The U.S. government, including agencies like CISA, DARPA, OUSD R&E, and NSA, is urging immediate action to close a significant gap in the understanding of software systems, especially in relation to national security and critical infrastructure. This “software understanding gap” arises from a mismatch between the complexity of today’s software and the ability of mission owners and operators to fully comprehend it. The gap makes it difficult to design software that is secure by default, to address defects quickly, and to defend against software exploits. The agencies involved in the report are calling for urgent steps to close this gap before other nations, like China and Russia, can surpass the U.S. in their capabilities to secure software-controlled systems.
Software-controlled systems are integral to U.S. critical infrastructure, including military, space, communications, energy, and transportation systems, as well as artificial intelligence. These systems rely heavily on software running on endpoints, servers, and ICT systems, which are essential for national security. The report highlights that the inability to understand the software leads to risks in identifying potential vulnerabilities, leaving critical infrastructure exposed to cyber threats. Addressing the software understanding gap is crucial to improving the nation’s ability to protect these systems from adversarial state-sponsored activities, which could compromise both security and geopolitical standing.
The report stresses that manufacturers must take immediate action to enhance their secure-by-design programs, incorporating trusted third-party attestation processes. Such steps will allow customers to have greater confidence in the software they procure, knowing it has undergone rigorous security checks. The U.S. government is also urged to take coordinated action, with policies, legal requirements, and investments in technology procurement and research, to close this gap across the country’s infrastructure sectors. This includes improving the ability of mission owners and operators to routinely evaluate software systems and make decisions based on a clear understanding of their behavior and security posture.
By addressing the software understanding gap, the report suggests that not only will national security and critical infrastructure be better protected, but there will also be economic benefits. Enhancing the understanding of software will help improve decision-making before deploying new software systems, leading to increased confidence in their use. Moreover, it will help reduce the resources spent on patching and upgrading systems and strengthen the ability of the U.S. to maintain an edge in global technology competition, which is becoming increasingly important in today’s geopolitically charged environment.