Auditors warn of foreign risks to weapons software

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with a malicious code or a Trojan horse, the report said.

"Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more difficult and more costly to test every line of code. Although DOD has several software tests through which an application must pass, the possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions," the report said.

Outsourcing software development has been a hot-button topic for more than five years, as vendors are forced to balance the cost savings with the potential security risks. A section in the House version of the 2005 Defense authorization bill offers up to $50 million in grants to DOD contractors to develop strategies to avoid outsourcing jobs, including technology development.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.