Auditors warn of foreign risks to weapons software

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with a malicious code or a Trojan horse, the report said.

"Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more difficult and more costly to test every line of code. Although DOD has several software tests through which an application must pass, the possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions," the report said.

Outsourcing software development has been a hot-button topic for more than five years, as vendors are forced to balance the cost savings with the potential security risks. A section in the House version of the 2005 Defense authorization bill offers up to $50 million in grants to DOD contractors to develop strategies to avoid outsourcing jobs, including technology development.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.