
CYBERCON: Just because you bought software from a US company, that doesn’t mean all the code was written here, federal officials warned here this morning.

Software developers routinely subcontract work to foreign firms, download tools from open-source libraries, or just copy-and-paste lines of code from existing software – without checking who originally wrote what, or even understanding how it actually works.

The resulting rise of bugs and backdoors in recycled code is so worrying to the Pentagon that it’s developing tools to track down where software really came from.

“I hope to pilot something in FY ‘20,” said Michele Iversen, a former NSA and Army officer who’s now the director of risk assessment and operational integration for the Pentagon’s Chief Information Officer, Dana Deasy. That said, Iversen told reporters on the sidelines of the Fifth Domain CyberCon conference here, “we’re under a continuing resolution so everything is a little bit [unclear] when we get money.”

What Iversen is talking about is a “decision support tool.” In essence, she wants to buy software that tells you whether software you want to buy is trustworthy. So, the question is, who watches the watchmen? How do you ensure the vetting system is itself well-vetted?

“There’s a plethora of commercially available capabilities out there,” Iversen said. She and her staff spent a whole “market analysis day” recently meeting with potential vendors and still didn’t get to see everyone they wanted.

It turns out there’s a whole emerging industry of reputable private-sector companies with “amazing” capabilities to trace your supply chain down tier after tier to the smallest building blocks, Iversen said. Better yet, she added, these firms are doing this due diligence by combing through publicly available data, which anyone can cross-check, and which can be very revealing if you look in the right places – and which you can share freely across the Defense Department without violating any security regulations.

But these private-sector services aren’t free. “I have seen program offices buy some of these tools themselves,” Iversen said, and her office is working on pilot projects on supply chain security with multiple acquisition programs. But small acquisition efforts with limited budgets, manpower, and time – especially when they’re trying to move fast to acquire something constantly changing, such as software – can’t afford high-end vetting services on their own.

So Iversen’s idea, which is still evolving, is essentially for the Pentagon CIO shop to subscribe to one or more of the leading vetting services, then provide at least basic information on demand to all comers from across the Defense Department. Which services they’ll use is TBD – “obviously this will be a competitive bid,” Iversen said – but it’s more attractive to go with companies that charge you for each piece of software you want to vet, rather than for each user that gets the vetting information, because the Defense Department will have lots of users asking about the same programs.

The decision tool will focus on widely used, commercially available “commodity products” rather than customized software purpose-built for major programs, Iversen said. “When you’re doing something like purchase cards or doing simplified acquisitions, you can go to this service and be able to look up something and say, oh, Market Leader #1 has this provenance; Market Leader #2, here’s its provenance.”

“Then you can make those decisions ... do I want to take the risk?” Iversen said. Different programs can and should have different tolerances for risk, and even different functions within the same program will require different levels of security. If Russia or China gets into your travel-management app, for example, that’s bad, but not nearly as bad as them getting access to a satellite or nuclear weapons.

It’s essential to do a serious analysis of what’s really critical and sensitive rather than try to protect everything equally. Then, she said, acquisition officials can make well-informed decisions – and write high standards for supply chain security into their criteria for who wins a contract.
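The two ideas in this article that a practitioner can actually build on are the tier-by-tier trace of a product's building blocks and the risk-tolerance decision that follows it. The script below is an added illustration, not code from the Pentagon CIO's office or from any of the vendors Iversen refers to. It walks a small, constructed SBOM-like dependency map (the field names `origin`, `provenance_verified` and `deps` are assumptions for this example, not a real SBOM schema), assigns each component a supply-chain tier, lists components whose provenance is unverified or simply absent from the inventory, and then applies a per-criticality tolerance (the thresholds are illustrative) to reach an accept-or-reject decision of the kind the article describes.

```python
"""Trace a software supply chain tier by tier and apply a risk-tolerance policy.

Added example; the SBOM layout and tolerance values are constructed assumptions.
"""
from collections import deque

# Constructed sample inventory: component -> metadata. "tz-data" is referenced
# but deliberately absent, to show how a gap in the inventory is reported.
SAMPLE_SBOM = {
    "travel-app":    {"origin": "US",      "provenance_verified": True,  "deps": ["web-framework", "date-utils"]},
    "web-framework": {"origin": "US",      "provenance_verified": True,  "deps": ["http-parser", "template-lib"]},
    "http-parser":   {"origin": "unknown", "provenance_verified": False, "deps": []},
    "template-lib":  {"origin": "DE",      "provenance_verified": True,  "deps": ["string-utils"]},
    "string-utils":  {"origin": "unknown", "provenance_verified": False, "deps": []},
    "date-utils":    {"origin": "US",      "provenance_verified": True,  "deps": ["tz-data"]},
}

# Illustrative tolerance: how many unverified components a program of a given
# criticality will accept before the product is rejected outright.
TOLERANCE = {"low": 10, "moderate": 2, "high": 0}


def trace_tiers(sbom, root):
    """Breadth-first walk from the root product; returns {component: tier}.

    The root is tier 0, its direct dependencies tier 1, and so on. The visited
    check makes the walk safe on dependency graphs that contain cycles.
    """
    tiers = {root: 0}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        # A component missing from the inventory has no known dependencies.
        for dep in sbom.get(name, {}).get("deps", []):
            if dep not in tiers:
                tiers[dep] = tiers[name] + 1
                queue.append(dep)
    return tiers


def provenance_findings(sbom, root):
    """List (component, tier, reason) for every component that cannot be vouched for.

    Deepest tiers come first, because those are the building blocks a buyer is
    least likely to have looked at.
    """
    findings = []
    for name, tier in trace_tiers(sbom, root).items():
        meta = sbom.get(name)
        if meta is None:
            findings.append((name, tier, "missing from SBOM"))
        elif not meta["provenance_verified"]:
            findings.append((name, tier, f"origin {meta['origin']}, unverified"))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def decide(sbom, root, criticality):
    """Return (decision, findings) for a product under a given risk tolerance."""
    findings = provenance_findings(sbom, root)
    if not findings:
        return "accept", findings
    if len(findings) <= TOLERANCE[criticality]:
        return "accept-with-findings", findings
    return "reject", findings


if __name__ == "__main__":
    for criticality in ("low", "moderate", "high"):
        decision, findings = decide(SAMPLE_SBOM, "travel-app", criticality)
        print(f"{criticality:>8}: {decision}")
        for name, tier, reason in findings:
            print(f"          tier {tier}: {name} ({reason})")
```

The same product gets three different answers depending on the criticality it is bought for, which is the point Iversen makes about travel apps versus satellites: the trace is the same, the tolerance is not. In practice the inventory would come from a generated SBOM and the `provenance_verified` flag from the kind of public-data cross-checking the article describes, not from hand-entered values.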