Risk
4/9/2010
10:46 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Details Information Assurance Spending

The National Security Agency plans to spend $902 million on information assurance in fiscal 2011, funding everything from advanced encryption to cyber warfare training.

The National Security Agency will spend $902 million on information assurance next year, according to an NSA budget request posted on a Department of Defense Web site, providing a rare insight into a sliver of the secretive intelligence agency's spending.

The request covers spending from the NSA's Information Assurance Directorate, which provides products and services to secure national security systems -- think cybersecurity for military command and control and weapons systems, among numerous things. The Department of Defense, naturally, is the IAD's largest customer, though other agencies can request its services on a case-by-case basis.

The NSA is decreasing its spending on information assurance from $972 million last year to $915 million this year and $902 million next year, though those decreases come as the military ramps up its own spending on information assurance. About half of the NSA's budget will be spent on research, development, and testing, while much of the other half will be spent on operations. The little left over will be spent on procurement.

The document lays out the NSA's information assurance efforts and plans across a number of categories, including computer network defense, encryption, identity, access management, and workforce development, and goes into some specifics in a few of those areas.

For example, the NSA plans to spend $112 million in fiscal 2011 on cryptographic systems, including those integrated into combat systems and nuclear command and control, secure voice and data links, and a program it calls "space cryptography." NSA plans to spend an additional $46 million on cryptographic key management.

NSA's public key infrastructure spending includes the addition of new protocol support for its certificate validation services, development of biometrics support, a monitoring capability for Red Hat Certificate Management Systems, and the capability for NSA-developed PKI to interoperate with other systems across the government and private sector.

The NSA will also spend $18.6 million training cyber warriors working at the DoD. "Providing a continuum of learning activities is fundamental for recruitment and retention of highly qualified cyber warriors," the document says. "Their work roles require ensuring effective development to perform proactively or in response to executed threats and to ensure accomplishment of operationally assigned tasks."

NSA is continuing work on what's known as the High Assurance Platform, which it has referred to as "a framework for the development of the next generation of secure computing platforms." HAP includes enabling such capabilities as multiple security domains -- and therefore, for example, potential access to multiple levels of classified information -- on the same client using virtualization. IBM and VMware have both publicly announced their support as contractors for the HAP program. In fiscal 2011, NSA will operationalize the second generation of HAP and begin work on the third generation.

NSA is also continuing advanced research on secure hardware. "The Advanced Computing Research program will continue to promote ideation in the creation of new chip multiprocessor technologies that will benefit the missions of NSA in cryptology, digital signal processing, filtering and selection, intrusion detection, knowledge discovery, voice recognition, natural language machine translation, and event simulation," the document says.

Despite the details, in many places, the information assurance efforts the NSA carries out for the DoD are outlined in largely broad strokes, so it's difficult to tell what's actually going on at the program level. Further, many of the line items in the budget are labeled either "N/A" or "Classified and Intelligence," so, other than the general category of spending (e.g., "IA Engineering and Development") and the total dollar figures attached, it's impossible to know much more about their details.

Not included in this spending is a large data center NSA is constructing at Camp Williams in Utah to support the partially classified Comprehensive National Cybersecurity Initiative. NSA is requesting $398 million to continue construction on that project, which according to another DoD budget document, is expected to be completed by May 2014.

However, the request does detail a few of the NSA's accomplishments from last fiscal year, including: the development of a tool called USBDetect that reports unauthorized use of USB thumb drives and other external storage devices; the development of a smartphone called SME-PED that protects voice communications classified up to Top Secret and data connectivity classified up to Secret; the development of next-generation encryption through a program called programmable objective encryption technologies; and the installation of POET technologies into bombers, reconnaissance planes, and the Air Force's command and control systems, among other places.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.