Remarks by the Honorable Emmett Paige, Jr.
Assistant Secretary of Defense (Command, Control, Communications and Intelligence)
to the "Global Information Explosion: Threat to National Security" Conference
National Security Industrial Association / National Defense University Foundation
Fort McNair, Washington, D.C.
16 May 1995

Good morning. It is, indeed, a pleasure for me to be here today. I have been asked to share with you my views on the challenges facing us in acquiring and protecting software and the steps the Department of Defense is taking to meet these challenges. I welcome this opportunity to address so many of the information technology leaders and innovators from industry, academia, government and the media, and of course that includes the "self-proclaimed experts" or "gadflies", for I am certain that how we will acquire and protect our software could be one of the cornerstones of the information age, and we learn by having dialogues such as this.

As we all know, in this century, Americans have had to travel great distances, by plane, and ship, and motorized vehicle, to conduct the commerce and defense of our nation. None of us should be surprised, when historians look back on this time, and suggest that the foremost factor that influenced our national economic and military wellness was our ability to maintain access to almost unlimited supplies of oil, or as some of us call it "black gold." I am equally convinced that our nation's wellness in the next century depends, primarily, not on oil, but, rather, on how we cope with the opportunities and threats that we face in the electronics revolution, to include our information systems. Of course it is the availability of modern worldwide communications connectivity that has created the challenges for us in both the military and the commercial sector.
In the twenty-first century, our economic competitors will gauge our national strength, not only by the sales rung up at our malls and in the international marketplace, but also by our cleverness and inventiveness in the ways in which we harness the enormous power of software and electronics to serve both our domestic and foreign markets. Our potential military adversaries will not be deterred by our qualitative strength in personnel or conventional weapon systems as we know them today, but you can be assured that they will be deterred by what our smart weapons, mostly driven by software, will do to them if they be so bold as to challenge our national interests.

Today the United States is the world's greatest user of software in any sector. Led by our robust software industry, a massive growth of communications and computing technologies, networks and a host of information appliances has created an information explosion that is having a significant impact on every sector of American society. But today's dependence is only a mere foreshadowing of what will happen in the coming decades when software will run our homes, our cars, and our offices. In this software-dependent future, we will also become more vulnerable to our adversaries than we ever have been before in our history, as they too, regardless of size, will have growing access to the same commercial technologies that we are becoming more and more dependent upon. Yes, there is a downside to our ubiquitous reliance upon software. For while software is the key to our nation's future, how we will acquire and protect our software has become our preeminent national security challenge.

First, let us look at software acquisition. Software is the key driver for the cost, schedule, and performance of our weapons, command and control, and information systems. The efficient acquisition of software is thus the critical path to our ability to support our warfighters.
It is ironic that at the exact moment in our nation's history that software is becoming our key economic and military driver and needs to be reliable, flexible, reusable, available, and inexpensive, all too often our software is predictable -- predictably late, predictably too costly, and predictably rigid. As we depend on more and more commercial off-the-shelf technology, we will become more and more susceptible to the planting of trap doors by unsuspecting software programmers in software developed abroad.

One approach that the Department is taking to solve these software acquisition problems is through the legislative arena. We have been asked to provide input to several measures being developed by Congress that will affect software acquisition, and we have responded with several high-payoff recommendations. To reduce software acquisition risks, we should use performance measures and metrics to measure costs, schedule, benefits, and performance. And, when a system fails to meet these measures, we must stop or cancel it. With reduced budgets, we must make every effort to acquire only software that will help us do our business better. Therefore, we must use business process reengineering to ensure that our functional processes are validated and streamlined before software is developed or acquired. To reduce and control costs, we should reuse government-developed software systems, components and data elements in lieu of new development everywhere it makes sense; acquire commercial-off-the-shelf hardware and software in lieu of reinventing existing technology; and initiate smaller and more frequent contracts, to promote competition and provide access to state-of-the-art technological developments. To further assure that the software we use will be finished on schedule and work as described, we must get away from the classic "grand design" systems, and instead adopt the concepts of incremental and evolutionary system development.
To succeed, we must always assure that our projects are sized to manageable levels. While I have been pursuing many of these initiatives within the Department of Defense, I fully recognize that there are other, more technical inhibitors to software acquisition. No one is more aware than I am that software has been the Achilles' heel of so many of our Department of Defense systems. I am also aware that one of the prime reasons behind this is that the fifty-year-old U.S. software industry is far from a mature engineering process. Possibly, late in the first decade of the next century we will enter the engineering stage of software development. Then, the development process will be mechanized; software will be built from off-the-shelf parts; and interfaces built with self-contained artificial intelligence. But how are we in DoD going to get to this new software "millennium"?

First, we are going to change our culture. In 1994 the Defense Science Board recommended in their study "Acquiring Defense Software Commercially" that DoD make immediate fixes to our software acquisition culture by: empowering program managers to use best commercial practices; utilizing software system architecture as a management tool; expanding educational requirements for personnel in software acquisition management and development; focusing on expected results to define successful performance; encouraging use and integration of commercial off-the-shelf software where applicable; and expanding the software technology base to take advantage of commercial research and development. Based on this DSB report, I, along with Noel Longuemare, mandated in July of last year the immediate adoption of software acquisition best practices.
To further respond to the DSB study, the Department established a "Software Management Initiative," and to guarantee senior leadership involvement in this initiative, we have set up a "Software Management Executive Board" co-chaired by Noel Longuemare, PDUSD (A&T), and myself. Under this board, we established a "Software Management Review Council" co-chaired by OUSD (A&T) and my office. It is in this arena that the real implementation battles on changing the DoD software acquisition culture are being fought. Four process action teams, each addressing specific DSB recommendations in the areas of software acquisition best practices, software acquisition education, software acquisition policy, and the software technology base, have been chartered. These process action teams have recently made their initial recommendations to the Software Management Review Council. I am encouraged by their progress, but they still have a way to go.

Next, we are moving out smartly in the area of software reuse. When we spend dollars on software, we should be able to get maximum benefits from its use -- and from its re-use. Industry has experienced a 10 to 15 percent reduction in software development cost from reuse. The bigger payoff is in maintenance -- which is the bulk of our software costs -- with a 2 to 5 times reduction in maintenance costs. Software reuse must be planned into our systems. Software modules must be written so that the modules can be reused to meet other software needs. This modularity will not only decrease the maintenance costs of the system originating the modules, but will also decrease -- substantially -- the development costs of future systems reusing the modules. The Defense Information Systems Agency is leading our software reuse initiative.
They have recently completed a draft reuse strategic plan which focuses on high-payoff areas such as systematic, planned, not opportunistic, reuse; the institutionalization of reuse as a process, not an end-product; and the designation of Ada as the foundation upon which to base reuse efforts.

Yes, in case any of you have been waiting for me to say something about Ada, wait no more. DoD's policy on programming languages for both information and weapons systems is clear. The direction is: first, acquire commercial-off-the-shelf software products. It makes good business and common sense to use COTS. This means the software will be maintained by the vendor and the government will buy upgrades off the shelf, just like any other business entity. Second, if the software is to be written or maintained by DoD, we will utilize the Ada programming language and the software engineering principles it supports. Ada itself is still maturing, and I look forward to the widespread availability of the new features that are available with Ada 95 to make it easier to use and more amenable to working with modules written in other languages. This was recognized when Ada 95 was approved by the national and international standards bodies this year. Ada and reuse are vital to providing information to users when they need it, as they need it, no matter where they need it.

But I am here to tell you that there are no silver bullets in software development and acquisition, and I do not believe there are any on the foreseeable horizon. We need a whole suite of things to support the development and use of quality software. Our Integrated Computer Aided Software Engineering (I-CASE) acquisition provides us with an integrated set of commercial-off-the-shelf CASE tools for developing and supporting quality software. The I-CASE procurement holds the promise of enabling software engineers to do more things and to do them more quickly. Again, CASE is no silver bullet.
Let me now shift gears to software security. All of these legislative and technical fixes that we are making will be worthless if we are not able to protect our software today and in the future. The Joint Security Commission, chartered by the Secretary of Defense and the Director of Central Intelligence, considered "the security of information systems and networks to be the major security challenge of this decade and possibly the next century...." That is the bad news. I am convinced that they did not overstate the seriousness of the situation. The situation that we find ourselves in with the systems in Defense is the result of 15 to 20 years of neglect. Some people might say it was years of "risk management," with the majority of our defense information systems being unprotected because they are not considered to be classified. So we can accurately call them "open systems," meaning open to anyone who has a desire to get into them.

The good news is that, from Secretary Perry on down, the Department of Defense is vigorously addressing this challenge. Secretary Perry has charged me with the responsibility for establishing and maintaining information superiority for the Department of Defense, in support of military operations and the national security strategy of the United States. Software protection, or the protection of our automated systems, is one of my front-burning issues. While I must assure our commanders in the field the global, interoperable connectivity; near-real-time data collection, analysis, and dissemination; and precise and timely targeting information for their smart weapons that is essential to successful operations in a modern combat context, I know that the information technologies we rely on to provide a military advantage can also render us tremendously vulnerable if the information flow can be exploited, modified, or disrupted.
I'm also aware that as we take greater advantage of commercial information products and services to accomplish our missions and to reduce the Department's operating expenses, we assume the vulnerabilities of the commercially owned, and largely unprotected, national information infrastructure. Let there be no doubt that the overlap of military and civil infospheres is a defense fact of life. Today, tomorrow, and in the future, DoD will depend on the civilian infosphere in both peace and war. As a result, the national information infrastructure, which moves the information that is the economic, social, and military backbone of the nation, becomes a more attractive and high-payoff target for attack by virtually anyone with a computer and modem. The end of the Cold War has also revised our entire security equation. The doctrine of the Cold War era preserved this nation as a sanctuary. Today, the threats to our nation are borderless, and the critical mass for attack has extended down to the individual. Our assumption that the nation is a sanctuary is now invalidated.

What are the steps we are taking to protect our software? First, we are modifying our entire national military doctrine to reflect the emerging information age and its new vulnerabilities and challenges. We are calling this new doctrine "defensive information warfare." Under defensive information warfare we will integrate and apply a variety of operational and technical disciplines to ensure that software, information and information systems that are important to the national military strategy are designed and employed to afford appropriate protection from exploitation, degradation, and denial. A subset of defensive information warfare pertains to information systems security, or INFOSEC. Under INFOSEC, we have developed a goal security architecture for the Department that is driving and guiding our security technology and product development and implementation programs.
We are also supporting the development of a security engineering capability maturity model that will help assure that security is addressed as an integral part of our future systems and software design, not added later. We are investing in the development of affordable and commercially compatible security products. And we are establishing a security management infrastructure that includes improved training and awareness and more responsive security processes. Security that is integral to specific defense systems will be funded as part of those systems' costs, up front, and not as an afterthought. Likewise, resources for research and development, support services, and process improvements critical to enhancing our security posture and capabilities will be given high priority in our future information systems security program requests. That does not equate to an assurance that we will get all of the dollars we ask for, when we ask for them. Affordability will continue to be an issue for us, and tradeoffs will have to continue to be made with other weapon platforms.

To respond to software security threats, we are pursuing a broad range of research and product development efforts that will enhance our ability to protect data, systems, and networks. In the near term, we have targeted major elements of the Defense Information Infrastructure, such as the Defense Messaging System, the transmission and switching systems which comprise the Defense Information Systems Network, and the DISA-operated Defense Mega Centers, for security enhancements. Investing in protection against attacks, however, is only a part of the solution. Our ability to detect attacks and respond appropriately is critical to our ability to maintain control of our information assets and provide reliable services.
DISA has taken the lead in this area, consistent with its charter to protect the Defense Information Infrastructure, and is working with the military services to ensure that consistent and effective procedures and operating policies are established across the DoD. Data integrity, data and system availability, strong identification and authentication, and non-repudiation mechanisms are also being addressed. NSA and DISA are working together on the Multilevel Information Systems Security Initiative (MISSI) that will provide a multilevel security capability for networked automated information systems while ensuring that: users can access only that information to which they are authorized; information is protected from unauthorized modification; and users are identified and authenticated. To facilitate the introduction of MISSI-provided security capabilities, I have recently mandated that all future workstations and personal computers acquired by the Department come equipped with a minimum of two PCMCIA Type II slots. Having this capability will allow us to deploy NSA-developed Fortezza PCMCIA cards that will provide encryption/decryption for e-mail and computer-generated faxes and implement the Digital Signature Standard for authentication. Follow-on increments of MISSI will provide higher levels of security.

This concludes my presentation. I appreciate the time that you have given me today. Should any of you have any questions, I would be glad to entertain them at this time.