APPLICATIONS OF ARTIFICIAL INTELLIGENCE (AI) FOR PROTECTING SOFTWARE SUPPLY CHAINS (SSCs) IN THE DEFENSE INDUSTRIAL BASE (DIB)
CSIAC-BCO-2023-499
STATE-OF-THE-ART REPORT (SOAR)
JANUARY 2024
By Abdul Rahman
DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
Contract Number: FA8075-21-D-0001
Published By: CSIAC

ABOUT CSIAC

The Cybersecurity & Information Systems Information Analysis Center (CSIAC) is a U.S. Department of Defense (DoD) IAC sponsored by the Defense Technical Information Center (DTIC). CSIAC is operated by SURVICE Engineering Company under contract FA8075-21-D-0001 and is one of the three next-generation IACs transforming the DoD IAC program: CSIAC, Defense Systems Information Analysis Center (DSIAC), and Homeland Defense & Security Information Analysis Center (HDIAC).

CSIAC serves as the U.S. national clearinghouse for worldwide scientific and technical information in four technical focus areas: cybersecurity; knowledge management and information sharing; modeling and simulation; and software data and analysis. As such, CSIAC collects, analyzes, synthesizes, and disseminates related technical information and data for each of these focus areas. These efforts facilitate a collaboration between scientists and engineers in the cybersecurity and information systems community while promoting improved productivity by fully leveraging this same community’s respective knowledge base. CSIAC also uses information obtained to generate scientific and technical products, including databases, technology assessments, training materials, and various technical reports.

State-of-the-art reports (SOARs)—one of CSIAC’s information products—provide in-depth analysis of current technologies, evaluate and synthesize the latest technical information available, and provide a comprehensive assessment of technologies related to CSIAC’s technical focus areas. Specific topic areas are established from collaboration with the greater cybersecurity and information systems community and vetted with DTIC to ensure the value-added contributions to Warfighter needs.

CSIAC’s mailing address:
CSIAC
4695 Millennium Drive
Belcamp, MD 21017-1505
Telephone: (443) 360-4600

REPORT DOCUMENTATION PAGE
Form Approved
OMB No. 0704-0188

The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing the burden, to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.
PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE: January 2024
2. REPORT TYPE: State-of-the-Art Report
3. DATES COVERED
4. TITLE AND SUBTITLE: Applications of Artificial Intelligence (AI) for Protecting Software Supply Chains (SSCs) in the Defense Industrial Base (DIB)
5a. CONTRACT NUMBER: FA8075-21-D-0001
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S): Abdul Rahman
5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Cybersecurity & Information Systems Information Analysis Center (CSIAC), SURVICE Engineering Company, 4695 Millennium Drive, Belcamp, MD 21017-1505
8. PERFORMING ORGANIZATION REPORT NUMBER: CSIAC-BCO-2023-499
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center (DTIC), 8725 John J. Kingman Road, Fort Belvoir, VA 22060
10. SPONSOR/MONITOR’S ACRONYM(S): DTIC
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT: DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
13. SUPPLEMENTARY NOTES
15. SUBJECT TERMS: cybersecurity, cyberattack, software supply chain (SSC), code repositories, software vulnerabilities, cybersecurity framework, software bill of materials, artificial intelligence, machine learning, automation, penetration monitoring, defense industrial base, contractor software, software build security, third-party vendor security
16. SECURITY CLASSIFICATION OF: U
a. REPORT: UNCLASSIFIED
b. ABSTRACT: UNCLASSIFIED
c. THIS PAGE: UNCLASSIFIED
17. LIMITATION OF ABSTRACT: UU
18. NUMBER OF PAGES: 48
19a. NAME OF RESPONSIBLE PERSON: Vincent “Ted” Welsh
19b. TELEPHONE NUMBER (include area code): 443-360-4600

ON THE COVER: (Source: Shutterstock & freepik)
Standard Form 298 (Rev. 8/98)
Prescribed by ANSI Std. Z39.18

THE AUTHOR

ABDUL RAHMAN, PH.D.
Dr. Abdul Rahman is a subject matter expert in the design and implementation of cloud analytics and architectures that support situational awareness tools for cyber network operations for commercial and government customers. He has over 25 years of information technology experience, including software development, network engineering, systems design, systems architecture, security, and network management. He has published widely on topics in physics, mathematics, and information technology. Dr. Rahman holds Doctor of Philosophy degrees in mathematics and physics.

ABSTRACT

The application of artificial intelligence (AI) to software supply chains (SSCs) within the defense industrial base (DIB) holds promise to improve cybersecurity posture, ensure stricter compliance with National Institute of Standards and Technology (NIST) controls, and increase user confidence in software built in part upon modules and libraries from outside repositories. AI can provide analysts with suggested frequencies for (re)scanning, supplement threat assessments of infrastructure, automate threat intelligence processing, and expedite cybersecurity risk management. Moreover, the security of SSCs in the DIB can benefit from similar uses of AI as a recommendation engine for communicating the probability of compromise. For U.S. Department of Defense cybersecurity analysts, AI-driven automation can provide insight into how closely software capabilities deployed on military and government networks adhere to NIST compliance standards. The ability to reflect the most up-to-date set of vulnerabilities within a system security plan could significantly improve upon the existing practice of relying on manual internal scanning. AI can enable human-in-the-loop workflows to optimize the integration of processed threat intelligence and better identify vulnerabilities per software and/or operating system. This report presents and discusses how AI can protect SSCs purpose-built for the DIB ecosystem.

ACKNOWLEDGMENTS

The author would like to thank the staff of the Cybersecurity & Information Systems Information Analysis Center and SURVICE Engineering Company for their guidance and review of this report.

EXECUTIVE SUMMARY

Managing the intricate and diverse supply chain within the U.S. government involves a heavy reliance on an extensive and varied network of suppliers and vendors for software components. This dependence introduces a range of challenges in ensuring the security of these software components. To address these software supply chain (SSC) security challenges effectively, a combination of technical solutions, robust security practices, collaboration among stakeholders, and adherence to industry standards is essential.

Prioritizing SSC security is critical for organizations to mitigate risks and safeguard against potential vulnerabilities and attacks. Unfortunately, federal entities often lack complete visibility into their SSCs, including information about the origin, integrity, and security of both packet and precursor components. This lack of visibility makes it challenging to identify and mitigate risks and vulnerabilities. Furthermore, reliance on third-party vendors introduces additional risks related to the security practices and integrity of provided software components.

To secure SSCs, it is crucial to implement preventive strategies against attacks. This can be achieved by establishing a security baseline and engaging in robust and continuous behavioral monitoring practices. The most sophisticated of these behavior-based methods involves the utilization of artificial intelligence (AI) models to forecast, infer, predict, correlate, and pinpoint likely weaknesses, potential attack vectors, and avenues of approach within SSC-embedded software. AI-powered systems can continuously monitor SSCs in real time, identifying suspicious activities and flagging actions that would otherwise allow for unauthorized access.

AI models are particularly well suited for the automation of routine SSC security audits and assessments that are intended to detect potential vulnerabilities, risks, and security control gaps. Such a proactive, real-time approach enables organizations to address potential exploits and vulnerabilities promptly and, if a penetration does occur, to receive immediate alerts to facilitate swift responses to security incidents, minimizing damage. Moreover, the integration of AI with security coding workflows can streamline the autocompletion and updating of required compliance practices, thereby enhancing overall code quality, defect reduction, and efficiency.

CONTENTS

ABOUT CSIAC
THE AUTHOR
ABSTRACT
ACKNOWLEDGMENTS
EXECUTIVE SUMMARY
SECTION 1 INTRODUCTION
1.1 Defining SSC Attacks
1.2 SSCs and the Defense Industrial Base
1.3 Securing SSC
1.4 Report Overview
SECTION 2 DATA MANAGEMENT STRATEGIES
2.1 Open-Source Packages
2.2 Attack Surface Management and Threat Modeling
2.3 Application Code Security
2.4 NIST Cybersecurity Framework
SECTION 3 FEATURE DEVELOPMENT
3.1 Secure Software Updates: Development, Security, and Operations (DevSecOps); Artificial Intelligence for Internet Technology Operations (AIOps); and Machine Learning Operations (MLOps)
3.2 Push Protection
3.3 Other SSC Frameworks
3.3.1 General Frameworks
3.3.2 SBOM and Pipeline Bill of Materials (PBOM)
3.3.3 Supply Chain Levels for Software Artifacts (SLSA)
SECTION 4 APPLICATIONS OF AI
4.1 AI Models With Blockchain Integration With SSC Frameworks
4.2 Software Vulnerability Analysis and Detection Using AI
4.3 AI-Enhanced Coding Reliability
CONCLUSIONS
REFERENCES

FIGURES

Figure 1-1. An Enterprise’s Visibility, Understanding, and Control of Its SSC Decrease With Each Layer of the Broader Development Community’s Involvement
Figure 1-2. Cybersecurity Risks Throughout the Supply Chain
Figure 2-1. An SSC With Focus on a Single Link; Systemwide Security Depends on Upstream/Downstream Transparency, Link Validity, and Logical Separation Between Components and Links
Figure 2-2. Data Flow Diagram of an Example Attack Surface
Figure 2-3. The Six Main Pillars of a Successful Cybersecurity Program, as Reflected in the NIST CSF Version 2.0 (Draft)
Figure 3-1. Build Platform Workflow for Provenance, as Attestation of Created Artifacts in Support of SSC Security
Figure 3-2. SLSA Approach to SSC Threats and Mitigations
Figure 4-1. Notional Architecture of Blockchain Integrated With AI (FL) and Framework; Frameworks Provide Artifact Level Alignment for Distributed AI (FL) to Be Trained Over All Locations

TABLES

Table 2-1. NIST Guidance for Organizational Supply Chain Risk Management Under the “Identify” Function of the NIST CSF Version 1.1

SECTION 1
INTRODUCTION

Once used by the U.S. military in only its most high-tech systems, software is now omnipresent across the defense establishment. As the Defense Innovation Board noted in 2019, software drives “almost everything” that the U.S. Department of Defense (DoD) “operates and uses,” from discrete weapons systems to the overarching networks that provide command, control, and communications capabilities for commanders [1]. While protecting DoD systems from traditional cyberbased attacks will remain an enduring challenge, threats to the security of the software supply chains (SSCs) that develop and produce critical products have recently risen in prominence as a preferred threat vector for penetrating and compromising information systems. By one estimate, the number of SSC attacks against commercial and public entities in the United States increased by more than 700% between 2019 and 2023 [2]. SSC attacks have become such an acute threat that the real-time tracking of SSC incidents has become a niche subsection of the cybersecurity solutions market [3].

1.1 DEFINING SSC ATTACKS

As its name suggests, an SSC refers both to the process of developing code-based packages across multiple parties and the outcome of chained-development activities into usable software products. SSCs encompass software modules, libraries, registries, and components, as well as all the hardware, operating systems, and cloud services that may be used during the coding and development process. As one leading software developer, Red Hat, has pointed out, an SSC is most properly considered to include even the people who write the code [4]. Current software development practices are relatively open, especially when compared with traditional coding methods, which remained in use well into the early 2000s. Instead of single entities developing software—entirely in house and by writing all code from scratch—current practices intentionally draw upon broad software communities. Developers leverage code sourced from external (but interconnected) libraries and modules that may serve different purposes for an application (e.g., encryption, authentication, and networking) [4].

Although this type of community development delivers key efficiencies to software production, it also presents bad actors with a wide range of potential threat vectors. Admitting dependencies through SSC development can introduce exploitable software code that is vulnerable to numerous, and cascading, vulnerabilities into the postbuilt product code baseline (see Figure 1-1).

An SSC attack might seek to exploit open-source or shared tools, or to illicitly access a single developer’s proprietary build infrastructures [5]. Whatever the vector, an SSC attack consists of at least two elements: (1) a malign actor compromising at least one supplier within an SSC and (2) that vulnerability then being used to harm other supplier(s) or the final product/customer. While it is possible that an SSC can be penetrated in part due to the actions of an insider, leading defense intelligence authorities like the U.S. National Counterintelligence and Security Center see cyberbased (or software enabled) SSC attacks as the more common and, thus, greater threat at present [5].

Figure 1-1. An Enterprise’s Visibility, Understanding, and Control of Its SSC Decrease With Each Layer of the Broader Development Community’s Involvement (Source: Boyens et al. [6]).

The documented ability to exploit vulnerabilities in an SSC has existed since at least the 1980s, when the “Ken Thompson hack” or “trusting trust attack” demonstrated the ability to compromise source code while leaving behind almost no trace of alteration [7]. Since then, the massive expansion of software production and the ubiquitous use of connected information systems across all sectors of the economy have made SSC exploits a prime vector for malign actors. For example, SSC attacks often target popular package managers (e.g., node package manager [npm] for JavaScript Node.js) and their user communities. These communities have experienced incredible growth over the past decade—the number of public repositories hosted in the GitHub platform grew from 46,000 in early 2009 to more than 200 million by 2022 [5]. Accordingly, adversarial nation-states, terrorists, and other transnational criminal organizations recognize that SSC attacks can cause widespread and cascading harmful effects, all while requiring relatively few resources to execute [8].

A number of headline penetrations in recent years have raised the profile of SSC attacks for malign actors. In 2017, the “NotPetya” SSC cyberattack—the most damaging such attack then to date—infected a line of accounting and tax reporting software used by the Ukrainian government before spreading to several large multinational firms. The malware that Russian-sponsored hackers inserted disrupted email systems at a major food manufacturer and disabled multiple logistics systems for an international shipping company. In doing so, NotPetya even crippled one pharmaceutical firm’s ability to supply vaccines to the U.S. Centers for Disease Control and Prevention [9]. By 2020, the “SolarWinds” cyberattack, which originated from the Russian Foreign Intelligence Service, similarly penetrated a wide array of networked systems, primarily within the U.S. federal government. After being injected with backdoor code, a routine software update package for a technology administration suite was widely downloaded; worse, the compromise went undetected for nearly 12 months [10].

1.2 SSCs AND THE DEFENSE INDUSTRIAL BASE

The DoD acquires software products and systems, professional services, and the supporting hardware and computing power needed for operation much in the same way it obtains crates of 5.56-mm rifle ammunition—mostly purchasing them from private firms and other public or nonprofit suppliers. Generally known as the Defense Industrial Base (DIB), this collection of organizations, facilities, and resources provides the DoD with hundreds of billions of dollars of products and services each year and represents the nation’s enduring industrial and economic might [11]. The broad magnitude and scope of the DoD’s acquisition activities means that more than 1 million workers and around 60,000 firms can be considered part of the DIB [11]. While many of these firms do not directly shape or influence the development of software products that enter militarily-relevant SSCs, every single entity (even those that only produce hardware, like 5.56-mm cartridges) uses software platforms that are vulnerable to penetration.

The DIB’s immense scope and wide reach into suppliers and subcontractors make the defense of its SSCs an immense task. Two longstanding vulnerabilities further complicate this challenge:

1. The production of microelectronics, once co