

NOTE: from unofficial posting to comp.lang.ada on May 16, 1995


remarks
by
the honorable emmett paige, jr.
assistant secretary of defense
(command, control, communications and intelligence)
to the
"global information explosion: threat to national security" conference
national security industrial
association/national defense university foundation
fort mcnair, washington, d.c.
16 may 1995


	good morning.  it is, indeed, a pleasure for me to be here today.
i have been asked to share with you my views on the challenges facing us in
acquiring and protecting software and the steps the department of defense
is taking to meet these challenges.  i welcome this opportunity to address
so many of the information technology leaders and innovators from  industry,
academia, government and the media,  and of course that includes the "self
proclaimed experts"    or  "gadflys",  for i am certain that how we
will acquire and protect our software could be one of the cornerstones of
the information age, and we learn by having dialogues such as this. as we all
know, in this century, americans have had to travel great distances, by plane,
and ship, and motorized vehicle, to conduct the commerce and defense of our
nation.
	none of us should be surprised when historians look back on this
time and suggest that the foremost factor that influenced our national
economic and military wellness was our ability to maintain access to almost
unlimited supplies of oil, or as some of us call it, "black gold."
	i am equally convinced that our nation's wellness in the next century
depends, primarily, not on oil, but, rather, on how we cope with the
opportunities and threats that we face in the electronics revolution to
include our information systems. of course it is the availability of
modern worldwide communications connectivity that has created the challenges
for us in both the military and the commercial sector.
	 in the twenty first century, our economic competitors will gauge our
national strength, not only by the sales rung up at our malls and in the
international marketplace, but also by our cleverness and inventiveness in
the ways in which we harness the enormous power of software and electronics
to serve both our domestic and foreign markets.
	our potential military adversaries will not be deterred by our
qualitative strength in personnel or conventional weapon systems as we know
them today, but you can be assured that they will be deterred by what our
smart weapons, mostly driven by software, will do to them if they be so bold as
to challenge our national interests.
	today the united states is the world's greatest user of software in
any sector.
	 led by our robust software industry, a massive growth of
communications and computing technologies, networks and a host of
information appliances has created an information explosion that is having
a significant impact on every sector of american society.  but today's
dependence is only a mere foreshadowing of what will happen in the coming
decades when software will run our homes, our cars, and our offices.
	in this software dependent future, we  will also become more
vulnerable to our adversaries than we ever have been before in our history,
as they too, regardless of size, will have growing access to the same
commercial technologies that we are becoming more and more dependent upon.
	yes, there is a downside to our ubiquitous reliance upon software.
for while software is the key to our nation's future, how we will acquire
and protect our software has become our preeminent national security challenge.
first, let us look at software acquisition.
	software is the key driver for the cost, schedule, and performance of
our weapons, command and control, and information systems.  the efficient
acquisition of software is thus the critical path to our ability to support
our warfighters.
	it is ironic that at the exact moment in our nation's history that
software is becoming our key economic and military driver and needs to be
reliable, flexible, reusable, available, and inexpensive, all too often our
software is predictable -- predictably late, predictably too costly, and
predictably rigid. as we depend on more and more commercial off the shelf
technology we will become more and more susceptible to the planting of trap
doors by unsuspecting software programmers in software developed abroad.

	one approach that the department is taking to solve these software
acquisition problems is through the legislative arena.
	 we have been asked to provide input to several measures being
developed by congress that will affect software acquisition and we have
responded with several high payoff recommendations.
	to reduce software acquisition risks, we should use performance
measures and metrics to measure costs, schedule, benefits, and performance.
and, when a system fails to meet these measures, we must stop or cancel it.
	with reduced budgets, we must make every effort to acquire only
software that will help us do our business better.  therefore, we must use
business process reengineering to ensure that our functional processes are
validated and streamlined before software is developed or acquired.
	to reduce and control costs, we should reuse government developed
software systems, components and data elements in lieu of new development
everywhere it makes sense; acquire commercial-off-the-shelf hardware and
software in lieu of reinventing existing technology; and, initiate smaller
and more frequent contracts, to promote competition and provide access to
state-of-the-art technological developments.
	to further assure that the software we use will be finished on
schedule and work as described, we must get away from the classic "grand
design" systems, and instead, adopt the concepts of incremental and
evolutionary system development.  to succeed, we must always assure that
our projects are sized to manageable levels.
	while i have been pursuing many of these initiatives within the
department of defense, i fully recognize that there are other, more technical
inhibitors to software acquisition.
	no one is more aware than i am that software has been the achilles
heel of so many of our department of defense systems.  i am also aware that
one of the prime reasons behind this is that the fifty-year old u.s. software
industry is far from a mature engineering process.
	possibly, late in the first decade of the next century we will enter
the engineering stage of software development.  then, the development process
will be mechanized;  software will be built from off-the-shelf parts; and,
interfaces built with self-contained artificial intelligence.  but how are
we in dod going to get to this new software "millennium"?
	first, we are going to change our culture.
	in 1994 the defense science board recommended in their study
"acquiring defense software commercially," that dod make immediate fixes to
our software acquisition culture by empowering program managers to use best
commercial practices; utilizing software system architecture as a management
tool; expanding educational requirements for personnel in software acquisition
management and development; focusing on expected results to define successful
performance; encouraging use and integration of commercial off-the-shelf
software where applicable; and, expanding the software technology
base to take advantage of commercial research and development.
	based on this dsb report, i, along with noel longuemare, mandated in
july of last year, the immediate adoption of software acquisition best
practices.
	to further respond to the dsb study, the department established a
"software management initiative" and to guarantee senior leadership
involvement in this initiative, we have set up a "software management
executive board" co-chaired by noel longuemare, pdusd (a&t) and myself.
	under this board, we established a "software management review
council" co-chaired by ousd (a&t) and my office.  it is in this arena that
the real implementation battles on changing the dod software acquisition
culture are being fought.
	four process action teams, each addressing specific dsb
recommendations in the areas of software acquisition best practices,
software acquisition education, software acquisition policy, and the
software technology base have been chartered.
	 these process action teams have recently made their initial
recommendations to the software management review council.  i am encouraged
by their progress but they still have a way to go.
	next, we are moving out smartly in the area of software reuse.  when
we spend dollars on software, we should be able to get maximum benefits from
its use -- and from its re-use.
	industry has experienced a 10 to 15 percent reduction in software
development cost from reuse.  the bigger payoff is in maintenance -- which
is the bulk of our software costs -- with a 2 to 5 times reduction in
maintenance costs.
	software reuse must be planned into our systems.  software modules
must be written so that the modules can be reused to meet other software
needs.  this modularity will not only decrease the maintenance costs of the
system originating the modules, but will also decrease -- substantially --
the development costs of future systems reusing the modules.
	the defense information systems agency is leading our software reuse
initiative.  they have recently completed a draft reuse strategic plan which
focuses on high payoff areas such as systematic, planned, not opportunistic,
reuse; the institutionalization of reuse as a process, not an end-product;
and, the designation of ada as the foundation upon which to base reuse efforts.
	yes, in case any of you have been waiting for me to say something
about ada, wait no more.
	dod's policy on programming languages for both information and
weapons systems is clear.
	the direction is:  first, acquire commercial-off-the-shelf software
products.  it makes good business and common sense to use cots.  this means
the software will be maintained by the vendor and the government will buy
upgrades off-the-shelf, just like any other business entity.
	second, if the software is to be written or maintained by dod, we
will utilize the ada programming language and the software engineering
principles it supports.
	ada itself is still maturing, and i look forward to the widespread
availability of the new features that are available with ada 95 to make it
easier to use and more amenable to working with modules written in other
languages.  this was recognized when ada 95 was approved by the national
and international standards bodies this year.
	ada and reuse are vital to providing information to users when they
need it, as they need it, no matter where they need it.  but i am here to
tell you that there are no silver bullets in software development and
acquisition and i do not believe there are any on the foreseeable horizon.
	we need a whole suite of things to support the development and use
of quality software.  our integrated computer aided software engineering
(i-case) acquisition provides us with an integrated set of commercial-off-
the-shelf case tools for developing and supporting quality software.  the
i-case procurement holds the promise of enabling software engineers to do
more things and to do them more quickly. again, case is no silver bullet.
	let me now shift gears to software security.
	all of these legislative and technical fixes that we are making will
be worthless if we are not able to protect our software today and in the future.
	the joint security commission, chartered by the secretary of defense
and the director of central intelligence, considered "the security of
information systems and networks to be the major security challenge of
this decade and possibly the next century...."  that is the bad news. i
am convinced that they did not overstate the seriousness of the situation.
the situation that we find ourselves in with the systems in defense is the
result of 15 to 20 years of neglect. some people might say it was years of
"risk management" with the majority of our defense information systems being
unprotected because they are not considered to be classified.  so we can
accurately call them "open systems," meaning open to anyone who has a desire
to get into them.
	the good news is that, from secretary perry on down, the department
of defense is vigorously addressing this challenge.
	secretary perry has charged me with the responsibility for
establishing and maintaining information superiority for the department of
defense, in support of military operations and the national security strategy
of the united states.  software protection or the protection of our automated
systems is one of my front-burning issues.
	while i must assure our commanders in the field the global,
interoperable connectivity; near real-time data collection, analysis, and
dissemination; and precise and timely targeting information for their smart
weapons that is essential to successful operations in a modern combat context,
i know that the information technologies we rely on to provide a military
advantage can also render us tremendously vulnerable if the information flow
can be exploited, modified, or disrupted.
	 i'm also aware that as we take greater advantage of commercial
information products and services to accomplish our missions and to reduce
the department's operating expenses, we assume the vulnerabilities of the
commercially owned, and largely unprotected, national information
infrastructure.  let there be no doubts that the overlap of military and
civil infospheres is a defense fact of life. today, tomorrow, and in the
future dod will depend on the civilian infosphere in both peace and war.
	as a result, the national information infrastructure, which moves
the information that is the economic, social,  and military backbone of the
nation, becomes a more attractive and high pay-off target for attack by
virtually anyone with a computer and modem.
	the end of the cold war has also revised our entire security
equation. the doctrine of the cold war era preserved this nation as a
sanctuary.  today, the threats to our nation are borderless and the
critical mass for attack has extended down to the individual.  our
assumption that the nation is a sanctuary is now invalidated.
	what are the steps we are taking to protect our software?
	first, we are modifying our entire national military doctrine to
reflect the emerging information age and its new vulnerabilities and
challenges.  we are calling this new doctrine "defensive information
warfare".
	under defensive information warfare we will integrate and apply a
variety of operational and technical disciplines to ensure that software,
information and information systems that are important to the national
military strategy are designed and employed to afford appropriate protection
from exploitation, degradation, and denial.
	a subset of defensive information warfare pertains to information
systems security, or infosec.  under infosec, we have developed a goal
security architecture for the department that is driving and guiding our
security technology and product development and implementation programs.
	we are also supporting the development of a security engineering
capability maturity model that will help assure that security is addressed
as an integral part of our future systems and software design, not added later.
	we are investing in the development of affordable and commercially
compatible security products. and, we are establishing a security management
infrastructure that includes improved training and awareness and more
responsive security processes.
	security that is integral to specific defense systems will be
funded as part of those systems' costs, up front, and not as an afterthought.
	likewise,  resources for research and development, support services,
and process improvements critical to enhancing our security posture and
capabilities will be given high priority in our future information systems
security program requests. that does not equate to an assurance that we will
get all of the dollars we ask for, when we ask for them. affordability will
continue to be an issue for us and tradeoffs will have to continue to be made
with other weapon platforms.
	to respond to software security threats, we are pursuing a broad range
of research and product development efforts that will enhance our ability to
protect data, systems, and networks.
	in the near-term, we have targeted major elements of the defense
information infrastructure, such as the defense messaging system, the
transmission and switching systems which comprise the defense information
systems network, and the disa operated defense mega centers for security
enhancements.
	investing in protection against attacks, however, is only a part
of the solution. our ability to detect attacks and respond appropriately
is critical to our ability to maintain control of our information assets
and provide reliable services.  disa has taken the lead in this area,
consistent with its charter to protect the defense information infrastructure,
and is working with the military services to ensure that consistent and
effective procedures and operating policies are established across the dod.
	data integrity, data and system availability, strong identification
and authentication, and non-repudiation mechanisms are also being addressed.
	nsa and disa are working together on the multilevel information
systems security initiative (missi) that will provide a multilevel security
capability for networked automated information systems while ensuring that:
users can access only that information to which they are authorized;
information is protected from unauthorized modification; and users are
identified and authenticated.
	to facilitate the introduction of missi provided security
capabilities, i have recently mandated that all future workstations and
personal computers acquired by the department come equipped with a minimum
of two pcmcia type ii slots.  having this capability will allow us to deploy
nsa-developed fortezza pcmcia cards that will provide encryption/decryption
for e-mail and computer generated faxes and implement the digital signature
standard for authentication.  follow-on increments of missi will provide
higher levels of security.
	this concludes my presentation.  i appreciate the time that you have
given me today.  should any of you have any questions, i would be glad to
entertain them at this time.