Slashdot Mirror
Does Offshoring Threaten Combat Software?
PreacherTom writes, "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
Offshoring will save costs,m and ensure that overseas developers, often with considerably greater knowledge of these systems will be able to develop them. the risks are totalyl negligible. I say we petition the government to offshore more development.
Yours - Cylon number 6
FTA:"We're happy to use Microsoft"
Some people never learn.
Maybe they could just ask to see the source code and audit it themselves, or just use software with the source code available. Its not as though they need to write it themselves, just be able to examine the source code. If they don't want to, well, they get what they deserve.
"We are all geniuses when we dream"
- E.M. Cioran
"Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
Blaming "offshoring" is a neat wave of the bloody shirt, but I don't think it's relevant to the problem. Take the word "offshoring" out of that quote, and replace it with "outsourcing." Does it still make sense? Let's see:
"Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that outsourcing presents too great a risk."
Looks like it does.
If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?
Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?
It's not that I do think that offshored code is trustworthy, it's that I don't think "onshored" code is. And if we can't trust either, what does offshoring have to do with anything?
Reality has a conservative bias: it conserves mass, energy, momentum...
...from offshore programmers, using homeland patriots won't make us any safer. These results seem convenient justification for the anti-globalists, but I would feel no safer. Without proper oversight, it won't matter where the physical location of a programmer is.
P.S. Los Alamos is onshore.
What scares me the most is the fact that they even gave offshoring a consideration!!!
...what if they'd offshored WOPR?
"How about a nice game of Chinese Checkers?"
FATMOUSE + YOU = FATMOUSE
I am all for cutting costs where need be, but there should be a line drawn somewhere. Send the web app that tracks sales of a company offshore. Dont send software that the department of defense uses offshore. At the very least, you buy 'accountability'. I dont know how easy it would be to track down the person who worked on the program in a difference country.
I'm glad the Pentagon finally woke up to reality, where maybe it's not such a hot idea to pay some Indian contract programmers a few bucks an hour to write the firmware for your cruise missiles.
I'm not sure of the exact law, but I believe there is one which basically says, all U.S. defense procurement must come from domestic sources, unless it's some exceptional item that can only be purchased abroad. Maybe we need a law like that for government contracting and outsourcing. Unless there's a demonstratable reason for having to do it offshore, it shouldn't be.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I imagine they were probably more concerned with other issues like foreign programmers who could easily be hired to work on other military projects for rivals. They'd even have large parts of the source available while programming on such systems and even if they didn't create backdoors they could still try and hack the system later if there was a change in their situation.
the more they over-think the plumbing the easier it is to stop up the pipe
I certainly hope we do not come to trust offshore programming in our military systems. The risks are far to numerous to even consider the use of that code. Instead of buying the software and looking at every function, why not just code everything yourself? Anything produced in-house could be checked as its being made and be much easier to work with. Who knows, the military is often the entity that spurs advancements things they need and use and they could possibly help the commercial sector with whatever they end up doing.
Invexi - a Phoenix, AZ based web design and web development company.
...there has never been anyone located in the United States that has worked on a sensitive project and worked to compromise its success and otherwise betray the US to enemies. So, obviously, offshoring is the only concern, not the complete inadequacy of the testing and verification procedures at the Pentagon.
There used to be a policy that all military suppliers had to have a second source. Because the US electronics industry was strong, there was no problem finding American suppliers. If the commies bombed one capacitor factory, there was always another one somewhere to keep the army supplied with capacitors. That changed. I remember one system that used tubes (the transistor version was coming 'next year' for about twenty years). By the end of the system's life the only supplier of tubes was the USSR.
m bassy.htm They had to tear it down because the Soviets managed to build bugs into almost every room.
I think it is wise that the military can identify every line of code it uses and, if necessary, talk directly to its author. The extent to which foreign spies will go is almost infinite. My favorite example is the US embassy in Moscow. http://www.fas.org/irp/congress/1990_cr/h901026-e
If you don't check the programming you can't trust it. And even if you do check the programming you still can't 100% trust it. If anyone has looked at obfuscation code contests they would know what I mean.
Ummm... And where the company is located that coded it is not good enough to think that the code will be safer if in the US. It all has to do with the intent of the programmers and company. You could have a US company that is financed by a foreign group or people could relocate to america and join the US company. Didn't they learn anything from 911? We trained the pilots!
So basically just check the code multiple times with different reviewers and cross your fingers.
It's not clear to me what software the Government is outsourcing or has outsourced or is considering. But it does seem they have at least dabbled in weapons systems and other software related to warfare being offshored. I can think of reasons this isn't a good idea...
That's a small list, there's plenty more. However, the building of reliable and secure software is fraught with pitfalls no matter where it's written. There's no reason enemies couldn't get on staff with local software writing.
I think as the software becomes increasingly complex the problem expands geometrically... and we probably have more to worry about from plain and simple code errors than malicious activity. The clear and present danger is knowing the software top to bottom with virtual certainty of its behavior in every conceivable circumstance.
I wish I knew where the article was, but I remember reading about NASA and their approach -- the amazing thing was they (NASA) produced code with almost unmeasurable defects. Their approach was to keep things simple and straightforward -- to the extent that the engineers and software developers interviewed described the process as almost boring. But, hey, if that gives us safe military software...
As for where the Government goes with this, the article started out sounding like they had some people on the ball. But, in the last paragraph, they lost me with (emphasis mine):
Hold on a second, if an indian program has the firmeware or a some calcluation processer that I need to run a cruise missle then why shouldn't I be allowed to buy it. The overseas developer doesn't have to know the application for the system. In fact, if a good system engineer wrights good requirements, the engineer could hide the application in a flying toaster.
Oh yeah, the defense producrment thing ensures that a doemestic middle man gets his cut- great job there.
And this software which we are not allowed to review may have been written by offshore programmers who will know perfectly well that they are doing the job because they are cheaper, and have absolutely no patriotic investment in the US?
I wonder how many other global empires have been brought down by the desire to make a quick buck?
Pining for the fjords
From:offshoreprogrammers@US-Tanks.gov Subject:"cI4lis cHeAp"
i support the right to offend.
That worked in a small company that was a subcontractor for security related software, I promise you the prime contractors have outsourced big software projects to far-off lands.
s sroom/press_releases/2004/PR02690.halliburton06170 4.html
The PHB's on the prime contractor's side don't know and won't care until a big contractor gets a very public hanging for it.
The beauty of the prime contractor outsourcing strategy is they pass the blame onto a sub-contractor of their choosing.
FYI:
Prime Contractor: The company that wins public agency contracts and packages the sub-contractor's work.
Sub Contractor: The one that does some/most/all of the grunt work.
Sadly, I can only post AC. I like my former employer and they followed the rules very closely as opposed to most of the primes and subs in the same field.
Yes ladies and gentlemen, the $600 toilet seat is still in production. Now, it's in software contracts and "homeland security" projects.
http://www.senate.gov/~schumer/SchumerWebsite/pre
Starting with the government. I'm sure China could do a much better job of managing the nation's affairs.
When I watched the first episode of Battlestar Gallactica (new version), I could not help but think a scenario which the US may end up in a similar situation. As more software and hardware being developed overseas (and less techies in this country to screen the imported items), how would we know if "The Enemy" does not do the same to us. Consider a carrier battlegroup which is becoming more network/computer centric... then blammo! Everything stops. Comms, wifi type systems, control systems, etc.
Then there is more offshoring bank account information so The Enemy can then compromise US accounts and then you have a large portion of this country's citizens spending considerable time trying to straightenout their accounts.
Mike
Not doing complete testing the the bane of all software projects. Those with full test plans that are carried out with each release are always much better products. If your goal is not testing every line (even if you don't meet that goal) then you fail very often.
There is an old military saying that goes something like, "Do not worry about your weaknesses, the Enemy will be more than happy to demonstate them to you." - Unknown
a maliciously place car can kill someone, too. So maybe we should remove all cars?
Simply put, don't use offshore devs --- its all in the contracts. you know the ones that result in tolit seats costing thousands of dollars....
If defence programming is going to be open to companies anywhere in the world, then what exactly are you defening against?
Maliciously placed software code is already weakening our military and hurting its ability to effectively fight wars. And that code was developed by Diebold right here in the USA.
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
WinNT did not fail. On a test platform, not an operational ship, running non-release versions of software: A client application accepted incorrect input. A server application accepted this bad data, performed a bad calculation, and corrupted it's database. Client apps that tried to use this database crashed. These events are OS independent, the same thing would have happened under MacOS X or Linux. The publisher of the original article that blamed WinNT later distanced themselves from the article calling it "early speculation".
h tml
t own.html#Schwartz1
The chief engineer on the ship at the time, and the developer of the application software, seem to say that the problem was not with WinNT:
http://www.sciam.com/1998/1198issue/1198techbus2.
"Others insist that NT was not the culprit. According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, "If you want to put a stick in anybody's eye, it should be in ours." But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred."
The captain at the time does further debunking:
http://www.jerrypournelle.com/reports/jerryp/york
In a letter to the "Comment and Discussion" department, published in the Aug 98 _Naval_Institute_Proceedings_, page 22, Captain Richard T. Rushton, then-CO of _Yorktown_, categorically states, "The _Yorktown_ was never towed as a result of any Smart Ship initiative. During my command, we lost propulsion power twice while using the new technology. Each time, we knew what caused the interrupt and were underway again in about 30 minutes. The September 1997 incident was caused by incorrect data insertion by a well-trained crewman. The _Yorktown_ returned to port using two FFG-7 emergency control units that specifically had been requested by me, and supported by other commands as a risk reducer. We knew there were some risks in the engineering development model propulsion-control system installed under a rapid prototyping development effort. The bottom line: The data field safeguards found in production-level systems were not installed yet in the _Yorktown_ by intention, until complete wring-out was accomplished."
Its probably just that they hired BAD coders, let alone what nationality they are. Sure its possible, but if they're spending such large amounts of money and expect good results they better be hiring good programmers who won't screw things up.
Of course offshoring combat software opens a greater likelihood of threat! Duh! That doesn't mean that home grown coders won't ever betray trust either, but if we can spend billions of dollars on rockets and bombs, then surely we can spend what it takes to use our own developers to write and test combat software! The very thought of important defense software being written in foreign countries, that may or may not remain friendly, is patently absurd. There are just some things you should do for yourself.
To the making of books there is no end, so let's get started
The basic liberal (in the commonly used sense) position on globalization isn't that it is bad in principle. It is just bad when it connects us to places with very low standards for human and labor rights.
While we have our own home grown terrorists (Timothy McVeigh, Richard Reid, Ted Kaczynski et al), the condition of human rights and economic development in low wage, low cost countries poses a particular security concern, not only for military contracting but for commercial espionage. I'm not concerned about countries like India, but there are other countries which shall remain nameless where there already have been sources of economically motivated commercial espionage, and are great sources of international instability that are playing the outsourcing game too.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
It shoudn't matter where the code was written. However good design priciples need to be followed, specifically modularity, unit testing, and testing of corner cases. The actual coding should probably be broken up among several entities working on different modues with strict interface standards. That way only the DoD has access to the big picture and the degree of obfuscation halps cover any vulnerabilities that do manage to be slipped in.
Yes, in fact we can be more confident of US code. When the US Goverment subcontracts to someone in the US, there are two dynamics in our favor...
1. The US does not have kind of economic forces that encourage the kind of high turnover that is typically seen in places like India (as an example). As a former employee of an embedded-systems company, I heard all about the rampant problems that our foreign outsourcing partners had... including competitors who would wave a few more rupees at them and they immediately flee (taking our proprietary knowledge with them).
So, how does this contribute to this discussion about hidden backdoors in Government software? The problem is that higher turnover means less incentive for the contracting company to do their due diligence on the next guy... knowing that at a significant portion of them will be gone within months. It also means an easier time for say an Iranian or Pakistani with a grudge to start working for the same company...
2. It is much easier to ensure you are getting good background checks in the US... the Feds can audit the contractors employees backgrounds... much harder to do on foreign soil.
Here's what scares me: The Intelligent Platform Management Interface (IPMI) and the Remote Management and Control Protocol. (RMCP). Many machines in the field implement these protocols in the network controller, independent of the operating system.
These are UDP-based protocols, on port 623. They can be sent from anywhere on the Internet; not just local machines. They provide total power over the target computer. Functions include:
-
Change boot device for next boot, including boot from network.
-
Turn machine on, off, or reboot.
- Disable keyboard and user on/off switch.
Now that's control.Supposedly machines come out of the factory with an empty set of IPMI remote management passwords in their nonvolatile memory. Supposedly. All it would take would be to slip in a password load somewhere before the machine reaches the customer, and the customer would never notice that they're 0wned. Even a complete reload of the OS won't fix this. You can switch the machine from Windows to Linux and still be 0wned. Or worse, the IPMI hardware could have a built-in password (perhaps for "factory test") that you couldn't even detect unless you knew it. Because all this remote management stuff is already there, it takes a very minor change to make large numbers of machines very vulnerable.
Run IPMItool and find out what machines will talk to you. Try not to reboot your whole server farm by mistake.
Made in Taiwan, Developed in India and Delivered by USA... I am actually for a global economy, but you just got to draw the line somewhere - it's not like the Pentagon has investors its trying to appease... Besides, if you were a foreign company, would you really want to be developing software that might be used by a foreign military against you or your friends?
Why doesn't the DOD hire them?
"Technology.....the knack of so arranging the world that we don't have to experience it." Max Firsch
I really, REALLY hope this pisses you Americans off, because it's got me pretty fuming. If this makes it to CNN or something otherwise, I'll write my reps, but seeing as midterms are next week, I won't do it just now. My state is about to have a lame duck or two.
Let's see the issues here.
- The government took jobs away from Americans to try and save money.
Then, since they didn't think it through,
- The government failed to adequately protect its people by allowing foreigners, possibly enemies, to write code for its own weapons systems. I don't feel safe.
But they actually figured it out. Hence,
- The government failed to be accountable with its cost cutting practices, and is now going to cause even more tax burden on the Americans that are now with (less) jobs.
Do not expect them to hire any new programmers or get any new contracts to test this code, I'm going to assume (jokes about assumption aside) from the above 3 points that the government will be taking their good old, expensive time with this, and will not correct the problem.
I work for a defense contractor writing simulation software for the army. In order to work on our project ( which is not even classified) , you need at minimum a secret level security clearance, ant it is mandatory that you be a US Citizen in order to get that clearance. There is no way any "Combat critical" software will ever be outsourced without a complete revamping of the way the Security Clearance's are issued.
I'm so glad to already see a bunch of comments to the effect of "well duh!" I've been wondering how long it would take the military's strong sense of self-preservation to kick in. It's one thing to be all for free markets to the extent of selling out your own population. But when you give away your military advantages to you potential adversaries for a quick market gain ...
A friend of mine and I have both been wondering when the US policy on off-shoring would change. My constant source of confusion is how we can have a War on Terror but continue to off-load most of our IT work and skills to China. No, we aren't at war with them. But they are a concern from a military strategy perspective. And to continue to become dependent on them in our current security state seems kind of stupid to me.
You can be for free markets and still choose to do things nationally to change your stance in the market. That's what trade agreements are for, etc. We hear over and over about how Japan choose to become the number one producer in X and made it happen. Sure we aren't Japan, but why not choose to defend our economy a little more aggressively? Especially if it is going to jeopardize our military standing?
We started churning out engineers for Apollo. That effort and our competition with the USSR is probably what created our current Information Economy. So why not take the long view of things (as opposed to the short view only concerned with this year's corporate profits) and choose to do something like Apollo to continue our engineering lead or to make the next big thing happen? Investing in science and engineering as a whole is only going to help the economy.
And low and behold, it makes really nifty weapons too. It's a two-fer!
"Doubt your doubts and believe your beliefs." -- Switchfoot, Ode to Chin
Anyone who watches Battlestar Galactica could tell you that maliciously placed code is a problem.
ZeroWing joke in 5 .. 4 .. 3 ..
[Insert pithy quote here]
HELLO!!! From an intelligence stand-point, who are these idiots making decisions which land top secret weapons development projects in the hands of foreign companies/governments? Is it any wonder why China is rising in military technology so fast? Why are 40%+ of the staff @ Los Alamos foreign nationals? Is it any wonder why we have security breaches?
the only permanence in existence, is the impermanence of existence.
I think this problem applies to all software out there.
One has bigger problems than malicious people planting trojans if they can't audit every line of their "mission critical" software OR hardware.
Would you trust your respirator and other hospital life support system to unaudited code whether or not it has been written by malicious people ? If not, then why should anyone trust his defense system ?
I remember there was a story long back about "intelligent guns" that identify their owners. No one thought it'd be a good idea since no one really knew the "identification" part and no one had 100% trust in it (apart from other strategic issues). If one doesn't trust a gun, what chances are of trusting a missile defense system ?
Unaudited code is untrusted code! It doesn't matter who wrote it.
- mritunjai
The UK government buys military equipment from the US which contains software which it is not permitted to review, and indeed for which it may not be allowed the latest version. And we are supposed to be about the only real international friend the US can rely on.
I have always found that a bit funny. Certain pundits keep telling us that the UK Govt. shouldn't have participated in the Eurofighter program and should instead have bought into the F.22 program (That's assuming the USA would even have let them). Well the UK did just that with the F-35, so take a look at the bickering over the F-35 work-share agreements that have arisen because the US keeps going back on it's promises to give the other F-35 program partner nations the access to some of the technology they were promised they would be able to gain access to when they put down their share of the development money. Now several F-35 program partner nations are actually wondering if they will even have complete control over their F-35 fleet or whether the USA will use access to spares, weapons, software sources and upgrades as political leverage. This is a good example why the buy-off-the-shelf argument is crap and it all boils down to technological control, technological independence and operational sovereignty. The Eurofighter may offer only 90% of the functionality of the F-22, mainly because it isn't as radar-stealthy as the F-22, but the functionality it does provide it provides at a lower price and the collaborating nations have complete control over every aspect of the Eurofighter program which would not be the case if they had bought of the shelf gear from the USA. So even if the Eurofighter is only second best I'd still prefer it because the USA can't veto (Like several F-16 have customers found out the hard way) what we can do with the Eurofighter whom we can sell it to and how and or where we upgrade it.
Hi. I work on a pretty major piece of defense software, something used for command and control. For testing we:
(step zero - specifically mark things that are critical to safety and review them extra closely at peer review time)
a) run unit testing on each team's piece of code (developers)
b) thread testing on the whole chunk of functionality (developers)
c) run test cases that are based more on real world values (testers)
d) system test cases (testers)
e) large scale tests that involve dozens of systems and the better part of a day, simulating an actual battle (testers)
f) the same thing, I believe, at the military's testing site.
We're all required to file paperwork to get security clearances.
Makes me want to kick a company that isn't doing it's job properly.
Look at all the jingoistic Americans agreeing to the BS article.
Maybe we have some greater confidence in US code. But US origin doesn't get you all that much more confidence.
The problem is that a large portion of the software the DoD uses is commercial off-the-shelf stuff. Those usually aren't written by contractors who've been investigated or cleared. So even if DoD banned use offshore-produced software, a foreign entity might not have that hard of a time infiltrating some US software company. It wouldn't take many such saboteurs if they were placed in the right companies.
So offshoring some military coders could really "hurt" USA's "ability to fight wars"? IMHO, "offshoring" the current US leadership to, for example, Antarktis and replacing it with decent human beings would be a true blow to the US's "ability to fight wars".
I work in the defense industry. All of the software for the systems I work with are not only coded in the U.S. but the programmers must have a security clearance. While it doesn't completely eliminate the threat, it is not as large as this article makes it seem. There are other factors that protect the systems. Many are closed systems so it's not like a kiddie hacker could trigger something or start "Global Thermonuclear War". As far as I can see, a bigger threat would be ot put in malicious coding into the OS where it would not be detected.
And these are the people responsible for fighting our wars and, as of yesterday, in charge of dispensing psyops directed and American citizens?
We're BONED!
Of course on-shore developers could also indtroduce similar flaws. Heck, even DOD certified developers with a clearance working directly for the pnetagon could do the same.
But there are levels of probabilty of this occuring. It's much less probably that a small group of well-screen on-shore programmers wil lintroduce issues than a facility in another country where the governemtn has no control or visibility into hiring, or systems deployment, or even tunnels under a building for that matter!
Not using offshore developers ia reasonable reduction of risk. By the way, this goes not just for the pentagon and DOD but also any company working on sensitive systems. It astounds me how many key systems companies are willing to have developed overseas when they claim to be interested in "protecting IP". Having someone else know your own IP better than yourself is a damn poor way of protecting it or keeping it from being used elsewhere.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's about knowing that the developer isn't a known criminal or terrorist, doesn't have ties with criminals or terrorists, isn't blackmail-able, and can be punished under US law. How can you possibly verify this with a foreign developer?
China will be making our tanks and bombs soon.. why out outsource the programmers and take it a step further.. outsource the entire military! I'm sure Nancy Pelosi would be all for it seeing its being FAIR to other countries.
meh.. thanks to NAFTA and low to no import tax we soon won't have any factories to build war tanks and planes. Whats to stop another Hitler from walking into this country and taking it over. I blame the past to administrations (bush and clinton) on this..
My 2 cents. I'm sure some liberal will call my OPINION a shitty ass one.. but I don't care =). whatever floats their boat...
Enjoy...
The idea that any US military hardware or software is produced outside of the US is idiocy. Let's hope the US never has to count on its ability to manufacture anything the next time a madman tries to take over the world.
Because it frees programmers that can join the Army!
"I'm glad the Pentagon finally woke up to reality..."
Woke up to what?
The U.S. no longer has nor cares about a U.S. manufacturing industry to build it's own planes (see JSF).
When you can't even make the components the software runs on, how does not making the software wake anyone up?
I've worked in the defense industry. Yes, the idea is idiocy. That's why all software actually used in military systems is written by citizens with security clearences. I have no idea what this article is talking about, or their supposed Pentagon sources.
I once couldn't bring a prototype device into a classified area until we replaced a software driver made in England. And trying to use IP cores for FPGAs from overseas? One giant headache.
And I advise against using a blurb in BusinessWeek as "proof" of anything. No serious investor I know would soil their hands on that rag.
is that techniques we used against the Soviets during the Regan Era may also be used against us if we're not careful? Say it ain't so!
The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
Why on earth would anybody (except the lucky government contractors) need that? And if there were something good about this idea, why wouldn't it be even better to ban all foreign spending by all private entities? There is nothing about a "tax dollar" that makes it different from any other dollar once it is spent.
No, there may be some security reasons for restricting military spending, but the economic interests of America and Americans are best served by minimizing tax expenditure, not by restricting it to America.
"The good reader is a rarer swan than the good writer."
"If they black box the components properly, there is no problem to this approach."
What about physical parts?
Given cost savings, the process leaves no manufacturing base in the U.S.
What happens when you lose the ability to produce the very things that protect you?
I bet we (the USA) could have a standing army of 1,000,000 or more with a few well placed Television Adverts and Recruitment Centers thruout mainland China.
-- www.globaltics.net
Political discussion for a new world
America needs a few crushing military defeats in the wars it unnecessarily initiates. That's the only way to stop Pentagon from engaging in wars for all sorts of ridiculous, made up reasons and Joe Sixpack from approving whatever BS he hears on TV. Think about it, the US has been in war with someone practically for half a century already if not more. The only two of these wars that were justified were WWII and Afghanistan. In all the others the US wasn't even remotely threatened so the wars were designed to line the pockets of the sitting president's buddies, make him look tough and create political capital for the ruling party come the next election.
I agree with your assessment of COTS software risks, but those risks are not unique to DoD... my comments in the context of custom software or specialized embedded systems that DoD uses... and particularly the case where they might contract with a US company who subcontracts elsewhere.
using Windows!
Not using Off-Shore or Outsourced programmers - How does that make America safer?
Think about it. Its irrational. Programmers who are outsourced working on large projects will:
Nothing to see here folks, just the Bush administration scaring the pants off its civilians.
Does Off-shore = programmers in NATO countries who have not committed to the war on terror??? Yeah I have a sneaky suspicion.
Before any of you go off half cocked. I need to remind you that NATO (UK, Canada, Germany, etc...) is in Afganistan.
The only way to ensure that your software will not be stolen or sold elsewhere is to have the creators work in a closed environment with no contact with the outside then you actually need to kill the people who created it, steal their computers make sure they didnt leave a copy somewhere, kill friends and family if you think they know about it and maybe just maybe it will not get around.
Otherwise, OF COURSE OFFSHORING DEFENSE CONTRACT IS DANGEROUS
We shouldn't even be asking this question. I hope that our military is always preparing and expecting the worst, god help us if they do anything short of that.
If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
How many countries there are in the world that outsources their defensive software ?
Read radical news here
I think you mean Xiang-chi :-)
Maxo has it right. There's entirely too much crying around here, where no matter what the pentagon does, they are evil and greedy. The issue is that the DoD should not offshore development of weapons systems to protect themselves from cleverly concealed backdoors or from 'enemies' learning about how a system works.
The reason the DoD buys weapons is to be able to use them against other nations (in theory). If they jeopardize their production to sabotage and give secrets to other countries, the value and efficacy of their weapons decreases.
Given the intensity of partisan rancor in this country, I think it entirely possible that domestic employees might try wreck DOD software to gain political revenge.
We should disallow hiring of anyone who has ever expressed antiwar sentiments.
We should also disqualify Democrats from working on DOD projects or having anything to do with critical infrastructure.
Just kidding (or am I?)
That i'm a heartless government financial officer defend why i decided to outsource these projects:
/my impression of the article.
In the event of a successful hacking attempt on our software and our local operations are comprimised, the estimated replacement costs of both hardware and troops is A.
A software devolopment endeavor of this type is costly if spearheaded locally due to security policies, high pay for skilled professionals, and according to market analysis would require a budget of B.
Outsourcing the development project will lower the cost by 100,000/year/person. This option can be expedited due to minimal security levels and media exposure. Estimated cost: C
now for the calculation:
If B - C > A, then Project = Outsourced
Remainder forwarded to local payroll account
"Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
Ah, and this is news somehow?
Did they ever read their own trusted computer systems evaluation guide?
Think for a minute how dependent our military and our society are on computers and their new and spare parts. Now imagine if say Taiwan got nuked by the Chinese...
it's becoming more difficult and costly to test every line of software code
What do you mean, "more difficult and costly to test every line?" Every line, or close to every line, darned well ought to have test coverage before you commit it to your source code repository, let alone delivering it to the customer. And properly factored and coded classes and modules should be testable in isolation. If the cost of testing -- and, presumably, the cost of change -- is increasing drastically as the system size increases, you're doing something wrong....
And it's far, far more costly to deliver software that doesn't have good code coverage than it is to write good tests and deliver well-tested software.
No country... I'll repeat NO GODDAMN COUNTRY has a "right to fight a war". They have rights to DEFEND, AT HOME, not "take a war to da enemy".
More lines of code should fall under scrutiny. But, I am sure some enterprising devs will find a way to improve the automated scanning and maybe even run the stuff in infinite-scenario virtual machines to look for signal injection hijacking and other techniques. But, war is not only suppose to be costly, it should be so frightening that most sane people will refuse to fight for unjust, unclear, or bogus reasons.
Maybe such fears of code being invaded will drive UP the cost of delivering troops to places they aren't wanted, or don't belong, or are on some government's expeditionary crusades.
A nice side effect from programmers of any country that outsources programming is that maybe those countries will inspire restoration of their home-grown development talents.
Since the code can never be FULLY trusted (yeh, "never say never", right?), maybe there's going to be a reduction in the gee-shucks- golly-wally ram-roading of slews of products that taxpayers fund but which never make it to the field, but somehow make it thru umpteen years of costly prototype phases. (Yeh, don't tell me about the Osprey, the Marines Killer"/"People Killer" machine.... yeh, it's a nifty machine, but the few number of units that took Marines' lives before full production is a vastly and woefully dismal record compared to the F-14, which saw HUNDREDS of units out of production, tho lives were lost across the F-14 history...)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Okay, here's the only specifics I saw in the article:
This includes not just software for computers and networks but, in some cases, programs for military aircraft, missile guidance, and battlefield management systems.
Okay, I can believe that "battlefield management systems" could have some commercial junk that came from somewhere, but otherwise I find large parts of this less than convincing.
About the missile guidance part I say: bullshit. Hell, for a lot of missiles, particularly older ones, the processor is custom, and so is the operating system: I repeat, no part of the missile was developed by people without citizenship and clearances. A more modern missile might run VxWorks (for example), but so what? Everything under the operating system (the board support package necessary to make VxWorks run on custom hardware), and everything on top of the operating system is largely custom, classified, and written by clearance-bearing people. Certainly you don't just buy Missile Guidance v3.2 (now with support for your uncooled IR focal plane array!) from Habeeb's Software Hut. And missile software has what might be considered a, you know, reasonably thorough testing process, where some care is taken to verify inputs and not just take things on faith.
And how do you subvert these systems? What, you DoS a Tomahawk? Or it accepts your logon attempt and you then your run your buffer overrun 'sploit and become root? There are a rather finite set of inputs to the system and access to them is controlled. I think missiles are pretty safe. Most are too single purpose to care about things that cause more general purpose computers problems.
So, yes, maybe software systems like battlefield control systems or radar control that use commercial databases or the like -- but one does not put these on the 'Net. And I'd hope that the NSA is providing some pretty rigorous guidance like "use NSA-Linux".
Yeah, plus I've seen the toilet seats in the Pentagon, and they're not that cool.
Now, if it were the Japanese Defense Attache's office, then it would be totally believable.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
A friend of mine is Indian and wrote missile firmware for the DoD. This was more than 10 years ago. I don't remember what company he worked for, but he lived in and was educated in India.
What concerns me more is that we can't find good developers here, and offshoring doesnt actually save us any money where I work. It was done out of necessity because (according to management) there was no way we could hire the amount of people we would need to support legacy development while the core developers worked on next generation code. Most of the candidates I have interviewed recently have been from India or the mid/near east, and will require a work visa to live here.
You do not want the US to just take code from the US.
That will mean no Windows. But it will also mean no BSD, no Linux and I would doubt QNX or vxworks etc.
To have EVERYTHING audited down to the programmers' parents, you'd have to do it in the US and pay for it all from scratch. That means a new highly proprietary software that costs a heck lot and comes with more bugs than Wince.
Ideally they should choose the most audited and high quality OS (regardless of who developed it), and build proprietary and secret applications over it.
So while the foreign-developer-inserting-bad-code is an apparent danger, ending up with policies than ban Linux BSD or any other high quality and opensourced OSes is a bigger but hidden danger.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Also, when I last checked, the US was a supranational state. As well as the continental US, there is Puerto Rico, and other islands in the Caribbean. There are the Hawaiian Islands. The UK is close to being a satrapy, with a notional independent government which, in fact, is called upon whenever the US wants to make war. Israel seems to have much the same relation to the US that it had to the Roman Empire - a turbulent state whose ruler cannot be relied on, and which one day may have to be crushed. The US is also trying to impose its government on Iraq and Afghanistan, and to establish rule over Cuba.
US politicians may not like their area of influence being called an empire. The remains of the British Empire may be a bit of a joke (Gibraltar, the Falklands and the Isle of Man). But, unless they withdraw within their borders and cease to try and rule other countries, that's what they are.
Whether the US empire is a good thing or a bad thing is, as the Chinese historian is supposed to have said of the French Revolution, too recent to decide.
Pining for the fjords
"They Write the Right Stuff"t ml
http://www.fastcompany.com/online/06/writestuff.h
need help, you know who not to call.
To think that the military can trust foreign nationals not to monkey with code and put hidden back-doors or special triggers into the software is highly suspect.... Especially considering that Americans can't even get voting machines made by _domestic_ companies that are proven trustworthy and without back-doors, hidden triggers, or other security compromises.
On the other hand-- I'd say the final extent of engaging in such folly is ultimately self-limiting since it is highly likely that these Republican cretins that are ruining our country and selling it down the river will one day end up, likely as not, staring down the barrel of one of their own creations. How would that be for penultimate poetic justice?
The submitter may need to read up on Hanlon a little.
Never attribute to malice,
that which is easily explained by stupidity.
- Hanlon's Razor
Glonoinha the MebiByte Slayer
Think hardware.
When all the hubbub was going on about Dubai buying US ports. Our government sold them 7 military plants on US soil.
Then there are all our politicians, who it is so very difficult to tell if they are incompetent or working for some other foreign power to weaken the United States. Since it is so hard to tell, I have to ask; "what would be the difference?"
I don't think the world works the way we think it does, with pitched armies, and Communists plotting against Capitalists. I think it's just various spheres of influence by Criminal Syndicates who own the people in power, and then use the "debate issues" to keep the citizens of various countries worried about people in other countries invading them.
It's all an extortion racket. We don't need to fear China, or Libya... we just need to worry about the whim of what the Bernanke summit decides when it's time to draw straws on which country gets torn apart for profit. Obviously, Afghanistan and Iraq had the short straws in 2003.
Whatever software or hardware we elect to throw money at only matters for the various companies at the trough who get to get paid to keep the charade going.
Oh, and read the waynemadsenreport.com about the splendid profit that Afghanistan drug exports are making for the CIA and the Russian mob. UNOCAL gets its oil pipeline, and Dubai launders Opium profits. World continues to spin on its axis.
>>"ad space available -- low rates!!!"
American software companies are the ones doing the offshoring.
--- Grow a pair, liberals... stop letting the Republicans bully you!
Uhm... British Leyland?
In fact, those who don't understand U.S. foreign policy today and over the past 60 years would do well to study that incident, and how it changed U.S. foreign policy. The bottom line is that the U.S. came to the conclusion that it couldn't trust the rest of the world to look after its own affairs. It had to bail out Europe and subdue Japan, both at incredible cost in terms of lives and dollars. That cost could have been reduced dramatically, had the U.S. become actively involved much, much earlier, and that couldn't possibly have been limited to "defending at home".
In short, the quoted point above is completely wrong.
No *American* coder would ever do anything malicious to the American government! Only them damn furriners!
*cues Team America theme song*
"AMERRRICUUUH! FUCK YEAH!!"
Is Capitalism Good for the Poor?
It takes a study to figure this out? Not only malicious code, but plain exposure of the code to outside, non-DOD people. And in some off-shore country $$$ can buy anything - a USB stick with the next F-22's flight-control firnware, for example. Has anybody even thought of it that if enemies have the source code, vulnerabilities and exploits could be found from analysis or systems developed to counter-act this software. Duh!
While I also agree that tax spending should be minimized whenever possible, I disagree that tax dollars are not different from privately spent dollars.
The difference between a tax dollar and a privately spent dollar is that the privately spent dollar isn't being taken from somebody by force. If someone wants to spend their income on a Chinese-made DVD player, then it's their right to do that. However, they don't get a lot of say in where their tax dollars are spent, nor do they have a choice as to whether they pay into the system or not (unless they fancy going to jail or having their salary garnished).
So tax dollars should always be spent with more care, and have more restrictions placed on their use, than private dollars. The taxpayers have a right -- since it is their money, essentially -- to decide where they want them to be funneled; I am suggesting, as a taxpayer, that it would be good to encourage our representatives to keep that money inside our own economy.
This would be just like me deciding when I'm standing down at Home Depot, that I'm going to buy something made in the U.S., instead of something imported. Only because I don't have that much direct control over where my tax dollars go, I'm left to instead petition government indirectly (or posit that it would be a good idea if we collectively did) to have my tax dollars spent in a manner I see fit.
While it would always be better for the government to spend $0 than anything, if they're going to spend money, I would strongly prefer that it be spent in this country than outside it. When spent inside this country, it has the side effect -- besides just in procuring the good that's needed by the government -- of encouraging domestic business, as well as putting a portion of that money directly back into the public pot via taxes on corporate income, and taxes on the salaries of the employees they have, etc.
So if we look at the economic cost to the country of foreign versus domestic spending, when money is spent overseas, it's just gone; it's a net loss to the U.S. economy. When it's spent domestically, much of that money ends up remaining in the economy, and going to pay U.S. workers (who again, pay taxes) and is invested here.
Perhaps someone could do an economic analysis of the "economic cost" of spending money in the home market versus abroad. Given sufficient evidence, I could see having some sort of cutoff for spending here versus abroad: if the foreign-made good is some amount cheaper than the domestic one, then it's worth buying it overseas, if the re-circulative effect of domestic spending wouldn't be enough to offset the higher price. However, I'm not sure how you would compute that.
Again, I'm not arguing for spending for the sake of spending, or spending purely for the sake of job creation -- I think both of those paths are wrong, however seductive they may be in the short term. But if you are buying an item for $100 from someone who is just going to pocket the whole amount, or from someone for $110 who is immediately going to turn around and give you back 30% of the purchase price (in taxes, direct and indirect), then it makes sense to go with the latter option. The 'savings' of the cheaper initial price is illusionary and shortsighted.
The government has the responsibility to go with the option that is ultimately best for the economy as a whole; that may not necessarily be the option that's the lowest retail price.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Anyone seen this new TV series called Battlestar Galactica?
This article surprised me - I thought there were sufficient controls in place to prevent just any code being used on sensitive systems. TFA seems to suggest that it's a lot more wild than I had suspected.
COTS stuff will always have a chance of a bad American or foreigner adding backdoors or whatever and even some guy with a security clearance could go bad -- it's just a lot less likely that someone would want to jeapordize their clearance and forsake their own country at the same time. COTS code shouldn't be too common in things like missle guidance systems. Last time I checked at OfficeMax I did not see Microsoft Patriot Missle Guidance System 2006 Professional on the shelf, but less sensitive systems like ERP, Finance and other Intranet related things likely incorporate uncontrolled code. In this code, backdoors, or whatever, could be used to sneak into other things that might be on the network or even the same server.
After reading the article, I am left with the feeling that perhaps code could creep in. Perhaps, even from unrelated projects where the coders are not "cleared". I'm glad they're looking into the problem and I hope they do something smart.
It sucks to have so many folks mad at us.
Offshore outsourcing of sensitive data and security code work is suicidal and also just stupid. Screw the whining about "cost cutting". It's all BS, and everyone knows it. Use homegrown programmers, not flakey geopolitically shifty foreign sources.
web analyst/API specialist
This is not only true for millitary software. All software systems that are needed to make the modern society working cannot be outsourced/offshored.