Defense panel worries about foreign software development

to an appendix to the board report. About twenty-seven million lines of source code used in FCS are either COTS code or open source. Note that the FCS program office has determined there is a “low-to-moderate risk that malicious code could be inserted into the FCS Master Software Baseline and exploited,” but, the report added, the Army has decided to handle the problem of potentially malicious code by assuming that the “profit motive will assure clean code in ‘shrink wrapped’ [consumer] software.”

Berwin writes that the Army also has decided to accept foreign software for areas not critical to the performance of the FCS System of Systems Common Operating Environment, according to the report, and plans to make blind buys of software so the vendor does not know it has been purchased for use in FCS. The report said the Army has no automated tools that can detect all malicious code and line-by-line inspection in FCS is not feasible. Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, D.C., said the only reason the Army is not conducting line-by-line inspection of code is because Boeing, the FCS lead systems integrator, “doesn’t want to do it, and the Army doesn’t want to have to pay them to do it. “For the Army to say it is not feasible is nonsense,” said Coyle, who served as assistant secretary of defense and director of its operational test and evaluation office from 1994 to 2001. “Of course it’s feasible. Tedious? Yes, but they’re going to have to do it eventually when problems develop in FCS software that was assembled from a wide variety of sources that turn out not to work effectively together in the overall system-of-systems.” Coyle added, “Boeing will need to examine supplier source codes from the start. Waiting until U.S. soldiers on the battlefield can prove that a supplier has failed will be too late.” Boeing officials declined to answer a query about inspecting FCS software code, deferring to the Army due to the “sensitivity” of the issue.

Ed Hammersla, chief operating officer of Trusted Computer Solutions in Herndon, Virginia, which supplies software used across Defense and the intelligence community, said automated tools can help the Army examine its FCS software. In addition, he said, TCS writes all its code in the U.S. and makes a profit. The board report said the ability to examine COTS software source code would be a big help in detection of malware, but pointed out that such an approach would be expensive and could pose a risk a vendor’s intellectual property. The board’s task force also recommended that Defense gain insight into the processes vendors use to develop COTS software so it has meaningful assurance that software code isn’t being tampered with. The board called for a product evaluation regime that is capable of reviewing vendor development processes and rendering a judgment about the ability of the vendor to produce secure software. The report also said the department must assess the tools vendors use to identify vulnerabilities and allow Defense personnel to interview developers.

Scott Charney, Microsoft corporate vice president, says developing and using processes such as Microsoft’s Security Development Lifecycle (SDL) policies and tools to reduce software vulnerability underscore the fact that software security has less to do with where it is written than how it is written. “Both secure and less secure software can be written anywhere,” he said. “Because the goal is to produce more secure software, it is critically important that vendors leverage the best talent available and that talent may be located both inside and outside the United States.” ITAA’s Bond agreed that Defense needs more insight into software vendors’ development processes, but not to the extent that impedes the ability of software vendors to innovate. Bond said any risks inherent in offshore development need to be balanced against global software innovations, which have “tremendously improved” U.S. warfighting capabilities.