The Implications of COTS Vulnerabilities for the DoD and Critical U.S. Infrastructures

What Can/Should the DoD Do?

by Robert H. Anderson, Richard Hundley


There is a growing reliance on commercial off-the-shelf (COTS) products within critical systems on which the security and safety of the United States depend. Next-generation command and control systems within DoD depend heavily on COTS hardware and software. Typical COTS software products are large and complex, often comprising millions of lines of source code. This complexity precludes complete, unambiguous analysis of the code for "trap doors," "logic bombs," and other malevolent code possibly buried within it. In addition, increasing amounts of such code are developed by non-U.S. citizens and offshore workers with uncertain loyalties to the United States. Market forces favor functionality over security and reliability, so the problem is unlikely to disappear, and DoD and the U.S. government lack sufficient market strength to compel greater security in COTS products. There are two basic approaches to "managing" this problem: making the COTS products used by the DoD more secure, and learning to live with insecure COTS. Initiatives can be undertaken in both of these areas. The authors identify a number of candidate elements supporting each approach; those specific elements can support a variety of overall solution strategies. An outline of a possible research agenda addressing this problem is presented.

This report is part of the RAND Corporation paper series. The paper series was a product of the RAND Corporation from 1948 to 2003 that captured speeches, memorials, and derivative research, usually prepared on authors' own time and meant to be the scholarly or scientific contribution of individual authors to their professional fields. Papers were less formal than reports and did not require rigorous peer review.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.