April 29, 2025 | Defense News

The Pentagon must balance speed with safety as it modernizes software
Excerpt

The Department of Defense is at grave risk of being caught flat-footed by the next software vulnerability. When an adversary discovers it, the Pentagon may not know which systems are exposed until substantial damage has been done. This blind spot is dangerous. The Pentagon needs to balance expediting its software acquisition process with a better system for gauging prospective vulnerabilities and mitigating harm in the event of an attack.

DOD understands the need for software modernization and is taking steps to improve both its development and procurement methods. A recent directive designates the Software Acquisition Pathway (SWP) as the primary process for creating both weapons and business systems. This necessary evolution marks a shift from lengthy, hardware-focused timelines to a faster and more flexible software-centric model. SWP streamlines development and emphasizes speed by allowing programs to share and repurpose software test results.

While speed is important, this new approach also magnifies potential vulnerabilities: If a flaw goes undetected in one project or only comes to light after initial testing, there may be no subsequent security tests to identify it. This creates a critical visibility problem.

Software is constantly changing. A system that passed security tests last month could be vulnerable today because of a newly discovered flaw in one of its dependencies. Without a clear record of what is inside each software package, there is no reliable way to assess whether existing test results still apply.

Dr. Georgianna “George” Shea is chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab. She is at the forefront of cybersecurity innovation with nearly 30 years of pioneering experience across federal and commercial sectors.