Software Insecurity is Our Biggest Weakness

ST. PAUL, MINN.–If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate and commercial networks, enterprises and government agencies should stop relying on commercial software and go back to writing more of their own custom code, a security expert said Tuesday.

Speaking at the Secure360 Conference here, Marcus Ranum, CSO of Tenable Network Security, said that the country’s reliance on commercial off-the-shelf software has made us more susceptible to attack, not to mention less innovative and creative. While dismissing the current fascination with cyberwar as hype, Ranum said the reality is that foreign governments and intelligence agencies are doing their best to penetrate our government and commercial networks every day, just as the U.S. government is working to compromise foreign networks.

That reality means that poorly written and deployed software is a major problem, he said.

“If we’re going to maintain our place in the world, software is not a strategic problem, it is the strategic problem going forward,” Ranum said. “Covert penetration becomes something that you think about on a five, 10 or 20-year scale. If you look at the problem of doing a significant penetration, it’s not something you can do immediately.”

Using the federal government as an example, Ranum pointed out that many, if not most, of the internal software development groups that used to exist in federal agencies are now largely gone. In their place now is an army of contractors doing much the same job, but with a couple of important differences. Because the internal development teams no longer exist, the contractors are reporting to program managers instead of managers who were developers themselves.

As a result, there are fewer and fewer people inside the agencies who understand what it takes to write and deploy good software. And the software they’re getting is costing several times what it used to because it’s coming from contractors rather than internal employees.

“We’ve jammed the money valve wide open to the point that we’re spending five or six times the money on contractors,” Ranum said.

In place of this current model, Ranum suggested that it may be time for a centralized federal development organization that focuses on writing custom software.

“Why don’t we have a government coding office? We have a government printing office,” he said. “Why don’t we have a strategic software reserve? Is this putting us at a greater or lesser risk? I’m not sure. But our own software is probably a greater threat to us than anything other people can do to us.”