DOD officials wary of weak spots in commercial apps
Trend toward off-the-shelf, open-source products raises red flags on security
- By Peter Buxbaum
- Sep 22, 2006
'COTS in itself is a vulnerability and we don't always do a good job assuring that the software we are using is secure.' - Vice Adm. Nancy Brown
While the military is moving to increase information sharing and the acquisition of commercial software, one high-ranking official has expressed concern over the flip side of the same coin: the vulnerabilities associated with opening access to networks and in deploying standard software.
Information sharing is a key characteristic of the network-centric environment the military is building. Using commercial and standardized software contributes to the speed with which applications can be deployed on the network.
But Vice Adm. Nancy Brown, director of Command, Control, Communications and Computers systems on the Joint Staff, speaking recently at a Washington gathering of the Armed Forces Communications and Electronics Association in Arlington, Va., pointed out that the positive dimensions of these developments are accompanied by vulnerabilities that need to be addressed.
'There is a tension between information assurance and increasing capabilities,' she said. 'The dilemma is how to ensure security and confidentiality while not reducing the effectiveness of networks to warfighters.'
Data transparency is one of the top three priorities of the Air Force, according to Air Force CIO Lt. Gen. Michael Peterson, who spoke at the same event. 'It's all about turning data into something you can use,' he said.
Air Force Lt. Gen. Charles Croom Jr., director of the Defense Information Systems Agency, noted that information exchange led to the successful targeting of al-Qaida leader Abu Musab al-Zarqawi in Iraq.
As for the software DISA is acquiring, Croom said, 'Commercially available technology is clearly where DISA is headed. We're after speed, and commercial software does it for us.'
While raising red flags over the vulnerabilities associated with information sharing, Brown nonetheless recognizes its value.
'We are a nation at war and our information-sharing requirements are greater than ever,' she said. 'We need to treat information sharing as a critical warfighting weapon. But we need to balance information sharing and openness on the network with the vulnerabilities inherent in them.'
For Brown, this involves a new way to secure networks. 'The way we have protected networks traditionally has always been to lock them down,' she explained. 'It is a philosophy we borrowed from the world of physical security, where you lock the doors and bolt the windows to keep people from getting in. In a network environment, the same measures also reduce the ability to get out, so it's not the right philosophy.'
The key balancing act, for Brown, involves accommodating warfighter requirements with the need to protect information.
'How do we store information without guarding everything like it's the king's jewels, because not everything is,' she said.
Further dilemmas
The acquisition of commercial software presents further dilemmas for the military IT community. Navy CIO David Wennergren said his department puts a premium on acquiring systems based on open standards.
'Gone are the days when proprietary systems fit the bill,' he said. 'Where there are standards, Web services or [Extensible Markup Language]-based systems that fit our needs, that is what we do.'
Croom noted that DISA recently awarded a $17 million Network Centric Enterprise Services contract to IBM Global Services to provide suite collaboration capabilities. The contract utilizes an existing commercial collaboration service and represents an almost complete outsourcing of collaboration tools to a commercial vendor.
But for Brown, 'COTS in itself is a vulnerability and we don't always do a good job assuring that the software we are using is secure.'
The primary problem presented by commercial software is that 'our adversaries are able to buy the same piece of software as we do,' Brown said. 'There are definite vulnerabilities in how we are using COTS. This is an area we need to look at as we get more and more dependent on commercially available products.'