NSA plots software center
- By Florence Olsen
- Oct 15, 2004
The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project.
Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software.
Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week. The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years.
NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.
The high-assurance software center would have a small staff of researchers who would work with other researchers at NSA, the Defense Advanced Research Projects Agency, the Homeland Security Department, the National Institute of Standards and Technology, federally funded research centers, academic institutions, and corporations. "We talk about something like a Manhattan Project because of the magnitude of what we're trying to do," Wolf said.
Creating commercial software of high quality and trustworthiness is immensely difficult using existing tools and techniques, he said. "You want software that does all the things that it is supposed to do and nothing more," he said. It is especially difficult to know whether commercial software contains hidden malicious code. Current detection tools produce too many false positives, he said.
As an agency, NSA has 50 years' experience with writing cryptographic code, Wolf said. "What we bring to the table is the ability to analyze software and find vulnerabilities," he said.