FBI supplier puts finishing touches on secure Linux

Software company Trusted Computer Solutions (TCS) is currently beta testing a secure version of Linux, which will provide its customers with an alternative to Trusted Solaris to run its product line.

The company builds applications which allow information to be shared securely. Edward Hammersla, chief operating officer at TCS, told ZDNet UK that when the UK Ministry of Defense or NATO requires a piece of US intelligence, the data is often shared using TCS software. Its customers include the FBI, the US Defense Intelligence Agency and the US Office of Naval Intelligence.

At present TCS customers can only run applications on Sun Microsystems Trusted Solaris, as this is the only trusted operating system available on the market. To provide an alternative to Solaris, developers at TCS have built a custom version of Linux by extending the functionality of SELinux -- a security enhanced version of Linux developed by the US National Security Agency.

The product is targeted at certification under the US Common Criteria Evaluation at Evaluation Assurance Level 4 (CC-EAL4). Hammersla said that the CC-EAL4 certification is essential if TCS solutions on Linux are to be sold to the intelligence industry, and this is not be the only challenge that needs to be overcome.

"Intelligence agencies need to go through a number of approval bodies before they can buy anything -- which is a bit like the Olympics with 25 extra hurdles you don't expect," said Hammersla.

Hammersla claims there has been significant interest in the product, primarily for cost reasons. The Trusted Solaris operating system can only be used on Sun hardware, while Linux can be run on numerous hardware platforms including low-cost Dell and IBM systems.

TCS is not the only company working on secure Linux. At the end of September, ZDNet UK reported that a consortium, including French Linux vendor Mandrakesoft, had won a three year contract from the French Ministry of Defence to develop a secure version of Linux.

Francois Bancilhon, the chief executive officer of Mandrakesoft, said to ZDNet UK that he expects a beta version of this product in two years time. The consortium aims to get the software certified at CC-EAL5, one level higher than TCS's planned certification. He admits this will be challenging. "That level is a toughie -- few operating systems have reached this level of certification," said Bancilhon

But TCS's Hammersla is not convinced that reaching this extra level is worth it.

"EAL4 is the highest level for general purpose computing," said Hammersla. "Once you get beyond EAL4 you lose Windows, and point and click functionality. Instead you have to use command lines. Most EAL 5, 6 and 7 systems are embedded systems, for example, in planes."