Defense panel worries about foreign software development

Here is an interesting, and thought-provoking, report from Govexec’s Bob Berwin: Software developed in foreign countries and used by the Defense Department and other agencies pose serious risks for federal information systems, as these systems may be hacked and compromised, according to a recent report issued by Defense’s top advisory board. The report, released last month by a Defense Science Board task force, warns that “globalization of software development where some … U.S. adversaries are writing the code that … [Defense] will depend upon in war creates a rich opportunity to damage or destroy elements of the [U.S.] warfighter’s capability.” The U.S. Department of Defense relies heavily on commercial off-the-shelf (COTS) and custom-built software developed in countries such as India, China, and Russia. The government believes this allows government departments to take advantage of the latest advances designed for global markets rather than relying solely on U.S. developers. The task force’s report, “Mission Impact of Foreign Influence on DoD Software,” concluded, however, that relying on software developed in other countries “presents an opportunity for threat agents to attack the confidentiality, integrity and availability of operating systems, middleware and applications that are essential to operations of U.S. government information systems and the DoD.” The report emphasized that “the most direct threat is foreign corruption of software: insertion by the developer of malware, backdoors and other intentional flaws that can later by exploited.”

The fear that software developed in foreign countries and which U.S. government agencies use in information systems may contain backdoors or programs which allow hackers to steal information or take down systems is not new. In the late 1990s, for example, there were similar worries when federal agencies hired foreign contractors to rewrite code to keep systems from malfunctioning when the date changed to the year 2000. Berwin writes that the Defense Science Board report is the first formal acknowledgment since 1999 at the top levels within Defense that such a security risk exists and highlights the seriousness of that risk. A 1999 Defense Science Board task force report titled “Globalization and Security” stated, “DoD’s necessary, inevitable and ever increasing reliance on commercial software — often developed offshore by software engineers who have little, if any allegiance to the United States — is likely amplifying DoD vulnerability to information operations against all such systems incorporating such software.

The 2007 task force report should remind