Defense panel worries about foreign software development

us of the 1999 warnings about the potential of malicious code in commercial software threatening Defense systems. The 1999 report concluded, “Malicious code, which would facilitate system intrusion, would be all but impossible to detect through testing, primarily because of software’s extreme and ever increasing complexity. … Increased functionality means increased vulnerability.” As Berwin notes, the latest warnings come with hard evidence that Defense systems already have been infiltrated. In his introductory letter for the 2007 report, Robert Lucky, the task force chairman and a former vice president of Telcordia Technologies (formerly Bell Labs), wrote: “Low level malicious technologies have been employed to successfully penetrate sensitive, unclassified DoD systems despite efforts by DoD to maintain information security and assurance.”

The board also reported that Defense faces a security threat from “foreign adversaries’ corruption of the supply chain. Commercial development processes make no guarantees about the purity (or lack of corruption) of the supply chain, nor could they reasonably do so. The overall opaqueness of the software development supply chain and the complexity of software itself make corruption hard to detect.” Defense faces “a difficult quandary in its software purchases in applying intelligent risk management, trading off the attractive economics of COTS and of custom code written offshore against the risks of encountering malware that could seriously jeopardize future defense missions,” the board concluded in the report. Current systems designs, assurance methodologies, acquisition procedures and knowledge of adversarial intentions “are inadequate to the threat.”

These concerns notwithstanding, the board task force recommended that Defense continue to “procure from, encourage, and leverage the largest possible global competitive marketplace consistent with national security.”

Realities of the marketplace dictate the globalization of information technology, which provides Defense with cost savings and market innovation, and the board pointed out that the greatest threat to Defense systems comes from custom code written for specific projects or programs, not COTS software packages from companies such as Microsoft. The board’s task force said Defense and the intelligence community need to develop policies and procedures to ensure the integrity of software used in critical information systems, but warned that “the problem of detecting vulnerabilities is deeply complex, and there is no silver bullet on the horizon.” Ensuring the integrity of code in complex Defense systems, such as the Army’s Future Combat Systems (FCS), which will use millions of lines of code to stitch together multiple battlefield systems, presents a particular challenge, according