Wild ICAT Adventure (Cont.)
by Lewis Z. Koch

When last we left Peter Mell, he was working at the National Institute of Standards and Technology's Computer Security Division - assisted by four part-time interns, including a high school student - to develop crucial "differential diagnosis" software. The idea: to make it possible to search for specific security vulnerabilities in computer systems and locate appropriate databases, fixes and patches.

Mell called the program ICAT, an apparent acronym that actually stands for nothing, though the home page of the ICAT Web site sports an illustration of three felines. It took Mell's tiny ad-hoc team only eight weeks and less than $50,000 to develop ICAT. The result is a Web-based program with a continuously updated, searchable index of known software vulnerabilities. The project can substantially benefit the tens of thousands of people charged with keeping the nation's computers, Web sites and e-mail servers running 24 by 7.

Mell estimates it would cost $60,000 per year to maintain the program, an indiscernible pittance in government terms. Yet no federal agency would agree to pay it. That's because in the bureaucratic mindset, power equals the dollars you spend, not how much you save.

There's no glory in covering a $60,000 project, but ask for $60 billion - the kind of money needed to finance the "Star Wars" Strategic Defense Initiative - and agencies scramble for a piece of the action. Who cares if it works?

By those standards, ICAT is twice cursed: It's cheap, and it's of great value to businesses. There are five basic reasons:

Economy. If you're a start-up e-business in fast-growth mode, more software usually means more opportunities for bugs, vulnerabilities and other security concerns. But how do you get an honest assessment of these problems? Certainly not by asking the manufacturers. Using ICAT, you can learn about the vulnerabilities of the brands and even the versions of the software before you buy.

Efficiency. ICAT provides a one-stop shop that can direct you to the right databases of known problems to avoid if you are, say, using a standard configuration for your servers, but running different software on computers within the system.

Security. Your information technology manager or systems guru insists an extra person is needed because the system's expansion means there's a greater likelihood that someone will try to break in; you're far more likely to approve the extra expense if he or she shows you evidence from ICAT that the software programs your company must run are vulnerable to any computer-literate thief.

Standardization. You're afraid of a buffer overflow problem because that's the one thing that can open your system to hackers and maybe even put your company out of business, but that very common problem can be buried in myriad terms you might never dream of searching. Search for "buffer overflow" in ICAT, and no matter what term the software maker or security company has used to describe it, you're able to get the information you need.

Forensics. If someone broke into your computer, ICAT's index offers a good chance that you'll be able to determine how it was done. That's the first crucial step in answering some fundamental questions: What did the intruder do? What privileges did he or she gain? What could the intruder have changed or deleted? This is the kind of evidence the FBI and its computer cops at the National Infrastructure Protection Center are supposed to gather, but often don't.
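As an added illustration (not ICAT's own code, and not part of the original column), the following Python builds a small vulnerability index of the kind the reasons above describe: free-text vendor wording is mapped onto canonical vulnerability classes, so a single search for "buffer overflow" finds entries however the vendor phrased them, and a product-and-version lookup lists known flaws before software is bought or deployed. Every product, version, description and URL in it is constructed for the example.

```python
"""Small term-normalised vulnerability index.

Added illustration, not ICAT's own code: every entry, product name and URL
below is constructed for the example.
"""
from dataclasses import dataclass

# Vendor and advisory phrases mapped onto one canonical vulnerability class,
# so that searching for "buffer overflow" also finds "stack smashing", etc.
SYNONYMS = {
    "buffer overflow": ("buffer overflow", "buffer overrun", "stack smashing",
                        "unchecked string copy", "heap overflow"),
    "format string": ("format string", "uncontrolled format specifier"),
    "path traversal": ("path traversal", "directory traversal", "dot-dot"),
}


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def canonical_class(term):
    """Canonical class for a search term or vendor phrase, or None if unknown."""
    t = term.lower().strip()
    for canon, variants in SYNONYMS.items():
        if t == canon or t in variants:
            return canon
    return None


def classify(wording):
    """Set of canonical classes whose phrases appear in free-text vendor wording."""
    w = wording.lower()
    return {canon for canon, variants in SYNONYMS.items()
            if any(v in w for v in variants)}


@dataclass(frozen=True)
class Entry:
    product: str
    first_affected: str      # inclusive lowest affected version
    last_affected: str       # inclusive highest affected version
    vendor_wording: str      # how the vendor or advisory described the flaw
    fix: str                 # where the patch or advisory lives (constructed URL)

    def affects(self, version):
        v = parse_version(version)
        return parse_version(self.first_affected) <= v <= parse_version(self.last_affected)

    @property
    def classes(self):
        return classify(self.vendor_wording)


# Constructed sample index; products, versions, wording and URLs are made up.
INDEX = [
    Entry("ExampleHTTPd", "1.0", "1.3",
          "Stack smashing in the request parser allows remote code execution",
          "https://example.invalid/advisories/httpd-1"),
    Entry("ExampleHTTPd", "2.0", "2.2",
          "Directory traversal via encoded dot-dot sequences in the URI",
          "https://example.invalid/advisories/httpd-2"),
    Entry("ExampleFTP", "3.1", "3.4",
          "Unchecked string copy of the USER argument",
          "https://example.invalid/advisories/ftp-1"),
    Entry("ExampleMail", "5.0", "5.0",
          "Uncontrolled format specifier reaches the logging routine",
          "https://example.invalid/advisories/mail-1"),
]


def search_class(index, term):
    """Standardization: one query term finds every entry of that class,
    whatever wording the vendor used. Unknown terms match nothing."""
    canon = canonical_class(term)
    if canon is None:
        return []
    return [e for e in index if canon in e.classes]


def search_product(index, product, version):
    """Economy and efficiency: list the known flaws in a specific product
    version before buying or deploying it."""
    return [e for e in index
            if e.product.lower() == product.lower() and e.affects(version)]


if __name__ == "__main__":
    for e in search_class(INDEX, "Buffer Overflow"):
        print(e.product, e.first_affected, "-", e.last_affected, "->", e.fix)
    for e in search_product(INDEX, "examplehttpd", "2.1"):
        print("ExampleHTTPd 2.1 affected by:", sorted(e.classes), e.fix)
```

The synonym table is the whole point: a real index grows it from the advisories it ingests, and a term that is not yet in the table deliberately returns nothing rather than a partial match, so the gap is visible to whoever maintains it.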

Though Mell declined to say which federal agencies turned down funding for ICAT, other sources made it clear that the FBI was one of several three-letter federal agencies that profess concern about computer intrusions, spies and thieves, yet refused to finance the project.

It's hard to believe their multibillion-dollar budgets couldn't stand an additional $60,000.

The sun breaks through

As I was struggling to understand the bureaucratic mindset, I was directed to a group known as System Administration, Networking and Security and to its director of research, Alan Paller. SANS is a powerful educational research organization, responding to the needs of roughly 100,000 systems administrators, security professionals and computer network folks. It publishes alerts, supports research and publications, and provides education and certification. Both the organization and Paller are highly respected, which is why he was invited to the White House for a meeting on Internet security with President Bill Clinton and his Cabinet.

Paller was surprisingly forthcoming in explaining why Mell's program wasn't financed. "Three things are high-risk in the federal agencies and in organizations," he said. "First, sharing the fact that one has been hacked. Second, telling people how to avoid being hacked. And third, telling people that you have avoided being hacked."

An agency that admits it has been hacked invites criticism and ridicule, as evinced by the aftermath of hackers vandalizing the Web sites of the Department of Justice and the FBI.

Telling people how to avoid being hacked carries a different threat. "The government agency that offers that kind of advice may not be legally liable," Paller said, but if an agency so advises a company and that company ends up being hacked anyway, "the agency runs the risk of being thought of as foolish."

Finally, Paller said, to brag about not being hacked is "to paint a bull's-eye on yourself."

Yet the more we discussed Mell's ICAT program, the more interested Paller became. "The guys who should be drooling over this," he said, "are the defenders and maybe the technical forensics guys, but also the systems administrators who live and die by this information."

The day after we talked, Paller went to the National Institute of Standards and Technology and initiated a plan to support an expanded ICAT. The new program will start in three weeks.

If they can ever be made to understand that the agencies charged with computer security can't handle the job, our elected officials might consider creating a dedicated computer security agency. If so, I know just the person to run it - and just the person to head up the R&D.

Lewis Z. Koch has been an investigative reporter for over 30 years. He can be reached at lzkoch@attbi.com.
