Auditors warn of foreign risks to weapons software

The Defense Department's control of the source of weapons software came under fire today in a report issued by the General Accounting Office, which said overseas production of software creates an unacceptable security environment.

"DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software," auditors wrote in the report. "The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers."

The report said military officials recently adopted initiatives that could curb the threat, but they have not yet implemented the initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the potential ramifications should an enemy infect software with a malicious code or a Trojan horse, the report said.

"Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more difficult and more costly to test every line of code. Although DOD has several software tests through which an application must pass, the possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions," the report said.

Outsourcing software development has been a hot-button topic for more than five years, as vendors are forced to balance the cost savings with the potential security risks. A section in the House version of the 2005 Defense authorization bill offers up to $50 million in grants to DOD contractors to develop strategies to avoid outsourcing jobs, including technology development.