Since the modern military runs on networks, DARPA funds various programs to make networks better and more secure. One of these was CHATS. Here is the business case taken from the DARPA budget justification:

------
The Composable High Assurance Trusted Systems (CHATS) program is developing the tools and technology that enable the core network services to be protected from the introduction and execution of malicious code or other attack techniques and methods. These tools and technologies will provide the security services needed to achieve comprehensive-secure, highly distributed, mission-critical information systems for the DoD. A unique feature of CHATS is that these system capabilities will be developed by engaging the open-source community in security functionality for existing open-source operating systems. Additionally, DARPA will engage the open-source community in a consortium-based approach to create a "neutral", secure operating system architecture framework. This security architecture framework will then be used to develop techniques for composing OS capabilities to support both servers and clients in the increasing network-centric communications fabric of the DoD. In FY 2003 the CHATS program will move to project ST-24 in this program element.
------

For a time, DARPA even funded the ongoing work of the OpenBSD team, but political disagreements over the Iraq war scuttled that work. In roughly the same time frame, there was a project called LSAP (Linux Security Audit Project) that attempted to extend the methodology of OpenBSD to Linux. This was succeeded by Sardonix, which attempted to create a register of all audited open source software. For various reasons both of these projects fizzled. So why did OpenBSD succeed in their rigorous audit process? I believe it is because there was a firm hand at the helm who was able to keep them focused on their non-profit goal, namely secure operating software.
Now corporations do share one characteristic with OpenBSD which should allow them to be able to succeed in the same way. They have firm hands at the helm. However, they also have the profit motive, and it is often possible for corporations to avoid security issues in their systems and make profits anyway. That's where NANOG comes in. We are the customers of the router and switch manufacturers. We have the ability to tie the corporate profit motive together with a security imperative. I know that people on this list would rather talk about how to tweak the boxes and protocols to do the best with what we have available, but I think times have changed. The global community of hackers is our Al Qaeda, a leaderless mob that wants to break the network and control the network. If we want to prevent this, then we have to work as hard and as smart as the many people who are tackling Islamist terrorist cells. It's no longer good enough to just do the best we can with the boxes that vendors give us when those boxes are so easily compromised and when there is a community of people who are specifically targeting those boxes, unlike in the past.

--Michael Dillon