Now we are really in trouble. Here’s a report from a Defense Science Board Task Force on the dangers of foreign-produced software now being used by the Department of Defense. Its central conclusion is that:
Each year the Department of Defense depends more on software for its administration and for the planning and execution of its missions. This growing dependency is a source of weakness exacerbated by the mounting size, complexity, and interconnectedness of its software programs. It is only a matter of time before an adversary exploits this weakness at a critical moment in history.
The software industry has become increasingly and irrevocably global. Much of the code is now written outside the United States, some in countries that may have interests inimical to those of the United States. The combination of DoD’s profound and growing dependence upon software and the expanding opportunity for adversaries to introduce malicious code into this software has led to a growing risk to the nation’s defense.
Is this a real danger?
The study itself is filled with a wealth of fascinating details about the vulnerability of critical defense computer applications to nefarious software producers. And evidently there are no easy tools for detecting deliberately planted bugs.
We thus face the danger that when, say, an American President decides to launch a nuclear strike against, say, China in response to an attack, say, by China on Taiwan, he will press the button and, thanks to malicious software, not a rocket will go off, even if he presses the button again and again.
But before we hit the panic button, let’s ask some obvious questions. How come hackers and producers of malicious code have not yet enriched themselves by raiding the major investment houses of the West? If our adversaries are as good as we are saying they are at exploiting vulnerabilities in our technology, why are their brilliant programmers not going off on freelance missions to tap in, say, to the electronic systems of a Goldman Sachs and transfer its assets to themselves?
The major investment banks from Lehman Brothers to Deutsche Bank are all enterprises that span the globe. We never read headlines about billions disappearing from their coffers at the stroke of a hacker’s key. If the investment banks can protect themselves, and if the Federal Reserve Bank can also protect itself, why can’t the Defense Department follow suit?
I don’t have an answer to this question, but if you do, please help me connect the dots.