Mission Impact of Foreign Influence on DoD Software

From Cybersecurity Wiki

Full Title of Reference

Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software

Full Citation

Def. Science Board Task Force, Dep't of Def., Mission Impact of Foreign Influence on DOD Software (2007). Web

BibTeX

Categorization

Overview: Government Reports

Threats and Actors: Government Networks (.gov); Military Networks (.mil); States; Terrorists

Issues: Cyberwar; Espionage; Supply Chain Issues

Key Words

Synopsis

Software has become the central ingredient of the information age, increasing productivity, facilitating the storage and transfer of information, and enabling functionality in almost every realm of human endeavor. However, as it improves the Department of Defense's (DoD) capability, it increases DoD's dependency. Each year the Department of Defense depends more on software for its administration and for the planning and execution of its missions. This growing dependency is a source of weakness exacerbated by the mounting size, complexity and interconnectedness of its software programs. It is only a matter of time before an adversary exploits this weakness at a critical moment in history.

The software industry has become increasingly and irrevocably global. Much of the code is now written outside the United States (U.S.), some in countries that may have interests inimical to those of the United States. The combination of DoD's profound and growing dependence upon software and the expanding opportunity for adversaries to introduce malicious code into this software has led to a growing risk to the Nation's defense.

A previous report of the Defense Science Board, "High Performance Microchip Supply", discussed a parallel evolution of the microchip industry and its potential impact on U.S. defense capabilities. The parallel is not exact because the microchip fabrication business requires increasingly large capital formation - a considerable barrier to entry by a lesser nation-state. Software development and production, by contrast, has a low investment threshold. It requires only talented people, who increasingly are found outside the United States.

The task force on microchip supply identified two areas of risk in the off-shoring of fabrication facilities - that the U.S. could be denied access to the supply of chips and that there could be malicious modifications in these chips. Because software is so easily reproduced, the former risk is small. The latter risk of "malware," however, is serious. It is this risk that is discussed at length in this report.

Software that the Defense Department acquires has been loosely categorized as:

  • Commodity products - referred to as "commercial-off-the-shelf" (COTS) software;
  • General software developed by or for the U.S. Government - referred to as "Government-off-the-shelf" (GOTS) software; and
  • Custom software - generally created for unique defense applications.

The U.S. Government is obviously attracted by the first, COTS. It is produced for and sold in a highly competitive marketplace, and its development costs are amortized across a large base of consumers. Its functionality continually expands in response to competitive market demands. It is, in a word, a bargain, but it is also most likely to be produced offshore, and so presents the greater threat of malicious modification.

There are two distinct kinds of vulnerabilities in software. The first is the common "bug", an unintentional defect or weakness in the code that opens the door to opportunistic exploitation. The Department of Defense shares these vulnerabilities with all users. However, certain users are "high value targets", such as the financial sector and the Department of Defense. These high-value targets attract the "high-end" attackers. Moreover, the DoD also may be presumed to attract the most skilled and best financed attackers - a nation-state adversary or its proxy. These high-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. Furthermore, they may seek to implant vulnerability for later exploitation. It is bad enough that this can be done remotely in the inter-networked world, but worse when the malefactors are in DoD's supply chain and are loyal to and working for an adversary nation-state - especially a nation-state that is producing the software that the U.S. Government needs. The problem is serious, indeed. Such exploitable vulnerabilities may lie undetected until it is too late.

Unlike previous critical defense technologies which gave the U.S. an edge in the past, such as stealth, the strategic defense initiative, or nuclear weaponry, the U.S. is protected neither by technological secrets nor a high barrier of economic cost. Moreover, the consequences to U.S. defense capabilities could be even more severe than realized. Because of the high degree of interconnectedness of defense systems, penetration of one application could compromise many others.

In a perfect world there would be some automated means for detecting malicious code. Unfortunately, no such capability exists, and the trend is moving inexorably further from it as software becomes ever more complex and adversaries more skilled. Even if malicious code were discovered in advance, attributing it to a specific actor and/or knowing the intent of the actor may be problematic. Malicious code can resemble ordinary coding mistakes and malicious intent may be plausibly denied. The inability to hold an individual accountable weakens deterrence mechanisms, such as the threat of criminal charges, or even separation of the individual or entity from the supply chain.

Task Force Conclusion

The Department of Defense faces a difficult quandary in its software purchases in applying intelligent risk management, trading off the attractive economics of COTS and of custom code written off-shore against the risks of encountering malware that could seriously jeopardize future defense missions. The current systems designs, assurance methodologies, acquisition procedures, and knowledge of adversarial capabilities and intentions are inadequate to the magnitude of the threat.

Additional Notes and Highlights