[ISN] NSA plots software center

InfoSec News isn at c4i.org
Mon Oct 18 02:23:56 EDT 2004


By Florence Olsen 
Oct. 15, 2004

The National Security Agency's top information security official
disclosed plans this week for a government-funded research center
devoted to improving the security of commercial software, calling the
initiative a modern-day Manhattan Project.

Comparing the proposed high-assurance software initiative to the
famous atomic bomb research project of the 1940s, NSA's director for
information assurance, Daniel Wolf, said the research would focus on
tools and techniques for writing secure software and detecting
malicious code hidden in software.

Before NSA officials can create the center, the Defense secretary must
approve the concept and find money for the project, Wolf said. He gave
the keynote address at the Microsoft Corp. Security Summit East in
Washington, D.C., earlier this week. The quality and trustworthiness
of commercial software have become a matter of increasing concern to
NSA officials, who are responsible for the security of Defense
Department and intelligence software. NSA officials anticipate that
many companies on whose software DOD and intelligence users rely will
be moving significant portions of their commercial software
development overseas within a few years.

NSA officials cannot force companies to develop software a certain
way, Wolf said, "but we would like to get them to a point where they
are producing commercial products that meet the needs of our users."  
About 95 percent of the agency's desktop PCs run Microsoft's Windows
operating system, Wolf said.

The high-assurance software center would have a small staff of
researchers who would work with other researchers at NSA, the Defense
Advanced Research Projects Agency, the Homeland Security Department,
the National Institute of Standards and Technology, federally funded
research centers, academic institutions, and corporations. "We talk
about something like a Manhattan Project because of the magnitude of
what we're trying to do," Wolf said.

Creating commercial software of high quality and trustworthiness is
immensely difficult using existing tools and techniques, he said. "You
want software that does all the things that it is supposed to do and
nothing more," he said. It is especially difficult to know whether
commercial software contains hidden malicious code. Current detection
tools produce too many false positives, he said.

As an agency, NSA has 50 years' experience with writing cryptographic
code, Wolf said. "What we bring to the table is the ability to analyze
software and find vulnerabilities," he said.
