Risk
4/9/2010
10:46 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Details Information Assurance Spending

The National Security Agency plans to spend $902 million on information assurance in fiscal 2011, funding everything from advanced encryption to cyber warfare training.

The National Security Agency will spend $902 million on information assurance next year, according to an NSA budget request posted on a Department of Defense Web site, providing a rare insight into a sliver of the secretive intelligence agency's spending.

The request covers spending from the NSA's Information Assurance Directorate, which provides products and services to secure national security systems -- think cybersecurity for military command and control and weapons systems, among numerous things. The Department of Defense, naturally, is the IAD's largest customer, though other agencies can request its services on a case-by-case basis.

The NSA is decreasing its spending on information assurance from $972 million last year to $915 million this year and $902 million next year, though those decreases come as the military ramps up its own spending on information assurance. About half of the NSA's budget will be spent on research, development, and testing, while much of the other half will be spent on operations. The little left over will be spent on procurement.

The document lays out the NSA's information assurance efforts and plans across a number of categories, including computer network defense, encryption, identity, access management, and workforce development, and goes into some specifics in a few of those areas.

For example, the NSA plans to spend $112 million in fiscal 2011 on cryptographic systems, including those integrated into combat systems and nuclear command and control, secure voice and data links, and a program it calls "space cryptography." NSA plans to spend an additional $46 million on cryptographic key management.

NSA's public key infrastructure spending includes the addition of new protocol support for its certificate validation services, development of biometrics support, a monitoring capability for Red Hat Certificate Management Systems, and the capability for NSA-developed PKI to interoperate with other systems across the government and private sector.

The NSA will also spend $18.6 million training cyber warriors working at the DoD. "Providing a continuum of learning activities is fundamental for recruitment and retention of highly qualified cyber warriors," the document says. "Their work roles require ensuring effective development to perform proactively or in response to executed threats and to ensure accomplishment of operationally assigned tasks."

NSA is continuing work on what's known as the High Assurance Platform, which it has referred to as "a framework for the development of the next generation of secure computing platforms." HAP includes enabling such capabilities as multiple security domains -- and therefore, for example, potential access to multiple levels of classified information -- on the same client using virtualization. IBM and VMware have both publicly announced their support as contractors for the HAP program. In fiscal 2011, NSA will operationalize the second generation of HAP and begin work on the third generation.

NSA is also continuing advanced research on secure hardware. "The Advanced Computing Research program will continue to promote ideation in the creation of new chip multiprocessor technologies that will benefit the missions of NSA in cryptology, digital signal processing, filtering and selection, intrusion detection, knowledge discovery, voice recognition, natural language machine translation, and event simulation," the document says.

Despite the details, in many places, the information assurance efforts the NSA carries out for the DoD are outlined in largely broad strokes, so it's difficult to tell what's actually going on at the program level. Further, many of the line items in the budget are labeled either "N/A" or "Classified and Intelligence," so, other than the general category of spending (e.g., "IA Engineering and Development") and the total dollar figures attached, it's impossible to know much more about their details.

Not included in this spending is a large data center NSA is constructing at Camp Williams in Utah to support the partially classified Comprehensive National Cybersecurity Initiative. NSA is requesting $398 million to continue construction on that project, which according to another DoD budget document, is expected to be completed by May 2014.

However, the request does detail a few of the NSA's accomplishments from last fiscal year, including: the development of a tool called USBDetect that reports unauthorized use of USB thumb drives and other external storage devices; the development of a smartphone called SME-PED that protects voice communications classified up to Top Secret and data connectivity classified up to Secret; the development of next-generation encryption through a program called programmable objective encryption technologies; and the installation of POET technologies into bombers, reconnaissance planes, and the Air Force's command and control systems, among other places.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.