Military Software Supply Chain Runs Through Foreign-Owned Code Dependencies

Modern military software systems depend on thousands of open-source libraries and third-party components, many of which are maintained by anonymous individuals or small teams in foreign countries. A single military application can have 500+ transitive dependencies, and no one in the program office has audited more than a fraction of them. The SolarWinds attack in 2020 demonstrated that a single compromised vendor update could infiltrate the networks of the Pentagon, DHS, and the Treasury Department simultaneously.

This matters because adversary intelligence services have recognized software supply chains as a high-leverage attack vector. Rather than attacking hardened military networks directly, they can compromise a single widely used library and wait for it to be pulled into defense systems through routine updates. The XZ Utils backdoor discovered in 2024 showed that a patient adversary can spend years building trust in an open-source project before inserting a backdoor.

The operational impact is that military systems could be compromised before they are ever deployed. If a backdoor exists in a cryptographic library used by a satellite communications system, every message sent through that system is potentially readable by the adversary. If a compromised logging library phones home from a classified network, the adversary gets real-time visibility into military operations.

Software Bills of Materials (SBOMs) are supposed to solve this, but in practice they are generated once at delivery and never updated. The software keeps pulling new dependencies, and the SBOM becomes stale within weeks. Even when SBOMs exist, program offices lack the tools and personnel to analyze them for risk.

The structural cause is that the defense acquisition system was designed to vet hardware suppliers (checking whether a chip fab is in a friendly country) but has no equivalent process for software dependencies. DFARS and NIST 800-171 require cybersecurity practices from prime contractors, but those requirements do not cascade effectively to the anonymous maintainers of open-source libraries that prime contractors bundle into their deliverables.
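The SBOM staleness problem described above can be checked mechanically: compare the SBOM delivered with a build against what the system actually has installed. The following is an added example, not code from the original article or from any DoD program; the CycloneDX-style SBOM and the `pip freeze` output are constructed sample data, and the component names and versions are illustrative only.

```python
import json

# Constructed CycloneDX-style SBOM as delivered with the build (sample data only).
DELIVERED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "cryptography", "version": "41.0.5", "purl": "pkg:pypi/cryptography@41.0.5"},
    ],
})

# Constructed `pip freeze` output from the same system after routine updates (sample data only).
CURRENT_FREEZE = """\
requests==2.32.3
urllib3==2.0.7
cryptography==41.0.5
structlog==24.1.0
"""

def sbom_components(sbom_json: str) -> dict[str, str]:
    """Map component name -> version from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return {c["name"].lower(): c["version"] for c in doc.get("components", [])}

def freeze_components(freeze_text: str) -> dict[str, str]:
    """Map package name -> version from `pip freeze` style 'name==version' lines."""
    out = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        out[name.lower()] = version
    return out

def sbom_drift(sbom: dict[str, str], deployed: dict[str, str]) -> dict[str, list]:
    """Components that make the delivered SBOM stale relative to what is actually installed."""
    added = sorted(set(deployed) - set(sbom))          # installed but never recorded in the SBOM
    removed = sorted(set(sbom) - set(deployed))        # recorded in the SBOM but no longer present
    changed = sorted((n, sbom[n], deployed[n]) for n in set(sbom) & set(deployed)
                     if sbom[n] != deployed[n])        # version moved without an SBOM update
    return {"added": added, "removed": removed, "changed": changed}

def sbom_is_current(sbom_json: str, freeze_text: str) -> bool:
    """True only when the SBOM still describes exactly what is installed."""
    d = sbom_drift(sbom_components(sbom_json), freeze_components(freeze_text))
    return not (d["added"] or d["removed"] or d["changed"])

if __name__ == "__main__":
    print(json.dumps(sbom_drift(sbom_components(DELIVERED_SBOM), freeze_components(CURRENT_FREEZE)), indent=2))
```

Running this against the sample data reports one component the SBOM never listed and one whose version moved since delivery, which is exactly the drift a once-at-delivery SBOM hides.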

Evidence

SolarWinds breach (2020) compromised at least 9 federal agencies including DoD components, per CISA advisory AA20-352A. XZ Utils backdoor (CVE-2024-3094) was discovered in March 2024 in a widely-used compression library. Executive Order 14028 (May 2021) mandated SBOMs for federal software, but GAO-23-106065 found implementation 'inconsistent and incomplete' across DoD. Synopsys 2024 Open Source Security and Risk Analysis report found 96% of commercial codebases contain open source, with 84% containing at least one known vulnerability. DoD CIO memo on software supply chain (2022) acknowledged 'significant gaps in visibility into software components.'
