Author Topic: How to fix the military’s software SNAFU


rangerrebew
How to fix the military’s software SNAFU
« on: April 07, 2024, 05:23:53 pm »
Too many of its apps are built on code riddled with vulnerabilities—and distributed by the Pentagon itself.
JOHN SPEED MEYERS | APRIL 4, 2024
The only institution more mired in acronyms than the U.S. military is, in my experience, the software industry. The former’s thorough embrace of the latter is reflected, for example, in this recent piece by serious commentators that includes a four-page glossary. To be sure, software’s ability to supercharge military operations makes this alphabet soup palatable—but it also conceals a dangerous security SNAFU.

If software is to be more of a benefit than a liability, its inevitable flaws must be spotted and fixed before they can be exploited by China, Russia, and other adversaries. Unfortunately, in an analysis I conducted of popular open source software made available by the Pentagon for its units and contractors to use, there is strong evidence that the U.S. military is shipping software that is insecure and contains many known software vulnerabilities—CVEs, in software-speak.

Fortunately, the U.S. military, elected leaders, and the public don’t need to accept this situation as normal. There are technical and organizational solutions that would allow the military to embrace software safely. Creating safe and toil-free software requires, at a minimum, rethinking the links in the military’s software supply chain and preferring software that is rapidly updated. It also requires reconsidering the idea that there should be a single, free military-run repository of safe software. The software industry loves the idea of a “single source of truth,” but this totalitarian thinking, which military bureaucracies sometimes prefer too, is a recipe for disaster in the fast-moving world of software.

https://www.defenseone.com/ideas/2024/04/how-fix-militarys-software-snafu/395489/
The legitimate powers of government extend to such acts only as are injurious to others. But it does me no injury for my neighbor to say there are twenty gods, or no god. It neither picks my pocket nor breaks my leg.
Thomas Jefferson