[Congressional Record (Bound Edition), Volume 146 (2000), Part 17]
[Senate]
[Pages 25139-25140]
[From the U.S. Government Publishing Office, www.gpo.gov]



                      INFORMATION SYSTEMS SECURITY

  Mr. HOLLINGS. Mr. President, the General Accounting Office recently 
concluded that formal software management policies at eight of the 
sixteen U.S. Federal agencies they investigated were found to be 
inadequate and that controls over access to software codes were weak. I 
am convinced that the information systems used by the Department of 
Defense are critical components of the warfighting capability of the 
United States. Off-the-shelf and customized software is critical to the 
functioning of these systems. I rise today to express my concern that 
the security and integrity of critical government systems could be at 
great risk if their operational software has been procured or developed 
outside the United States or without proper oversight and control. I 
have read, with growing concern, a number of news articles that suggest 
that foreign software acquisitions can have potentially catastrophic 
consequences on both classified and unclassified national information 
management systems used by Federal agencies for sensitive applications.
  I would like to cite just a few examples to illustrate my point. An 
article in the February 16, 2000, Washington Post discussed the State 
Department's purchase of an unclassified, but sensitive, business 
operations system with software code developed by former citizens of 
the Soviet Union. According to the article, State withdrew the system 
from their embassies worldwide because they were concerned that hidden 
code might have been added during development and fielding. The final 
paragraph of the article states: ``The lesson of State's fiasco is 
simple--but so important it should be hard-wired: As people and 
organizations grow more dependent on computers, they become more 
vulnerable. It's easy to forget that every line of code can be a 
potential spy or saboteur.''
  On March 2, 2000, the New York Times reported that Japanese software 
suppliers associated with the terrorist sect responsible for the Tokyo 
subway nerve gas attack had sold software programs to several Japanese 
government agencies, to include their Defense Ministry. According to 
the article, the agencies and companies that ordered the software were 
unaware that the sect was involved because the principal

[[Page 25140]]

suppliers had sub-contracted the work to others. As recently as June 
19, 2000, the Defense News reported that two German defense industry 
employees were convicted of selling missile secrets to Russia. A 
software provider could have easily employed these ``spies.'' 
Unfortunately, this is not a new phenomenon. On October 24, 1999, as we 
prepared for the Y2K transition, the Los Angeles Times ran an article 
citing concerns by security experts that the use of foreign contractors 
for Y2K solutions could have placed critical systems at risk. The 
article reports that, in the words of one government security expert, 
``The use of untested foreign sources for Y2K remediation has created a 
unique opportunity for foreign countries or companies to access and 
disrupt sensitive national security and proprietary information 
systems.'' The GAO further maintained that background screening 
policies for personnel involved in Y2K remediation were lacking or 
inadequate despite at least 85 Federal contracts being completed using 
foreign nationals.
  The Department of Defense routinely purchases software developed by 
foreign companies. The Department is often unaware of that fact. For 
many of its unclassified, but critically important, business operating 
systems, government agencies contract with a systems integrator. The 
integrator then selects the software system to be installed as part of 
the operating system. The Agencies are often not aware that the 
software was developed in a foreign country, by foreign developers, and 
perhaps, even in a foreign language. I believe that, at a minimum, the 
provision of software produced by a U.S. company (or at least software 
controlled by a U.S. company) should be a consideration in the 
acquisition process. Encouraging the Defense Department (and other 
Government agencies) to at least consider the origin and ownership of 
source codes will not eliminate vulnerability, but it is a step in the 
right direction. Additionally, it reinforces software development as a 
key component of our defense industrial base. For that reason, I urge 
the Administration to put in place protocols in the selection process 
that consider the origin of all source codes used in the development of 
information systems acquired or developed. This should include those 
acquisitions arranged via sub-contracts by prime contractors or system 
integrators.

                          ____________________