The following text is copyright 2004 by Network World. Permission is hereby given for reproduction, as long as attribution is given and this notice is included.
NSA Projects, Manhattan and otherwise
By Scott Bradner
The U.S. National Security Agency (NSA) does not see its mission as being limited to peering through keyholes. In addition to trying to figure out what "the other guys" (for various meanings of 'other guys') are up to, the NSA also tries to protect our cyber shores from attack. This part of NSA's mission is far from new but it got some interesting, and maybe confused, press recently.
NSA has been telling people how to think about computer security at least since the early 1980s. The original "Trusted Computer System Evaluation Criteria" (also known as the "Orange Book") (http://www.dynamoo.com/orange/) was published in 1983 and ever since the NSA has been publishing various documents to help people evaluate the security of systems or to configure systems in the most secure way that can be done considering the underlying operating system. For example, the NSA has an on-line repository (under the umbrella of the NSA's "Central Security Service") of more than 70 guides for configuring personal computers, routers, switches, firewalls etc. (http://www.nsa.gov/snac/) The latest batch of guides includes one for configuring Apple OSX systems - something that I found interesting and well done. (http://www.nsa.gov/snac/os/applemac/osx_client_final_v.1.pdf)
In mid-October, Daniel G. Wolf, the NSA's Information Assurance Director, spoke at the Microsoft Security Summit East. The Microsoft Security Summit is a traveling road show focusing on security in Microsoft products. (http://www.microsoft.com/seminar/securitysummit/default.msp) I went to the one in Boston and found it generally useful, even more so because my Apple OSX bias has left me without as much personal experience with Windows security issues as many of you have. In a keynote speech, Mr. Wolf talked about a number of things, but different ears seem to have focused on different things he said, or maybe overinterpreted his words.
The official NSA press release (http://www.nsa.gov/releases/relea00084.cfm) focused on Mr. Wolf's enthusiasm for vendors' "progress and future plans to enhance the security of operating systems and desktop applications" and the fact that "the onus is now on the users" to do their part by "applying the latest patches and software updates." This report says that Mr. Wolf also mentioned two of the national and international efforts that the NSA is engaged in to promote the development of security criteria (http://www.commoncriteriaportal.org/) and for security testing (http://www.niap.nist.gov). The latter project has tested and ranked the security of a large number of products. From their reports, it's not at all clear that the reporters from Federal Computer Week (http://www.fcw.com) and Government Computer News (http://gcn.com) went to the talk that the NSA press release described, or even that they both went to the same talk, whatever talk it was, even though they both wrote about a mid-October talk by NSA's Mr. Wolf.
The reporter from Government Computer News focused on the NSA's development of a "three-phase architectural plan for secure worldwide data sharing" among intelligence agencies and the military. She also mentioned in passing a possible, but as yet unfunded, office to push high-assurance software that she quoted Wolf as saying would be a modern equivalent of the World War II Manhattan Project. The reporter for Federal Computer Week made the unfunded office the focus of her report. She said that the office would be a government-funded research center "devoted to improving the security of commercial software." She also included mention of government concern over the offshore development of much of the next generation of commercial software.
So, maybe the NSA is planning a new Manhattan Project and maybe it is not; in any case, it continues to crank out useful work (at least the work we are permitted to see).
disclaimer: Harvard's expansion into Allston might be almost as expensive, in non-constant dollars, as the original Manhattan Project but it will be nowhere near as secret (at least going forward) but the above commentary is my own.