The US Defense Advanced Research Projects Agency (DARPA) has decided to classify a major research programme aimed at building defences against computer worms. The move has angered scientists who argue that both universities and the military would benefit if some of the project's results were published openly.

The $30.4-million programme is intended to counter the rising threat of worms that could hit every vulnerable machine on a network within seconds (see Nature 425, 3; 2003). It aims to develop techniques that will automatically identify new worms and quarantine them before they can spread.

Initial discussions on the programme included the protection of civilian computer networks, according to several participants. But when it was announced in March, the project was restricted to military networks, although elements of it were to be unclassified, enabling university researchers to participate. DARPA has now decided to classify the entire programme.

Stuart Staniford, president of Silicon Defense, a computer-security firm in Eureka, California, says he appreciates the need to classify the design details of secure systems. But he criticizes the decision to classify the whole programme, pointing out that this will exclude academics, as most of them don't have security clearance to do classified work. Those who do have clearance are not allowed to do the work on campus.

Several academics echo his complaints. “The growth of unclassified research in worm technology will be slower than it would otherwise have been,” says one, who did not want to be named. One DARPA official privately agrees that it is “a challenge” for the agency to fund academic research in classified areas, and that it tries to “identify long-term problems that can be researched in an unclassified setting by the academic community”.

DARPA's director, Tony Tether, hinted at greater classification of computer-security research in testimony given on 14 May to the House Committee on Science. He said that although DARPA's research in the area had proved useful in both commercial and military systems, the focus now had to be on “specific problems the Department of Defense needs solved for network-centric warfare”.

But one scientist at a leading US university, who wants to remain anonymous, says: “Once you start classifying, it shuts down that field of inquiry.” The worm programme, he says, contained “tons” of basic research that could have remained unclassified.

Researchers say that fresh, unclassified awards for computer security at DARPA have almost dried up, and that other agencies which might support the work — such as the Department of Homeland Security and the National Science Foundation (NSF) — have yet to step into the void. Congress has approved a measure that would allow the NSF and the National Institute of Standards and Technology to spend $880 million over five years on computer-security research, but this needs to be passed by appropriations committees in Congress before it becomes available.

Carl Landwehr of the NSF's computer-science directorate points out that DARPA's primary concern will always be military needs, adding that “if they find it appropriate to classify, they will”.