Feds must get serious about checking commercial software for threats

Agencies must develop methods to make sure the commercial software they purchase isn't secretly loaded with viruses that could expose sensitive information stored on government networks, federal and industry technologists said on Tuesday.

In the last decade, agencies have migrated from writing their own software programs to purchasing more commercial off-the-shelf software. COTS can be deployed quickly, typically costs less, and is easier to integrate with other computer applications.

But relying more on commercial products also increases vulnerabilities to cyberattacks.

"The risk is that our systems have essentially been subverted through the sourcing of the systems themselves," as products are acquired from developers and resellers from around the globe and deployed onto critical computer networks, said Mitchell Komaroff, assistant secretary of Defense for networks and information integration. He also is director of Defense's Globalization Task Force, which was formed in 1999 to address risks associated with the worldwide telecom and information technology markets.

"The environment where systems can come under attack is a full life-cycle problem," said Komaroff, who participated on a panel at the Symantec Government Symposium in Washington. "[Agencies] need to look at life-cycle approaches to managing the full collection of risks in the face of a sophisticated threat."

In its Cyberspace Policy Review released May 29, the White House said the incoming cybersecurity chief should define procurement strategies that create market incentives for vendors to integrate information security into their product development process and work with industry to identify best practices for managing risk.

In September 2008, the Homeland Security Department and Defense launched the Enduring Security Framework, a joint effort to "engage U.S.-based global companies to consider standards of practice for a secure supply chain, whether for software development, hardware manufacturing, employee vetting, or any other touch points along the production and distribution process," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration, in an interview with Nextgov.

"Any federal agencies that are buying technology from contractors or equipment vendors need assurances that those products don't phone home or inject corrupt code when they're plugged into federal networks," said Garcia, who founded the information security consulting firm Garcia Strategies.

The risk is more extensive than many agencies realize, said Jim Flyzik, president of the Flyzik Group, a government consulting firm and an adviser to former Homeland Security Secretary Tom Ridge.

"When we were looking to secure Treasury, we tried to identify who we relied upon to meet our mission objectives," said Flyzik, a former chief information officer at the Treasury Department. "There were thousands of entities, all interconnected. Any weak leak could potentially have devastating impacts."

To control risk, agencies must identify which parts of computer systems are highly sensitive and apply stricter security controls to prevent malicious code from being installed. The focus should be less on the risks associated with where the products come from and more on the sensitivity of the computer systems where the products will be installed.

"We're hobbled by the fact that software is just a little too easy," said Jack Danahy, chief technology officer of Ounce Labs, a software vendor that specializes in source code analysis. The smallest manipulation of code can introduce a multitude of vulnerabilities.

Agencies "have to be more responsible, a little more careful," he said. "Each one of these products should be vetted for what it's going to do, because regardless of postmark, you can't be certain."

Defense is working with technology companies and the International Organization for Standardization to develop guidelines commercial companies can follow to better manage risk. "Given the sheer complexity of integrated [software], we're not going to be able to test our way out of it," Komaroff said. "It is going to require a multidimensional solution."