In an interview Thursday, Lt. Jamie Gateau, director of technology innovation for the Navy's Network and Space Operations Command in Dahlgren, Va., said he plans to beef up and standardize the security requirements specified in software outsourcing contracts that the group awards to external vendors. Gateau said he's also evaluating new technology that would help identify security vulnerabilities in externally sourced software.
Earlier this week, the General Accounting Office issued a report warning that Defense Department agencies that use software written outside of the United States could be placing the country's security in jeopardy. The GAO, the investigative arm of Congress, warned that programmers hostile to U.S. interests could write back doors into code that ultimately ends up in use by the military. To address software vulnerabilities and threats, the GAO recommends that the Defense Department better define software security requirements and compel program managers to lessen associated risks.
Gateau said he hasn't seen the report and that he was already planning to make the changes. "We've reached an understanding that security management is not something that can be slapped on," he said.
All future contracts awarded by the Navy's Network and Space Operations Command will contain "specific language that talks to software assurance; that secure code and reliable code will be required items," Gateau said, adding that such requirements currently aren't specified "in any concrete terms" even though most of the IT projects under the agency's watch are classified as "secret and higher." The changes would apply only to contracts written by the NSOC, though Gateau said other branches of the Navy may follow suit.
Some security experts say they're concerned that the Navy lacks uniform security requirements in its software contracts. "I'm surprised that they don't, given the sensitivity of some of these applications," says Brian Kelly, director of the Giuliani Center for Advanced Security in New York. The Defense Department "needs to be more aggressive in defining security requirements up front," he adds.
Gateau said he's also evaluating new technology designed to help detect back doors and Trojan horses in software. Among other things, he's looking at the forthcoming version 2.0 of OunceLabs Inc.'s Prexis software. The application is designed to detect malicious code by scanning for lines that appear faulty or that serve no apparent purpose. However, OunceLabs CEO Jack Danahy concedes that the product won't catch malicious code that also functions as a normal, working part of an application. "Nothing can catch that except manual code reviews," Danahy says.
As for offshore development, Gateau said he doesn't plan to write contracts that would prohibit his vendors from using developers based outside the United States. The risks identified by the GAO "aren't not specific to offshore outsourcing," he said. "We run the same risk every day, with every piece of software we run."