
Software Outsourcing Insecurity?

According to a report in ComputerWorld, the Defense Science Board (of which TRC’s CEO/President is a member) will issue a report early in 2007 that will warn the Department of Defense (DoD) about the threat posed by software developed overseas. The Defense Science Board believes that the threat from software outsourcing is exacerbated by three factors.

First, as systems become more complex, it will be easier for adversaries to insert malicious code or backdoors into software produced for the DoD.

Second, as systems become more connected, an infection in one system will be able to cause more damage via its connection to other systems.

Third, the globalization of the software industry increases the likelihood that software procured by the DoD will be developed overseas.

These conclusions match some of the conclusions drawn by a May 2004 Government Accountability Office (GAO) report that stated that the DoD was potentially vulnerable to software developed by foreign companies.

Is Outsourcing Really a Threat?

The insertion of malicious code into software used by DoD is a concern because it may allow an adversary to steal, manipulate, or deny access to sensitive information. However, the DoD need not focus too much attention on the possibility that a terrorist group or hostile nation-state will insert a cadre of IT professionals into an overseas software development company responsible for producing code for the US military. Frankly, this type of scenario is likely too cumbersome for a terrorist group or a hostile nation-state. Rather, a hostile actor is better served, and may see results more quickly, by simply creating exploits for the never-ending stream of vulnerabilities that exist in today's commercial off-the-shelf software. Unfortunately, much of the commercial software produced today is unintentionally riddled with vulnerabilities that hostile actors already exploit. For example, according to Websense, a software security vendor, 2006 has seen more zero-day exploits than any previous year.

Case Study: Titan Rain

The ongoing "Titan Rain" (WAR Report) attacks offer a good case in point. "Titan Rain" is the US government's official designation for a series of seemingly coordinated cyber attacks on US military and defense contractor computer networks. Many of the attacks were traced to Guangdong province of China. Security professionals believe these attacks are a coordinated espionage campaign by the Chinese government. "Of course, it's the [Chinese] government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," said SANS director Allan Paller.

While targeting the software that runs critical infrastructure holds the potential to carry out a crippling and destructive attack, installing a Trojan into standard commercial software is equally dangerous, as it allows a malicious actor to gather important intelligence on an adversary. This intelligence can be used for a multitude of nefarious purposes. It is, therefore, curious that extra attention is paid to the threat of a terrorist group or hostile nation-state inserting malicious code into software when there are already pre-existing vulnerabilities in popular commercial software. Accordingly, the security community would be better served by first fixing the multitude of vulnerabilities in commonly used commercial software before spending valuable resources on the remote possibility of hostile actors inserting malicious code into software responsible for the administration of components of the nation's critical infrastructure.
