Attendees at the October NATO Edge conference, in Mons, Belgium, gathered to consider what exactly is needed to “future proof” the North Atlantic Treaty Organization, which for almost three-quarters of a century has leveraged political and military assets to preserve the freedom and security of member nations. They assessed NATO’s core capabilities – technology, collaboration, partnerships – with an eye toward strengthening those strategic assets.
A consensus emerged in Mons that, more than ever, advanced IT tools are as essential to national defense as tanks and fighter jets. NATO’s goal of IT competence – preferably IT superiority – is clear. Yet the task of modernizing and securing the alliance’s cyber capabilities won’t be attained without a sustained and concerted effort.
First, there’s the challenge of coordinating systems and networks used by the alliance’s 30 members, a roster that stands a good chance of expanding. Second, NATO and (more generally) Europe trail the U.S. in the uptake of new technology. The lag tends to be two to three years. Third, known adversaries have well-established, state-sponsored capabilities for attacking IT networks, often by exploiting security vulnerabilities in applications.
The NATO Edge summit’s theme, “Technology in Focus,” explored a range of emerging and disruptive technologies nestled under the rubric of “digital transformation,” including artificial intelligence and the promise of using it to extract operational intel from massive data sets to gain a strategic advantage. Underlying the enthusiasm for AI and cutting-edge algorithms, summit participants acknowledged a more prosaic but no less critical concern upon which the fortunes of the NATO alliance could turn: application security.
Software is the conveyance that will bring into existence the vision of a modernized, digitally transformed NATO, and summit participants were eager to talk about vulnerabilities that threaten that vision. They understand that software security is critical to attain their goals for digital transformation, AI-enabled image recognition, and cloud-native technologies, such as containers. Baking security into the applications undergirding the infrastructure of NATO’s enhanced IT capabilities will make possible the creation of a NATO military capability supported by superior logistics, communications, and coordinated force projection.
The technological connective tissue of NATO’s vision will be millions of lines of code, which must be secured. If not, NATO will find itself defending a sprawling cyber landscape that will be vulnerable to security breaches. The rapidly expanding universe of military and defense applications is, like the software that runs civilian organizations, often lacking in security. The building blocks of emerging applications include libraries of code potentially containing exploitable security flaws, third-party software contributed by unknown coders, and software created by in-house developers, some of whom may have little, if any, formal training in building secure apps.
Transforming NATO into a robust alliance equipped to deal with 21st century threats will require an aggressive program of modernization that builds security into applications from day one. The risk-reward equation that for years informed application development (and was accepted as gospel) held that delivery of software could be fast or secure, but not both. Utilization of tools that assess and secure applications at every stage of development, from initial design to retirement, ensures that software development is safe without hindering its production.
This is a repeating cycle. Just as software deployment now happens continuously, software security best practices must also happen continuously, fully integrated into development workflows.
IT leaders, overwhelmed by the seeming complexity and scope of securing applications, sometimes just want to know how to get started. The simple answer is to start where you can. Just start. Immediately. Scan open-source libraries and get them up to date and patched. Perform static scanning of in-house code to find flaws and dynamic scanning to expose vulnerabilities before that code goes into production. Start with these foundational blocks before doing anything more mature.
For organizations migrating toward a zero-trust architecture model, application security is critical. The U.S. Cybersecurity and Infrastructure Security Agency designated application security as one of five pillars in its zero-trust maturity model. Applications, in fact, are responsible for enforcing many of the principles of zero trust, including data security, encryption, authentication, authorization, and logging.
Elsewhere, the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity requires software vendors to provide buyers with a software bill of materials that will enable agencies to know what’s in applications, empowering them to ensure their applications rely only on third-party code that is secure.
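The "start with scanning open-source libraries" advice and the software bill of materials requirement above come together in one routine check: read the SBOM, compare each third-party component against a minimum acceptable version, and flag anything below it or anything shipped without a version. The following is an added illustration, not code from the article or from any named vendor or agency; the SBOM excerpt and the version floor table are constructed for the example, and a real check would draw its floors from a vulnerability feed rather than a hand-written dictionary.

```python
"""Flag third-party components in a CycloneDX-style SBOM that fall below a policy floor."""
import json
import re

# Constructed SBOM excerpt in the CycloneDX JSON shape (a "components" list with
# name/version). This is not a real application's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "ua-parser-js", "version": "0.7.29"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "name": "mystery-lib"}
  ]
}
"""

# Constructed policy floors (hypothetical; a production check would load these
# from an advisory feed, not hard-code them).
MIN_SAFE = {
    "log4j-core": "2.17.1",
    "ua-parser-js": "0.7.30",
    "jackson-databind": "2.13.4",
}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Non-numeric parts (e.g. 'rc1') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))

def check_sbom(sbom_json, min_safe):
    """Return (outdated, unversioned): components below their floor as
    (name, have, need) tuples, and names of components with no version at all."""
    bom = json.loads(sbom_json)
    outdated, unversioned = [], []
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if version is None:
            unversioned.append(name)  # cannot be assessed, so report it rather than skip it
            continue
        floor = min_safe.get(name)
        if floor and parse_version(version) < parse_version(floor):
            outdated.append((name, version, floor))
    return outdated, unversioned

if __name__ == "__main__":
    bad, unknown = check_sbom(SBOM_JSON, MIN_SAFE)
    for name, have, need in bad:
        print(f"{name} {have} is below minimum {need}")
    for name in unknown:
        print(f"{name}: no version recorded in SBOM")
```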
The truth is that application security is essential to the IT security of all modern organizations. NATO is no exception. If anything, the security mandates of an alliance like NATO make application security more important.
The security landscape is what some military strategists might refer to as a target-rich environment. Since mid-2021, cyber-attacks exploiting application flaws, zero-day vulnerabilities, or other security weaknesses have enabled a number of IT breaches, among them an attack on the SolarWinds software company; a ransomware attack that exploited Kaseya; the compromise of UA-Parser-JS, a popular JavaScript library; and the exploitation of the Log4j Java-based logging tool.
In Shakespeare’s The Tempest, Antonio says “past is prologue,” a line often thought to mean that the past determines the present. A close reading of the full passage reveals a different meaning: the past got us here; what happens next is up to us.
NATO has arrived at a pivotal moment. Emerging in real time on the geo-political stage is a new era, one in which information technology determines military supremacy. In this new world order, protecting IT assets -- from networks to applications to lines of code -- is more important than ever.
Application security is national security.
Chris Wysopal is co-founder and chief technology officer at Veracode, a Burlington, Massachusetts-based provider of SaaS application security that integrates application analysis into development pipelines.
Have an opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.