NSA plots software center

The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project.

Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software.

Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week.

The quality and trustworthiness of commercial software have become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years.

NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.

The high-assurance software center would have a small staff of researchers who would work with other researchers at NSA, the Defense Advanced Research Projects Agency, the Homeland Security Department, the National Institute of Standards and Technology, federally funded research centers, academic institutions, and corporations. "We talk about something like a Manhattan Project because of the magnitude of what we're trying to do," Wolf said.

Creating commercial software of high quality and trustworthiness is immensely difficult using existing tools and techniques, he said. "You want software that does all the things that it is supposed to do and nothing more," he said. It is especially difficult to know whether commercial software contains hidden malicious code. Current detection tools produce too many false positives, he said.

As an agency, NSA has 50 years' experience with writing cryptographic code, Wolf said. "What we bring to the table is the ability to analyze software and find vulnerabilities," he said.
