
Monday, November 27, 2006

DOD Report to Detail Dangers of Foreign Software

Task force says U.S. adversaries may sabotage code developed overseas
By Gary Anthes
November 27, 2006

A U.S. Department of Defense task force early next year plans to warn the Pentagon of a growing threat to national security from adversaries who could insert malicious code in software developed overseas.

The Defense Science Board, a military/civilian think tank within the DOD, will issue a report that calls for a variety of prevention and detection measures but stops short of recommending that all software procured by the military be written in the U.S., said the head of the task force that has been studying the so-called foreign influence issue.

The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces (the greater complexity of systems, their increased connectivity and the globalization of the software industry) have combined to make the malware threat increasingly acute for the DOD.

“This is a very big deal,” said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. “The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function.”

Robert Lucky, the chairman of the DSB task force, said this month that all the code the DOD procures is at risk, from business software to so-called mission software that supports war-fighting efforts.

“The problem is we have a strategy now for net-centric warfare: everything is connected. And if the adversary is inside your network, you are totally vulnerable,” said Lucky, who is an independent IT consultant and engineer.

The private sector faces similar threats and has already begun to adopt some of the practices the DSB is likely to recommend to the Pentagon, said John Pescatore, an information security analyst at Gartner Inc. The same risks also apply to software developed in the U.S., he added.

“This is a major concern, but not just when it goes offshore,” Pescatore said. He called the focus on offshore developers “xenophobia” but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.

Lucky agreed that a risk exists with U.S.-developed software but said it is greater when code is written overseas. The goal for users should be to make informed trade-offs between the level of risk and the economics of developing software, he said. For example, malware risks could be greatly reduced by having only people with U.S. security clearances write software, but that would boost software development costs by three to 10 times, according to Lucky.

The DSB task force, which was commissioned by the Pentagon in October 2005, has been deliberating in secret. However, its report will be unclassified and is scheduled to be made available to the public soon after the first of the year.

Protective Measures

Lucky declined to comment on what the task force will recommend. But in response to industry fears he said that it won’t call for all of the software used by the DOD to be developed in the U.S.

Meanwhile, he cited the following measures as worthwhile protective steps:

* Requiring peer reviews in which multiple programmers review code and test results. However, that increases development costs, Lucky noted.
* Running scan tools that look for dangerous code hidden in software. But they’re imperfect, Lucky said. “They can’t find everything.”
* Enforcing industry standards that can contribute to quality software code, for example, the Common Criteria standards, officially known as ISO 15408, for evaluating information security.

“It’s almost an insolvable problem to think you can find all the possible problems with code,” Lucky said. “What you can do, though, is raise the bar. Through inspection and testing and so forth, you can eliminate a certain percentage of problems.”

A spokesman for the DOD said it couldn’t comment on the upcoming report last week. The report was requested by Kenneth Krieg, undersecretary of defense for acquisition, technology and logistics, who wrote in a memo last year that the DOD needed a better understanding of how much “foreign-influenced” software is embedded in its systems and the risks the military would face if code were compromised.

Ira Winkler, author of the book Spies Among Us (Wiley, 2005), a former analyst at the National Security Agency and a Computerworld columnist, said that the kinds of measures outlined by Lucky may be useful but that there is a much more obvious step.

“If there is one line of code written overseas, that’s one line too many,” Winkler said. “Developing it in the U.S. is not perfect, but we are talking about an exponential increase in risk by moving it overseas.”

Winkler said the U.S. government typically buys systems that bundle the hardware, an operating system, a database and other components in addition to the application code. “You can put back doors and Trojans in any layer of that environment, not just in the custom code,” he warned.

Indeed, the upcoming report is a follow-on to one released last year that detailed the risks of procuring microchips from foreign suppliers. The DSB called that practice “directly contrary to the best interest of the DOD” and wrote that “opportunities for adversaries to clandestinely manipulate technology used in critical U.S. microelectronics applications are enormous and increasing.”

However, the “buy American” solution isn’t as simple as it once would have been. With the globalization of the IT industry, many U.S. software vendors have set up overseas operations, and many have citizens of other countries working for them in the U.S. In addition, some software is based on integrated sets of components that are developed in different countries and would be difficult to tease apart if a U.S.-only procurement policy were adopted.

Phillip Bond, president of the Information Technology Association of America, said he expects the DSB task force to recommend that the Pentagon assign varying risk levels to software, with different procurement rules for each level.

“The danger would be if they deem too risky most commercial software, because in almost any software, there is some piece, some lines of code, written somewhere else around the world,” he said.

Bond said the ITAA has commissioned the Center for Strategic and International Studies in Washington to conduct its own examination of the risks posed by overseas software development. The ITAA expects that study to be completed at about the same time the DSB issues its report.

Pescatore recommended that the DOD and other users deploy tools that scan software for vulnerabilities and perform fuzz testing, in which programs are deluged with streams of random data intended to evoke every possible response they can make.

But no single measure is likely to completely safeguard software, Lucky cautioned. “There are very clever things that can be done,” he said. “And we’re talking about complexity that boggles the mind. It’s so enormous that no one can truly understand a program with millions of lines of source code.”


Posted by Elvis on 11/27/06 •