
[ISN] NSA: Global grid will have data assurance baked in

Subject: [ISN] NSA: Global grid will have data assurance baked in
Date: Thu, 14 Oct 2004 03:53:00 -0500 (CDT)
http://www.gcn.com/vol1_no1/daily-updates/27627-1.html

By Susan M. Menke 
GCN Staff
10/13/04 

The National Security Agency is revising its 2-month-old, 2,200-page
information assurance roadmap for the Defense Department's Global
Information Grid, NSA's Daniel G. Wolf said today at the Microsoft
Security Summit East in Washington.

After incorporating feedback from government and industry, NSA will
release a three-phase architectural plan for secure worldwide data
sharing among and across military and intelligence agencies over the
next two decades.

Wolf, the agency's IA director, said producing the architectural plan
has taken 40 staff-years so far. It spells out no specific solutions
at this point, but it will ensure that IA is "baked in" by
authenticating credentials, security clearances, roles and situational
awareness throughout the GIG, he said. Some form of user token will be
part of the security architecture.

"It's not only architecture, it will be products and services," he
said. For example, NSA will design the initial 1-Gbps backbone
encryptors for major GIG communications links. As envisioned, later
phases of the grid eventually could scale up to backbone rates of 40
Gbps and then 100 Gbps.

Although data traveling on the grid will be encrypted by two separate
suites of high-grade and top-secret algorithms including the Advanced
Encryption Standard, there still are potential risks from IPv6 packet
headers and traffic disruption. More than 160 military systems are
supposed to interact via the GIG, Wolf said.

As more and more IP-addressable devices -- even some weapons -- join the
grid, cell phone voice calls could use its transport capacity, he
said. The revised plan will identify the things to do, the timeframe,
and the products and services. "We want to monitor and manage devices
over the network" with automatic updates and hardware and software
problem alerts.

Because NSA lacks the resources to evaluate increasingly complex
commercial software, Wolf has formed industry partnerships to make
safer software a top priority. He said NSA has taken advantage of
Microsoft Corp's offer to let governments examine its source code,
which grew from 6 million lines of code in Windows 3.1 to more than 30
million lines in XP.

"Buffer overflows are a major source of failures and vulnerabilities"
in software, said Wolf, who has recruited 59 colleges and universities
to set up an IA curriculum and teach safe programming practices.

"We have a cadre of IA students," he said. "We hired about 30 graduates
this year. They understand IA and hit the ground running."

The Homeland Security Department has joined DOD as a joint sponsor of
the IA curriculum program, he said. Another initiative for which he
currently has no funding would be a high-assurance software office
that could drive standards and develop automated tools and metrics.

"We need people interested in policy and business and international
relations, as well as programmers," he said. "More than 50 percent of
custom development will go offshore by 2007. There are foreign
nationals developing software in the United States, and there are many
third-party utilities and drivers."

Wolf added, "It's almost like the Manhattan Project. I see this as the
modern equivalent to the national labs set up under the threat of
thermonuclear war in the 1940s."


