Knowing exactly what’s in the software that runs and interacts with key national security platforms or sources of data is more important than ever.
‘What is in the sausage?’ This simple question has been the cause of great controversy and consternation over the years. For many of us the response is reflexively, “I don’t want to know,” but for others the fascination is just too much, and they are keen to learn about every gory detail.
Fortunately, for those of us in the ‘I don’t want to know’ camp, we enjoy the comfort of knowing the sausage, and for the most part, our larger food chain, is safe regardless of what they put in it. The same cannot be said for our technical and industrial supply chains.
Since Upton Sinclair’s The Jungle was released in 1905, the U.S. has built a regulatory regime and correspondingly robust ‘farm to table’ supply chain that ensures everything we eat is largely safe for consumption.
When, on rare occasions, something bad makes it through all the inspections unnoticed the CDC, FDA, and other government agencies quickly declare a recall preventing the further spread of illness. As a result, America scores amongst the very best in global food quality and safety.
While we have done an amazing job improving our food supply chain over the last 115 years, we have woefully neglected national security critical software and hardware supply chains. Perhaps the most troublesome being the software supply chain.
The dirty secret of the tech world is that the vast majority of the software we buy and trust has ingredients from completely unknown and untrustworthy sources. Even more troublesome is this systemic issue is not simply confined to consumer products. From $100M fighter jets to $50 insulin meters, America’s most important industries like defense, power generation, and medicine are relying on software without a clue of what it takes to create it.
The current system looks something like this: A major manufacturer tells its software development team to build the code for a new product. This team is consistently overworked and must adhere to shortened timelines because sales or the C-suite has promised their shareholders and/or client base that the new product will be ready by a given date. This new product could be your grandma’s pacemaker or the logic controller inside a power plant that keeps the place from going BOOM!
Rather than building this code from scratch, the software development team makes a decision to utilize an open-source code as the basis for what they are building. Open-source code is defined as code that is freely available on the internet from commercial sites. It is often built anonymously and contributed to from community sources. Regrettably, the software team does not have a clue who created this code or the totality of who has contributed.
For the most part development teams thoroughly review the open-source code to maintain dependability and minimize unforeseen issues. These folks are professionals and want to do right by their company and customer base. But, what about the development team that is under extreme pressure to meet deadline or cost goals? Often it is only the consumer that realizes steps were missed or quality was off–after they have been hacked.
Whether it is open-source or custom-built code, every American depends on software to keep our lights on, our water running, and our military operational. There is not a single pillar of our civilization that is not completely dependent on software and the bad guys know it.
From Vladimir Putin to Xi Jinping, the leaders of America’s adversaries are driving more and more resources into penetrating our software supply chain. They understand that they will never have to face our military on the field, in the air, or at sea if they can manipulate our most critical systems long before the shooting starts.
We have arrived at a crucial point in our information security sausage-making process—a deaf ear and a blind eye to system shortcuts and vulnerabilities will no longer suffice. We need sensible regulation that safeguards our national security and way of life. America’s inventors and entrepreneurs have already created much of the technology needed to get control over the situation, but without a regulatory regime to match–few companies by themselves will take all the steps needed to secure the vulnerable software supply chain.
Our adversaries are working this very hard–we owe it to our future survivability and success to spend time, money, and effort to clean up the software jungle.
John Cofrancesco is the Vice President Of Business Development at Fortress Information Security.
