DOD Report to Detail Dangers of Foreign Software
Task force says U.S. adversaries may sabotage code developed overseas
November 27, 2006 12:00 PM ETComputerworld -
A U.S. Department of Defense task force early next year plans to warn the Pentagon of a growing threat to national security from adversaries who could insert malicious code in software developed overseas.
The Defense Science Board, a military/civilian think tank within the DOD, will issue a report that calls for a variety of prevention and detection measures but stops short of recommending that all software procured by the military be written in the U.S., said the head of the task force that has been studying the so-called foreign influence issue.
The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD.
"This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

Robert Lucky, chairman, Defense Science Board task force
“The problem is we have a strategy now for net-centric warfare — everything is connected. And if the adversary is inside your network, you are totally vulnerable,” said Lucky, who is an independent IT consultant and engineer.
The private sector faces similar threats and has already begun to adopt some of the practices the DSB is likely to recommend to the Pentagon, said John Pescatore, an information security analyst at Gartner Inc. The same risks also apply to software developed in the U.S., he added.
“This is a major concern, but not just when it goes offshore,” Pescatore said. He called the focus on offshore developers “xenophobia” but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.
Lucky agreed that a risk exists with U.S.-developed software but said it is greater when code is written overseas. The goal for users should be to make informed trade-offs between the level of risk and the economics of developing software, he said. For example, malware risks could be greatly reduced by having only people with U.S. security clearances write software, but that would boost software development costs by three to 10 times, according to Lucky.
DOD
Additional Resources



White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

