Coding is Maneuver II; A Different Conceptual Model for Certifying Software?

In the previous post, Coding is Maneuver, I made the claim that in cyberwar coding has some equivalency to maneuver warfare and that an agile cyber combatant will need to be able to write and deploy code in real time.

This idea has a few key implications for our current system of software acquisition. First, source must be open (for what should be obvious reasons). Second, the certification process to release a source code change onto the network must adapt in significant ways to support agility. It simply will not be possible to go through a traditional software acquisition, accreditation and operational testing and deployment process and turn things around in the necessary timeframes.

Maybe there is an opportunity here to re-think the conceptual basis for accreditation and testing. What if we accredited the “conditions” of the software’s production and its authors instead of the software itself and then incremented the accreditation “strength” for different types and timeframes of deployment?

In practical terms this might mean that software developed in real time during a cyber engagement by accredited personnel could receive a “spot accreditation” to be deployed into an accredited “system” with a time to live that would be enforced by the virtual machine it was deployed into. Basically, accredit the author instead of the system and then put a time and location box around the code that is enforceable by the container.

There are probably a bunch of things I haven’t considered that make this idea naive, but I don’t think the current approach is going to be agile enough. Tweaking it to make it incrementally more flexible and agile isn’t going to do it. What kind of conceptual shift, if not this one, will make it possible to stay nimble but secure in this environment?

Leave a Reply

Your email address will not be published / Required fields are marked *