
DOD Report to Detail Dangers of Foreign Software

Task force says U.S. adversaries may sabotage code developed overseas

November 27, 2006 12:00 PM ET

Computerworld - A U.S. Department of Defense task force early next year plans to warn the Pentagon of a growing threat to national security from adversaries who could insert malicious code in software developed overseas.

The Defense Science Board, a military/civilian think tank within the DOD, will issue a report that calls for a variety of prevention and detection measures but stops short of recommending that all software procured by the military be written in the U.S., said the head of the task force that has been studying the so-called foreign influence issue.

The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD.

"This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

Robert Lucky, chairman, Defense Science Board task force
Robert Lucky, the chairman of the DSB task force, said this month that all the code the DOD procures is at risk, from business software to so-called mission software that supports war-fighting efforts.

“The problem is we have a strategy now for net-centric warfare — everything is connected. And if the adversary is inside your network, you are totally vulnerable,” said Lucky, who is an independent IT consultant and engineer.

The private sector faces similar threats and has already begun to adopt some of the practices the DSB is likely to recommend to the Pentagon, said John Pescatore, an information security analyst at Gartner Inc. The same risks also apply to software developed in the U.S., he added.

“This is a major concern, but not just when it goes offshore,” Pescatore said. He called the focus on offshore developers “xenophobia” but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.

Lucky agreed that a risk exists with U.S.-developed software but said it is greater when code is written overseas. The goal for users should be to make informed trade-offs between the level of risk and the economics of developing software, he said. For example, malware risks could be greatly reduced by having only people with U.S. security clearances write software, but that would boost software development costs by three to 10 times, according to Lucky.

