Congress Can Help Pentagon Secure The Vulnerable Software “Supply Chain”


Ten years ago, after the Senate Armed Services Committee warned that military supply chains were deluged with counterfeit parts, the Pentagon began to force contractors to account for the source of all the various widgets and chips they used to build military equipment.  

That burst of Congressional interest led, in time, to improvements. Although the system in place today is far from perfect, contractors are beginning to use a range of sophisticated incentives, protocols and databases, all to validate the integrity of their supply chains. But technology has evolved over the past decade, and now, it is the software, rather than just the hardware, that dominates. If the software fails, the mission fails too. 

Congress can do more to focus on securing the Pentagon’s software “supply chain”. But a new report is not needed; the warnings have already been published. In January 2021, Robert F. Behler, the Director of Operational Test and Evaluation, noted in his Annual Report for Fiscal Year 2020 that “62 percent of test plans noted cybersecurity testing limitations,” and warned, “our ability to assess and protect software, though improving, is not keeping pace with our reliance on it or our adversaries’ ability to compromise it.”

The challenge is that software, unlike hardware, is far harder to secure. As a “living” entity that is constantly updated and tweaked, software cannot be secured simply by inspecting its source once. Just as pilots constantly monitor fuel status, real-time measures of the stability and integrity of mission-critical software are becoming just as important.

Don’t Wait For Another Report

America has little time to dither. After the Cold War, as the Pentagon pressed to employ lower-cost commercial-off-the-shelf solutions, Chinese organizations wasted no time in interpreting and exploiting the Pentagon’s requirements. Sensing an opportunity, a number of Chinese companies started salvaging and repurposing old electronics, sending the refurbished gear back to Pentagon suppliers. The only problem was that the recycled parts were usually relabeled, sold as brand new, “genuine” components ready for mission-critical systems. 

By 2011, the problem was so pervasive that Congressional researchers identified some 1,800 cases where counterfeit parts were used aboard Navy helicopters, surveillance aircraft and Air Force planes. The Senate’s concerns were re-emphasized two years later, after a Navy subcontractor was arrested for sending the U.S. government counterfeit parts for use in submarines. 

In response to those threats, and to the additional money unreliable counterfeit parts were costing the U.S. military in accelerated maintenance, Pentagon contracting rules were changed. Government contractors were forced to source parts back to the original manufacturer or dealer, documenting their supply chains, or to test those parts that could not be adequately identified as genuine, tested components.

But the focus was solely on hardware. Software and electronic firmware were left out, even as cybersecurity has become an increasingly critical concern and a part of the larger national security discussion. The software that backs these parts is likely just as compromised by dubious code, generated less by make-a-buck mom-and-pop e-waste recyclers than by centralized planners systematically building out backdoors meant to interfere with, degrade and destroy gear just when America needs it most. The old-school hardware-based compliance framework, in which risk and fiscal penalties for supply chain verification failures are devolved from the prime contractor down to subcontractors, may no longer be sufficient for software-based threats to the Pentagon’s supply chain.

Software is a growing peril. “In most cases prime vendors and government customers don’t know what’s inside the boxes and switches or lines of code they are purchasing,” says Peter Kassabov, co-founder and Chairman of Fortress Information Security. With years of experience in securing critical infrastructure and helping the energy sector to identify suspect foreign hardware and risky software, Kassabov knows the risk. 

For the national security sector, Kassabov and other leaders in the supply-chain security business worry that fears of lost profit or over-optimism based on early progress have lulled the defense sector into a false sense of security. “We need leadership across government and industry now more than ever—top-down scrutiny, public-private partnerships and, if needed, accountability—across both hardware and software purchases and updates.” 

Fortress and other cybersecurity companies are encouraging Congress to consider holding software purveyors to an accountability framework similar to the one used to ensure hardware accountability. Making software developers responsible for the overall security of their products is one step, while breaking software down into more easily verifiable “components” is another. Ultimately, with better software screening, bad actors or bad code would be more easily identified and subsequently avoided.
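To make the “verifiable components” idea concrete, and to show the kind of check that could be re-run continuously in the sense of the earlier point about real-time integrity measures, here is an added illustration that is not part of the article and not code from Fortress Information Security or any Pentagon program. It applies the hardware rule described above (trace each part to a named supplier, and test what cannot be traced) to software: a hypothetical, SBOM-style manifest lists each component with its supplier and the digest the supplier attested for the approved build, and the check compares that manifest against the bytes actually delivered. Component names, suppliers and file contents are all constructed for the example.

```python
"""Component-level integrity check against a supplier-attested manifest.

Added example (hypothetical manifest format and constructed data); it is not
code from the article, from Fortress Information Security, or from any
Pentagon program.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a component's delivered bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ManifestEntry:
    """One line of a (hypothetical) SBOM-style manifest.

    supplier: who attested the component (the software analogue of the
              "original manufacturer or dealer" in the hardware rules).
    sha256:   digest of the approved build, as attested by that supplier.
    Either may be missing, which is itself a finding.
    """
    name: str
    version: str
    supplier: Optional[str]
    sha256: Optional[str]


# Constructed sample of what was actually delivered: component name -> bytes.
# "debug-agent" deliberately appears here but not in the manifest.
SHIPPED_COMPONENTS: Dict[str, bytes] = {
    "flight-telemetry-lib": b"telemetry v2.1 (constructed sample bytes)",
    "crypto-shim": b"crypto-shim v0.9 (constructed, differs from approved build)",
    "ui-widgets": b"ui-widgets v4.0 (constructed sample bytes)",
    "debug-agent": b"debug-agent (constructed, never listed in the manifest)",
}

# Constructed manifest. The crypto-shim digest is for the *approved* build,
# which is not what shipped; ui-widgets has no supplier and no digest at all.
MANIFEST: List[ManifestEntry] = [
    ManifestEntry("flight-telemetry-lib", "2.1", "Example Avionics Corp (hypothetical)",
                  sha256_hex(b"telemetry v2.1 (constructed sample bytes)")),
    ManifestEntry("crypto-shim", "0.9", "Example Crypto LLC (hypothetical)",
                  sha256_hex(b"crypto-shim v0.9 (approved build, constructed)")),
    ManifestEntry("ui-widgets", "4.0", None, None),
]


def verify_components(manifest: List[ManifestEntry],
                      shipped: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every component the way the hardware rules classify parts.

    ok:          listed, attributed to a supplier, and bytes match the digest.
    mismatch:    listed with a digest, but missing or not matching (needs
                 quarantine and testing before use).
    unaccounted: listed but with no supplier or no digest, so it cannot be
                 traced back to an origin (the "test it or reject it" case).
    unlisted:    delivered but absent from the manifest entirely.
    """
    findings: Dict[str, List[str]] = {
        "ok": [], "mismatch": [], "unaccounted": [], "unlisted": []}
    listed = set()
    for entry in manifest:
        listed.add(entry.name)
        if entry.supplier is None or entry.sha256 is None:
            findings["unaccounted"].append(entry.name)
            continue
        data = shipped.get(entry.name)
        if data is None or sha256_hex(data) != entry.sha256:
            findings["mismatch"].append(entry.name)
        else:
            findings["ok"].append(entry.name)
    # Anything delivered that no manifest line vouches for is a finding too.
    for name in shipped:
        if name not in listed:
            findings["unlisted"].append(name)
    return findings


def acceptable(findings: Dict[str, List[str]]) -> bool:
    """A delivery passes only if every component is listed, traced, and intact."""
    return not (findings["mismatch"] or findings["unaccounted"] or findings["unlisted"])


if __name__ == "__main__":
    report = verify_components(MANIFEST, SHIPPED_COMPONENTS)
    for category, names in report.items():
        print(f"{category:12s} {', '.join(names) or '-'}")
    print("delivery acceptable:", acceptable(report))
```

Re-running `verify_components` on a schedule against the deployed files, rather than once at acceptance, is the software counterpart of the fuel-gauge monitoring the article describes: a component that passed yesterday and shows as `mismatch` today has changed without a corresponding manifest update.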

Time Is Already Short

To start controlling the problem of counterfeit parts, the Pentagon needed more than five years to develop and enact new procurement regulations. Today, far less time is available. Not only are tensions higher and the risk of conventional conflict increasing, but cyber-meddling in civil and military systems is becoming an accepted tool in international relations. 

With software becoming a battlefield, it may well be irresponsible to have certain foreign-sourced code enmeshed in computing systems. Software with Russian, Chinese or other characteristic patterns may be at risk of blowback as more and more entities start to engage in their own efforts to exploit or degrade rivals. For example, a relatively limited effort to degrade militarily critical supervisory control and data acquisition systems in, say, Iran, might also accidentally end up degrading critical civilian pumping systems half a world away. Efforts to continuously monitor and test software can help identify and prevent the emergent operational risks posed by more active cyber competition among both rivals and friends.

Conveying the cyber threat is a constant challenge. Computer code is abstract. In the past, government staffers could place orders for counterfeit gear and show that equipment to skeptical decision-makers. Cyber does not make for a good visual. Much of it is also proprietary or highly classified, making policy discussions even more difficult. But when Dr. Raymond O’Toole, the Acting Director of Operational Test and Evaluation, appeared before Congress in April 2021 to note that, of all the programs DOT&E assessed in FY 2020, “virtually none were survivable against relevant cyber threats,” the message could not be more urgent. The cyber threat is real, and America needs to get busy.
