The Wild ICAT Adventure
by Lewis Z. Koch

This is a two-part story with a two-part theme: how our government works, and how it doesn't. How it recruits the best and brightest, then deliberately frustrates and stymies them. In other words, how the government giveth and how the government taketh away. It starts in the heart of federal bureaucracy, where an ingenious project was conceived, realized, nearly murdered and finally . . . well, stay tuned.

Peter Mell's mission - part one

It was a typical day at the National Institute of Standards and Technology, Peter Mell recalls. "I was browsing through hacker Web sites." A soft-spoken Southern man with degrees in computer science and mathematics from Vanderbilt University and the University of California at Davis, Mell is well-regarded by his peers as an expert in "intrusion detection." In other words, he studies how people break into computers. That's why he was, on taxpayers' money, browsing through such sites, wondering, he says, "What is the distribution of hacker attacks? There are thousands of them out there. Could I make any sense of them? What are the statistics? Are there any trends in computer attacks?"

It was not an unusual task for someone at NIST. NIST's role is to create laboratory-based research programs that enhance the competitiveness of American industry and speed the commercialization of new technology. In short, it sees itself as beholden to customers, not bureaucracy. So the culture is different from that of other government agencies, where the rule of thumb is take no risks and keep your head down. "We're encouraged around here," Mell says, "that if we think we have a good idea, we can take 10 [percent] to 20 percent of our time trying it out."

Mell thought what he was studying - computer attacks - was an important issue, because there appeared to be thousands of methods, flaws, bugs and vulnerabilities being exploited in countless attacks on computers.
The question was: Shouldn't there be one place where systems administrators and others concerned about computer security and safety can go to get information about the kinds of attacks they find, and how such attacks can be avoided or stopped? Of course there should.

Mell began by looking at the work of Mitre, a nonprofit corporation that claims to be "working in the public interest." Its board could almost double as the directors of the military industrial complex. Just looking at the directors' list on the company's Web site - retired admirals, generals and former cabinet secretaries - makes one want to stand and salute. But Mitre would like to shed some of that military image. It wants to be thought of as a kinder, gentler place, and now devotes some of its think-tank energies to improving the quality of the U.S. Customs Service and e-business, while maintaining its overall dedication to the improvement of war-fighting capabilities.

In that vein, Mitre came up with a simple idea for fighting software vulnerability. It started with the premise that the software industry makes more mistakes per square micron than any other industry, but hates to talk about it. It turns out no one from the software industry, the federal government, academia or the computer security industry was using the same words to describe software vulnerabilities and problems. You say "tomato" and I say "tomahto"; you say "buffer overflow in POP [Post Office Protocol] servers" and I say "buffer overflow in ToolTalk database server." Let's shut the whole thing down.

Instead, Mitre said it would develop a standard name for each known vulnerability, so everybody would know what everybody else was talking about. Eureka! It came up with a "dictionary" of vulnerabilities and security exposures, collated by an "editorial board" from academia, software makers, vendors, incident response teams and information providers. All agreed to assign a name and code number to each problem.
Befitting a company that's spent too much time working with the Pentagon, Mitre came up with a sexy, easy to remember name for its dictionary: Common Vulnerabilities and Exposures - a name that just trips off the tongue . . . kind of like National Infrastructure Initiative.

What was missing

Mitre's list contained valuable information, but information that a single systems security person might find only with the greatest difficulty. Under "software vulnerabilities," AltaVista lists 593,290 Web pages. Mell set out to simplify Mitre's dictionary by combining all the major vulnerability databases and advisories on one central Web page. His gathering of data would be refined by category:

Vendors - who manufactured the software, and any sources of further information.
Severity of the attack - high, medium or low.
Range of exploit - remote or local, denial-of-service, penetration.
Consequences - information theft, machines shut down, data changed, control of machine.
Vulnerability type - buffer overflow, configuration, etc.
Operating system - Windows, Unix, etc.

Mell's program, called ICAT - pronounced "eye-cat" and an acronym for nothing - would provide search capability at a fine granularity while offering links to information about fixes and patches. In other words, ICAT would offer probabilities. It would say that, given your description, there's a 91 percent chance that it's a Brand X problem and here's where to go to find a page that can help. Or it's likely a Brand Y problem, and here's where you can go to get the patch. In medicine, this type of analysis is called a "differential diagnosis."

In a relatively short period of time by government standards - about eight weeks, using part-time student workers - the ICAT project was ready. It was developed for less than $50,000, and would be extraordinarily useful to hundreds of thousands of computer systems administrators in and out of government. Success?
Is it working? In the next column we'll find out which multibillion-dollar
government agencies refused to spend $60,000 per year to implement the
project that would provide immense benefit to government, business and the
world's 110 million Americans using computers. And we'll find out if this
potentially disastrous refusal to spend a Pentagon pittance was rectified.
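The two ideas the column describes, one canonical name per vulnerability (Mitre's dictionary) and a catalogue that can be searched by vendor, severity, range, consequence, type and operating system with a link to the fix (Mell's ICAT), as an added example that is not code from NIST, Mitre or this column: a toy Python index in which every vendor or advisory name resolves to a single identifier, records are filtered by those facets, and the catalogue can be summarised by the distribution Mell was asking about. Every record, identifier, vendor name and URL below is constructed for illustration.

```python
"""Toy ICAT-style index: one canonical name per vulnerability, faceted search,
and simple distribution statistics over the catalogue.

Added example; not NIST's ICAT or MITRE's CVE code. All records, identifiers,
vendors and URLs are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str                    # canonical name: exactly one per vulnerability
    aliases: tuple[str, ...]       # vendor / advisory names for the same issue
    vendor: str                    # who made the software
    severity: str                  # "high", "medium" or "low"
    exploit_range: str             # "remote" or "local"
    consequences: tuple[str, ...]  # e.g. "information theft", "control of machine"
    vuln_type: str                 # e.g. "buffer overflow", "configuration"
    os: str                        # "Windows", "Unix", ...
    patch_url: str                 # where the fix is published


# Constructed sample catalogue (hypothetical IDs, vendors and URLs).
RECORDS = (
    VulnRecord("CVE-0000-0001", ("TT-DB-OVF", "ToolTalk database server overflow"),
               "ExampleCorp", "high", "remote", ("control of machine",),
               "buffer overflow", "Unix", "https://patches.example/tt-db"),
    VulnRecord("CVE-0000-0002", ("POP-OVF", "POP server buffer overflow"),
               "MailCo", "high", "remote", ("control of machine",),
               "buffer overflow", "Unix", "https://patches.example/pop"),
    VulnRecord("CVE-0000-0003", ("ANON-SHARE",),
               "ExampleCorp", "medium", "remote", ("information theft",),
               "configuration", "Windows", "https://patches.example/share"),
    VulnRecord("CVE-0000-0004", ("LOCAL-DOS",),
               "MailCo", "low", "local", ("machine shut down",),
               "denial of service", "Unix", "https://patches.example/dos"),
)


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key so 'POP-OVF' and 'pop-ovf' agree."""
    return " ".join(name.lower().split())


class VulnIndex:
    def __init__(self, records: Iterable[VulnRecord]) -> None:
        self._records = list(records)
        self._by_id = {r.cve_id: r for r in self._records}
        self._by_name: dict[str, str] = {}
        for r in self._records:
            for name in (r.cve_id, *r.aliases):
                key = _norm(name)
                # One name must never point at two different vulnerabilities,
                # otherwise the "standard name" promise is broken.
                if key in self._by_name and self._by_name[key] != r.cve_id:
                    raise ValueError(f"alias {name!r} is ambiguous")
                self._by_name[key] = r.cve_id

    def canonical(self, name: str) -> Optional[str]:
        """Map any vendor or advisory name to the single canonical identifier."""
        return self._by_name.get(_norm(name))

    def patch_for(self, name: str) -> Optional[str]:
        """Resolve a name, then hand back the link to the fix."""
        cid = self.canonical(name)
        return self._by_id[cid].patch_url if cid else None

    def search(self, **facets: str) -> list[VulnRecord]:
        """AND-filter on record fields; tuple-valued fields match on membership."""
        for f in facets:
            if f not in VulnRecord.__dataclass_fields__:
                raise KeyError(f"unknown facet {f!r}")
        hits = []
        for r in self._records:
            ok = True
            for f, want in facets.items():
                have = getattr(r, f)
                if isinstance(have, tuple):
                    ok = _norm(want) in {_norm(h) for h in have}
                else:
                    ok = _norm(have) == _norm(want)
                if not ok:
                    break
            if ok:
                hits.append(r)
        return sorted(hits, key=lambda r: r.cve_id)

    def distribution(self, facet: str) -> Counter:
        """Count records per facet value, e.g. how many are buffer overflows."""
        return Counter(getattr(r, facet) for r in self._records)


INDEX = VulnIndex(RECORDS)

if __name__ == "__main__":
    print(INDEX.canonical("pop server buffer overflow"))
    for r in INDEX.search(severity="high", exploit_range="remote"):
        print(r.cve_id, r.vendor, r.patch_url)
    print(INDEX.distribution("vuln_type"))
```

The alias table is what makes the "tomato/tomahto" problem go away: both the POP-server and the vendor's own name for the same bug land on one identifier, and the index refuses to load if a name is claimed by two records. Searching is a plain conjunction of facets, which is all the fine-grained lookup the column describes needs; the `distribution` method answers Mell's original question about what kinds of attacks dominate a catalogue.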
Lewis Z. Koch has been an investigative reporter for over 30 years.
He can be reached at lzkoch@attbi.com.