Publication:
Hidden Risks to Cyberspace Security from Obsolete COTS Software

dc.contributor.authors: Ozkan B.E., Bulkan S.
dc.date.accessioned: 2022-03-15T02:14:23Z
dc.date.accessioned: 2026-01-11T19:08:29Z
dc.date.available: 2022-03-15T02:14:23Z
dc.date.issued: 2019
dc.description.abstract: Obsolescence of Commercial Off The Shelf (COTS) hardware and software, with their shorter product life cycles, is one of the major concerns for cyberspace system/service providers. While hardware obsolescence has been widely studied, software obsolescence has received less attention. However, the increased number of cyber incidents globally calls for more attention to the use of COTS software in critical infrastructures and military systems: systems comprising 25+ product life cycles and dominated by sustainment concerns. The number of reported vulnerabilities of COTS software systems more than doubled in 2017 and continued to increase in 2018. It is already a challenge for system/service providers to keep up with the pace of vulnerabilities to sustain the resiliency of the systems. Increased use of COTS software in mission-critical systems exacerbates the situation because it forces system/service providers to manage the risk of not being able to receive security updates for obsolete software. In today's cyber conflict, where hybrid threats are enjoying the highly connected nature of cyberspace terrain enabled with globalization and newer technologies, if cyberspace security risks stemming from obsolete COTS software in critical systems are not addressed properly, they may easily become a national security problem. Such risks must be addressed comprehensively at both governance and management levels. This paper presents the sustainability, operational efficiency and cyberspace security risks of obsolete COTS software in critical infrastructures and military systems and proposes mitigations at both governance and management levels. At the management level, a Multi Criteria Decision Making methodology is proposed for system/service providers to balance the conflicting objective functions of reaching a cost-effective solution while maximizing the system's cyberspace security and efficiency. © 2019 NATO CCD COE.
dc.identifier.doi: 10.23919/CYCON.2019.8756990
dc.identifier.isbn: 9789949990443
dc.identifier.issn: 23255366
dc.identifier.uri: https://hdl.handle.net/11424/248034
dc.language.iso: eng
dc.publisher: NATO CCD COE Publications
dc.relation.ispartof: International Conference on Cyber Conflict, CYCON
dc.rights: info:eu-repo/semantics/closedAccess
dc.subject: COTS
dc.subject: cyber conflict
dc.subject: cyber security
dc.subject: software obsolescence risks
dc.subject: sustainment-dominated systems
dc.subject: vulnerabilities
dc.title: Hidden Risks to Cyberspace Security from Obsolete COTS Software
dc.type: conferenceObject
dspace.entity.type: Publication
oaire.citation.title: International Conference on Cyber Conflict, CYCON
oaire.citation.volume: 2019-May
