The Defense Science Board task force assessed the Department of Defense's (DoD) dependence on software of foreign origin and the risks involved. The task force considered issues with supply chain management; techniques and tools to mitigate adversarial threats; software assurance within current DoD programs; and assurance standards within industry, academia, and government. This executive summary highlights the future U.S. ability to ensure and maintain a trusted supply of software to the DoD and the U.S. government. The full report states that there is no absolute guarantee that software can be sanitized of all vulnerabilities, intended or unintended, and recommends a suite of processes and mitigation strategies to reduce the risk of interrupted systems performance and ensure mission success.

Software has become the central ingredient of the information age, increasing productivity, facilitating the storage and transfer of information, and enabling functionality in almost every realm of human endeavor. However, as it improves the Department of Defense's (DoD) capability, it increases DoDs dependency. Each year the Department of Defense depends more on software for its administration and for the planning and execution of its missions. This growing dependency is a source of weakness exacerbated by the mounting size, complexity and interconnectedness of its software programs. It is only a matter of time before an adversary exploits this weakness at a critical moment in history. The software industry has become increasingly and irrevocably global. Much of the code is now written outside the United States (U.S.), some in countries that may have interests inimical to those of the United States. The combination of DoDs profound and growing dependence upon software and the expanding opportunity for adversaries to introduce malicious code into this software has led to a growing risk to the Nation's defense. A previous report of the Defense Science Board, "High Performance Microchip Supply," discussed a parallel evolution of the microchip industry and its potential impact on U.S. defense capabilities. The parallel is not exact because the microchip fabrication business requires increasingly large capital formation - a considerable barrier to entry by a lesser nation-state. Software development and production, by contrast, has a low investment threshold. It requires only talented people, who increasingly are found outside the United States. The task force on microchip supply identified two areas of risk in the off-shoring of fabrication facilities - that the U.S. could be denied access to the supply of chips and that there could be malicious modifications in these chips. Because software is so easily reproduced, the former risk is small. The latter risk of "malware," however, is serious. It is this risk that is discussed at length in this report.

The Defense Science Board (DSB) Task Force on Mission Impact of Foreign Influence on DoD Software examined areas in software security, security architecture, and risk mitigation and received briefings from industry, academia, and a number of Defense agencies. Briefings on software assurance and development processes for Defense programs were also provided. The Department's dependence on software, which is growing in size and complexity, presents tempting opportunities for U.S. adversaries to exploit. Further, the increasing interconnectedness of defense systems could lead to the exploitation of many applications through a single vulnerability. The weaknesses, among others, are significant liabilities to the Department's mission-critical systems; however, DoD cannot ignore the economic advantage of globally-produced, commercial-off-the-shelf software. The globalization trend of the software industry will continue to occur, and some of DoD's software will be developed in foreign countries. The task force found that low-level, malicious techniques have been employed to successfully penetrate sensitive, unclassified DoD systems despite efforts by DoD to maintain information security and assurance. DoD's current evaluation strategies and techniques are inadequate to deal with the growing functionality and outsourcing trend of software, making exploitation easier and defense more difficult. The problem is complex, and ultimately, an intelligent risk management process will be essential to ensure a trusted supply chain, mitigate malicious attacks, enable efficient responses and reactions. and maintain trustworthiness in the software that support DoD's critical missions. The task force outlined 11 recommendations in this report. The recommendations aim to improve the trustworthiness of DoD's software supply and address areas in procurement, intelligence, quality and security assurance, acquisition, research and development, and the National agenda.

Critical Code contemplates Department of Defense (DoD) needs and priorities for software research and suggests a research agenda and related actions. Building on two prior booksâ€"Summary of a Workshop on Software Intensive Systems and Uncertainty at Scale and Preliminary Observations on DoD Software Research Needs and Prioritiesâ€"the present volume assesses the nature of the national investment in software research and, in particular, considers ways to revitalize the knowledge base needed to design, produce, and employ software-intensive systems for tomorrow's defense needs. Critical Code discusses four sets of questions: To what extent is software capability significant for the DoD? Is it becoming more or less significant and strategic in systems development? Will the advances in software producibility needed by the DoD emerge unaided from industry at a pace sufficient to meet evolving defense requirements? What are the opportunities for the DoD to make more effective use of emerging technology to improve software capability and software producibility? In which technology areas should the DoD invest in research to advance defense software capability and producibility?

The U.S. information technology (IT) research and development (R&D) ecosystem was the envy of the world in 1995. However, this position of leadership is not a birthright, and it is now under pressure. In recent years, the rapid globalization of markets, labor pools, and capital flows have encouraged many strong national competitors. During the same period, national policies have not sufficiently buttressed the ecosystem, or have generated side effects that have reduced its effectiveness. As a result, the U.S. position in IT leadership today has materially eroded compared with that of prior decades, and the nation risks ceding IT leadership to other nations within a generation. Assessing the Impacts of Changes in the Information Technology R&D Ecosystem calls for a recommitment to providing the resources needed to fuel U.S. IT innovation, to removing important roadblocks that reduce the ecosystem's effectiveness in generating innovation and the fruits of innovation, and to becoming a lead innovator and user of IT. The book examines these issues and makes recommendations to strengthen the U.S. IT R&D ecosystem.

The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks-actions intended to damage adversary computer systems or networks-can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic.

Are nuclear arsenals safe from cyber-attack? Could terrorists launch a nuclear weapon through hacking? Are we standing at the edge of a major technological challenge to global nuclear order? These are among the many pressing security questions addressed in Andrew Futter’s ground-breaking study of the cyber threat to nuclear weapons. Hacking the Bomb provides the first ever comprehensive assessment of this worrying and little-understood strategic development, and it explains how myriad new cyber challenges will impact the way that the world thinks about and manages the ultimate weapon. The book cuts through the hype surrounding the cyber phenomenon and provides a framework through which to understand and proactively address the implications of the emerging cyber-nuclear nexus. It does this by tracing the cyber challenge right across the nuclear weapons enterprise, explains the important differences between types of cyber threats, and unpacks how cyber capabilities will impact strategic thinking, nuclear balances, deterrence thinking, and crisis management. The book makes the case for restraint in the cyber realm when it comes to nuclear weapons given the considerable risks of commingling weapons of mass disruption with weapons of mass destruction, and argues against establishing a dangerous norm of “hacking the bomb.” This timely book provides a starting point for an essential discussion about the challenges associated with the cyber-nuclear nexus, and will be of great interest to scholars and students of security studies as well as defense practitioners and policy makers.

This report examines the challenges facing the DoD in acquiring information technology (IT) and offers recommendations to improve current circumstances. The fundamental problem DoD faces is that the deliberate process through which weapon systems and IT are acquired does not match the speed at which new IT capabilities are being introduced in today¿s information age. Consequently, the principal recommendation of the study is that DoD needs a new acquisition system for IT. Roles and responsibilities for those involved in the acquisition process must be clarified and strengthened and the IT system acquisition skills required in the workforce must also be strengthened. Illustrations.