Auditors warn of foreign risks to weapons software

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with malicious code or a Trojan horse.

"Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more difficult and more costly to test every line of code. Although DOD has several software tests through which an application must pass, the possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions," the report said.

Outsourcing software development has been a hot-button topic for more than five years, as vendors are forced to balance the cost savings with the potential security risks. A section in the House version of the 2005 Defense authorization bill offers up to $50 million in grants to DOD contractors to develop strategies to avoid outsourcing jobs, including technology development.
