
Additional cyber security gems

More interesting tidbits from the May 12th report by the Senate Committee on Armed Services.

Assured funding for certain information security and information assurance programs of the Department of Defense (sec. 214)

The National Security Agency (NSA) and the Assistant Secretary of Defense for Network and Information Integration (ASD/NII) have attempted for a number of years to persuade the Office of Management and Budget to establish a budget line item for information assurance anticipatory development within the Department of Defense (DOD). While these efforts have not been successful, the committee believes that the arguments in favor of such a program are compelling.

The information technology (IT) industry is the most vibrant and rapidly evolving industry in the world. The Department attempts to acquire or make use of these commercial IT advances to achieve efficiencies and improved operational effectiveness. However, DOD cannot effectively adopt this technology if it cannot be used securely, yet the Department has no appropriate mechanism for keeping pace with the march of technology development.

There is, for example, an outstanding requirement for a very high speed Internet Protocol encryption capability, but NSA has almost no resources with which to respond. The executive branch recently had to launch a satellite that lacked encryption for a key wideband downlink. The Advanced Extremely High Frequency Satellite program was delayed because of a belated encryption subsystem development effort. These types of requirements can be anticipated and, with modest funding, security solutions can be developed to match acquisition schedules.

The committee recommends a provision that would impose a permanent 1 percent tax on the Department's information systems security program, other information assurance programs, and the non-National Intelligence Program-funded cyber security initiative to finance this new program.

The committee directs that the program be executed by NSA's Information Assurance Directorate unless otherwise specified by the ASD/NII. The ASD/NII shall review and approve expenditures under this program. The committee urges the administration to vitiate the need for this statute-based funding mechanism by submitting its own budget request for this activity.

Cyber attack mitigation technologies

The budget request included $109.5 million in PE 62702F for applied research on command, control, and communications technologies. The September 2007 Defense Science Board study entitled "Mission Impact of Foreign Influence on DOD Software" highlighted the need for "programs to advance the state-of-the-art in vulnerability detection and mitigation in software and hardware." In support of this finding, the committee recommends an increase of $2.5 million for the development of systems to detect and defeat malicious software on military networks and information systems.

Reconfigurable secure computing

The budget request included $56.9 million in PE 63203F for development of advanced aerospace sensors. The Air Force and Department of Defense have set cybersecurity as a high technology priority. To support these efforts at the tactical level and reduce the costs for the development of security systems, the committee recommends an increase of $2.0 million to develop reconfigurable secure computing technologies for advanced sensor systems.


Emphasis added. Apparently the USAF and USDoD are fielding distinct, bespoke, fixed-configuration secure computing technologies for sensor systems, and "malicious software" is getting through the unclassified and classified defenses. I recall when the CO at the NPGS decreed that, for cost savings, under his watch, all student (mid-grade USN officers) computers would run Windows.

When the USG relaxed the Federal Information System Procurement Standards, eliminating the POSIX barriers to Microsoft's proprietary operating system product, it created the Microsoft monopoly. There won't be a non-monopoly until there's a market for competing product -- hardened *nix in the base USG FIPS mix. Until then, another $2.5 million plus or minus random budget and defense policy walk, for bandaids for recurring road rash from pervasive use of a (single, shared fate) wobbly trike.

I'm amused by the launch-sans-crypto outcome, and the additional amounts sought, 1% and $2.5 million and $2.0 million for anticipatory capability, monitoring development, and operational agility are oddly small, given the size of the overall cybersecurity budget (previous post) of $17.0 billion.

we're using {mt v4.x || wp v2.x || drupal v6.x}, {mysql v 5.x || postgresql v8.x}, perl v5.8.8, php v5.2.5, python2.5.2 and apache v2.x, all running on freebsd-releng_7, on one of four ixsystems, housed in the usawebhost colo space in portland maine. everything is minded by ebw. all work by mb williams and eric brunner-williams are © wampum.