NSA plots software center

The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project.

Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software.

Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week. The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years.

NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.

The high-assurance software center would have a small staff of researchers who would work with other researchers at NSA, the Defense Advanced Research Projects Agency, the Homeland Security Department, the National Institute of Standards and Technology, federally funded research centers, academic institutions, and corporations. "We talk about something like a Manhattan Project because of the magnitude of what we're trying to do," Wolf said.

Creating commercial software of high quality and trustworthiness is immensely difficult using existing tools and techniques, he said. "You want software that does all the things that it is supposed to do and nothing more," he said. It is especially difficult to know whether commercial software contains hidden malicious code. Current detection tools produce too many false positives, he said.

As an agency, NSA has 50 years' experience with writing cryptographic code, Wolf said. "What we bring to the table is the ability to analyze software and find vulnerabilities," he said.

Featured

  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/Shutterstock.com)

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected