DOD seeks greater software assurance
Globalization of software development raises concerns among national security officials
- By Josh Rogin
- Mar 26, 2007
Foreign Influence on Software (.pdf)
Does overseas software development pose a national security risk? A recent think tank report and a forthcoming Defense Department study suggest that the globalization of software development puts the United States at risk. Both reports call for new policies and procedures to mitigate potential threats from software containing malicious code.
At one time, DOD, the intelligence community and U.S. companies wrote almost all the software code for our national security infrastructure. But the globalization of the defense sector, DOD’s expanded use of commercial software and the growth in offshore outsourcing all increase the likelihood that the government will become dependent on software developed overseas.
“It’s a very serious problem for which there is no silver bullet,” said Bob Lucky, chairman of the Defense Science Board’s Task Force on Foreign Influence on
DOD asked the Defense Science Board in October 2005 to study the risks from overseas software development and suggest policy solutions. The science board task force will issue a report in April recommending policies for improving the security of software developed overseas.
Real-world examples of software manipulation by foreign entities are highly classified, which makes the risk posed by foreign influence difficult to calibrate. But the amount of code developed offshore is significant and growing, Lucky said.
The Center for Strategic and International Studies released a report earlier this month on foreign influence on software. It cites espionage, cyberattacks and malicious code as the main cyberthreats facing government and industry.
Both reports recommend new policies for strengthening software assurance and mitigating growing threats to software integrity.
Two steps the government could take to strengthen software assurance would be to gain greater awareness of the software supply chain and vet the companies doing software development, Lucky said.
The next step would be to test the code itself, which is difficult, Lucky said. Examining proprietary code protected by licensing agreements creates the risk of legal liability, but it is a necessary step, Lucky said.
The risk from foreign influences on software is greatest when software is written in countries that could be adversaries, he said.
“Location is one of the factors that could be considered, and I think it’s a fairly significant one,” Lucky said.
China, India and Russia have a high potential for added risk, Lucky said. But the science board report won’t identify any specific countries by name.
The CSIS report downplays the importance of location in assessing the risks of outsourcing software development. It concluded that choosing countries to blacklist would have no measurable security benefit and would likely spur retaliatory trade restrictions that would hurt the U.S. economy.
“The notion that the key metric would be geography alarmed everybody in the industry,” said Phil Bond, president of the Information Technology Association of America. ITAA staff members contributed ideas to the CSIS report.
Bond said any new software security policies should focus on how, not where, software is developed.
The CSIS report recommends improving software assurance processes and network security in the short term to defend against the threat of hidden malicious code. But as part of a long-term solution, it recommends that the United States invest more in IT development and education.
The number of U.S. companies using offshore software development grew 25 percent from 2003 to 2006, according to the CSIS report.
The Defense Science Board completed a related study in 2005 on the globalization of high-performance microchip supplies. That report concludes that the United States has lost the capacity to manufacture semiconductors. Without a trusted source of semiconductors, the United States faces alarming national security and economic risks, according to the report.
Industry experts say the risks from foreign influences on software are different from those posed by the United States’ dependence on foreign semiconductor manufacturers. The country still has the capacity to develop software.
But given the growing complexity of software and the increasingly global software development community, the United States and other countries can expect to face greater challenges to software security, said Prakash Ambegaonkar, chairman and chief executive officer of E-Lock Technologies.