crossposted on the NoSlaves.com blog
Most engineers know there are many ways to hide malicious code and design within architecture. Yet, most subscribe to an engineering code of ethics, the thought of such a betrayal analgous to a Medical Doctor using their skills to commit murder.
Yet in terms of policy is our Government undervaluing the national loyalty of most US citizen engineers? Are they enabling U.S. Scientists, Technologists, Engineers and Mathematicians to use their skills in support of infrastructure that is within the national interest?
An alarming report, Mission Impact of the Foreign Influence on DoD Software and it’s corollary on hardware was issued recently without much fanfare.
Software has become the central ingredient of the information age, increasing productivity, facilitating the storage and transfer of information, and enabling functionality in almost every realm of human endeavor. However, as it improves the Department of Defense’s (DoD) capability, it increases DoDs dependency. Each year the Department of Defense depends more on software for its administration and for the planning and execution of its missions. This growing dependency is a source of weakness exacerbated by the mounting size, complexity and interconnectedness of its software programs. It is only a matter of time before an adversary exploits this weakness at a critical moment in history.
The software industry has become increasingly and irrevocably global. Much of the code is now written outside the United States(U.S.), some in countries that may have interests inimical to those of the United States. The combination of DoDs profound and growing dependence upon software and the expanding opportunity for adversaries to introduce malicious code into this software has led to a growing risk to the Nation’s defense
The Intelligence Community (IC) does not adequately collect and disseminate intelligence regarding the intents and capabilities of nation-state adversaries to attack and subvert DoD systems and networks through supply chain exploitations, or through other sophisticated techniques.
DoD does not consistently or adequately analyze and incorporate into its acquisition decisions what supply chain threat information is available.
Now read this:
It is not currently DoD policy to require any program, even those deemed critical by dint of a Mission Assurance Category I status, to conduct a counterintelligence review of its major suppliers, unless classified information is involved.
Get that? No one is minding the store!
We already had Trojans (malware) put into Seagate’s Maxtor hard drives and the news barely made slashdot.
There are recommendations in these reports which you may or may not feel are adequate. One thing I feel certain is that while few, in their goal for labor arbitrage, are paying attention, the reality is the world is a series of nation-states. While more and more U.S. engineers are being marginalized, their careers cut short, the reality is fewer will take ethics or national loyalty seriously or even be around to monitor those who do not.
While COTS (Commercial off the shelf system components) must surely be part of military systems as the report points out, a hidden implication of this report is that they have relied on, America has relied on the integrity of it’s STEM professionals as well as their national loyalty much more than is currently acknowledged. Americans were thrown away in favor of cheaper labor, with nary a thought about the national security implications.
You might also want to watch PBS Frontline’s CyberWar! for further background on national security threats as we become increasingly dependent upon technology.
