Risk
4/9/2010
10:46 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Details Information Assurance Spending

The National Security Agency plans to spend $902 million on information assurance in fiscal 2011, funding everything from advanced encryption to cyber warfare training.

The National Security Agency will spend $902 million on information assurance next year, according to an NSA budget request posted on a Department of Defense Web site, providing a rare insight into a sliver of the secretive intelligence agency's spending.

The request covers spending from the NSA's Information Assurance Directorate, which provides products and services to secure national security systems -- think cybersecurity for military command and control and weapons systems, among numerous things. The Department of Defense, naturally, is the IAD's largest customer, though other agencies can request its services on a case-by-case basis.

The NSA is decreasing its spending on information assurance from $972 million last year to $915 million this year and $902 million next year, though those decreases come as the military ramps up its own spending on information assurance. About half of the NSA's budget will be spent on research, development, and testing, while much of the other half will be spent on operations. The little left over will be spent on procurement.

The document lays out the NSA's information assurance efforts and plans across a number of categories, including computer network defense, encryption, identity, access management, and workforce development, and goes into some specifics in a few of those areas.

For example, the NSA plans to spend $112 million in fiscal 2011 on cryptographic systems, including those integrated into combat systems and nuclear command and control, secure voice and data links, and a program it calls "space cryptography." NSA plans to spend an additional $46 million on cryptographic key management.

NSA's public key infrastructure spending includes the addition of new protocol support for its certificate validation services, development of biometrics support, a monitoring capability for Red Hat Certificate Management Systems, and the capability for NSA-developed PKI to interoperate with other systems across the government and private sector.

The NSA will also spend $18.6 million training cyber warriors working at the DoD. "Providing a continuum of learning activities is fundamental for recruitment and retention of highly qualified cyber warriors," the document says. "Their work roles require ensuring effective development to perform proactively or in response to executed threats and to ensure accomplishment of operationally assigned tasks."

NSA is continuing work on what's known as the High Assurance Platform, which it has referred to as "a framework for the development of the next generation of secure computing platforms." HAP includes enabling such capabilities as multiple security domains -- and therefore, for example, potential access to multiple levels of classified information -- on the same client using virtualization. IBM and VMware have both publicly announced their support as contractors for the HAP program. In fiscal 2011, NSA will operationalize the second generation of HAP and begin work on the third generation.

NSA is also continuing advanced research on secure hardware. "The Advanced Computing Research program will continue to promote ideation in the creation of new chip multiprocessor technologies that will benefit the missions of NSA in cryptology, digital signal processing, filtering and selection, intrusion detection, knowledge discovery, voice recognition, natural language machine translation, and event simulation," the document says.

Despite the details, in many places, the information assurance efforts the NSA carries out for the DoD are outlined in largely broad strokes, so it's difficult to tell what's actually going on at the program level. Further, many of the line items in the budget are labeled either "N/A" or "Classified and Intelligence," so, other than the general category of spending (e.g., "IA Engineering and Development") and the total dollar figures attached, it's impossible to know much more about their details.

Not included in this spending is a large data center NSA is constructing at Camp Williams in Utah to support the partially classified Comprehensive National Cybersecurity Initiative. NSA is requesting $398 million to continue construction on that project, which according to another DoD budget document, is expected to be completed by May 2014.

However, the request does detail a few of the NSA's accomplishments from last fiscal year, including: the development of a tool called USBDetect that reports unauthorized use of USB thumb drives and other external storage devices; the development of a smartphone called SME-PED that protects voice communications classified up to Top Secret and data connectivity classified up to Secret; the development of next-generation encryption through a program called programmable objective encryption technologies; and the installation of POET technologies into bombers, reconnaissance planes, and the Air Force's command and control systems, among other places.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.