By Cheryl Gerber
Military Information Technology
Volume: 12 Issue: 2
Feb 28, 2008
Although the global outsourcing of software development and the
expanding use of commercial software have lowered the cost and often
improved the quality of software, these practices have also raised the rate
of malicious code attacks. That has created a potential national
security risk that the Department of Defense and a number of companies
are battling with multiple technologies.
Two reports last year corroborated the nature of the risk and made
recommendations to mitigate it. In March 2007, the Center for Strategic
and International Studies (CSIS) issued a report citing malicious code,
cyber-attacks and espionage as top threats facing the DoD and defense
industry today, resulting primarily from software developed overseas,
and to a lesser extent, from the global use of commercial software. The
report also contended, however, that new software security policies
ought to focus more on how, rather than where, software is developed.
In September, the report of the Defense Science Board Task Force,
entitled, Mission Impact of Foreign Influence on DoD Software, came to
similar conclusions and proposed processes and strategies to reduce the
Both reports recommended new policies for improving software assurance
and network integrity. The CSIS report noted that the number of U.S.
companies outsourcing software development overseas had grown 25 percent
from 2003 to 2006.
The DSB report warned that the risk of software supply chain exploits
will escalate as adversaries gain more access through global
outsourcing. It distinguished between the risks in COTS software and the
higher risks in mission-critical custom software, pointing out that while COTS
development environments are more porous to attack than DoD
custom development environments, subversion of the latter is more likely
to achieve adversarial objectives.
Hundreds of millions of people look at commercial code, such as Windows,
whereas critical custom code does not receive that daily scrutiny and does
not have as many eyeballs on it, rendering it more vulnerable, pointed
out Dr. Robert Lucky, chairman of the DSB task force that wrote the
Security software experts agree that when it comes to vetting software,
the larger the talent pool, the better the result. "You want to make
algorithms public because they can't be trusted unless they are, and you
get enormous benefit from the public attacking it," said Dan Geer, chief
scientist and vice president of Verdasys, a security software firm.
Concurrently, opponents wielding malicious code have grown more
sophisticated. "This is no longer hobbyists doing it for fun and games.
It's playing for keeps. The skill level is increasing. Now it's a job paid
for out of revenue," said Geer. "Instead of trying to put a mole in the
CIA, they try to put a mole in software."
As such, cyber-attacks are now more devious and focused. "They're getting
good enough at it that they now favor stealth over persistence. Many
attacks are now targeted, not blanketed, shot-in-the-dark viruses," said