The Implications of COTS Vulnerabilities for the DoD and Critical U.S. Infrastructures

What Can/Should the DoD Do?

Published 1998

by Robert H. Anderson, Richard Hundley


Available as a free PDF (1.2 MB) or as a paperback print copy (15 pages).

There is a growing reliance on commercial off-the-shelf (COTS) products within critical systems on which the security and safety of the United States depend. Next-generation command and control systems within DoD depend heavily on COTS hardware and software. Typical COTS software products are large and complex, often comprising millions of lines of source code. This complexity precludes complete, unambiguous analysis of the code for "trap doors," "logic bombs," and other malevolent code possibly buried within it. In addition, increasing amounts of such code are developed by non-U.S. citizens and offshore workers with uncertain loyalties to the United States. Market forces favor functionality over security and reliability, so the problem is unlikely to disappear. Moreover, DoD and the U.S. government lack sufficient market strength to compel greater security in COTS products. There are two basic approaches to "managing" this problem: making the COTS products used by the DoD more secure, and learning to live with insecure COTS. Initiatives can be undertaken in both of these areas. The authors identify a number of candidate elements supporting each approach; those elements can be combined into a variety of overall solution strategies. An outline of a possible research agenda addressing this problem is presented.

This report is part of the RAND paper series. The paper was a product of RAND from 1948 to 2003 that captured speeches, memorials, and derivative research, usually prepared on authors' own time and meant to be the scholarly or scientific contribution of individual authors to their professional fields. Papers were less formal than reports and did not require rigorous peer review.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.