No updated software, not capable of mission. Army seeks to include software for unit readiness reporting
ABERDEEN PROVING GROUND, Md. – The military is preparing to make software a key readiness measure for units.
In the past, when units declared their readiness level, it was mostly hardware-based with no software considerations whatsoever.
âThe readiness was like, ‘Hey, do I have my parts and do I have spares and all the hardware? But if your software doesn’t work, are you ready? Probably not. It wasn’t part of the math, âJennifer Swanson, director of the Software Engineering Center, told C4ISRNET in an interview on Nov. 2.
Its center worked with the Army G-3/5/7 to define software readiness measures, such as operating an approved software version and installing the most recent software within 30 days of its release. publication. As a result, the G-3/5/7 issued a work order and conducted pilots last year to test its software readiness reports. It is now expected that a final order will be issued in FY2022 which will require units to report their software readiness.
âIf you don’t update your software, you’ll have to report it as non-mission capable,â Swanson said.
Software has proven to be of immense strategic and tactical importance as a threat vector. Obsolete software can be exploited by adversaries or prevent systems from functioning properly. Some software fixes are so critical that they must be downloaded immediately.
Swanson gave the example of the SolarWinds compromise, attributed by the US government to the Russian foreign intelligence service.
âWe had SolarWinds thereâ¦ The beauty was for SolarWinds, we had the [software repository] available and we were able to post this content on a Friday night and watch the units start pulling it down immediately, which like you said wouldn’t have been the case before that, âshe said.
The military plans to update its software repository so it can know which units downloaded which software patches, and when. The Software Repository is a portal created in October 2020 that allows units around the world to download updates, much like commercial cell phones. Previously, the military had to send hard drives to units to get their updates. This meant that the updates could not arrive on time, creating some vulnerabilities.
While the current version of the software repository allows some level of monitoring to see which units are downloading updates, managers cannot see who is downloading what. The 2.0 software repository, due out this spring, lets you know exactly who downloaded what and when.
This type of capability would have proven to be important during SolarWinds.
âFor SolarWinds for example, you have spreadsheets that are emailed all over the SIPR[Net] side of the houseâ¦ trying to figure it out, here’s a list of units and this one got it and this one loaded it up, âSwanson said. âWhat Repo 2.0 will allow you is that you don’t have to do all of that. You will know who got the patch.
It also gives the military a better idea of ââthe readiness of units when it comes to software.
There might be a problem with a unit not updating to the latest version. Maybe they’re having connectivity issues or they’re just ignoring it, Swanson said. But having that level of loyalty allows the military to contact those units to see what issues might exist. It allows the military to be proactive rather than reactive.
The software repository is currently being migrated to the military cloud from the Defense Information Systems Agency, which hosts it. Swanson said his organization has partnered with the Army’s Chief Information Officer and his DevSecOps toolset to create the updated repository.
Mark Pomerleau is a journalist for C4ISRNET, covering information warfare and cyberspace.