots of time and lots of rhetoric on security — on physical security, data security, [and] network security.