Federal cybersecurity boondoggle: The Software Assurance Marketplace (SWAMP)

Way back in February, I wrote a blog about President Obama’s proposed Cybersecurity National Action Plan (CNAP). In the plan, the President called for $19 billion for cybersecurity as part of the 2017 fiscal year federal budget, a 35 percent increase over 2016 spending. 

While CNAP has a lot of thoughtful and positive proposals, I’m troubled by the fact that federal cybersecurity programs seem to have a life of their own with little oversight or ROI benefits. I often cite the Department of Homeland Security’s Einstein project as an example of this type of government cybersecurity waste. In my humble opinion, the feds are spending hundreds of millions of dollars on custom research and development for Einstein when commercial off-the-shelf (COTS) network security products could do the same job at a fraction of the cost.

+ Also on Network World: My 2 cents on CNAP +

As a part-time federal cybersecurity spending watchdog, I’ve come across another program that deserves public scrutiny: the Software Assurance Marketplace (SWAMP).

The SWAMP was first announced in 2014, supported by a $23 million-plus grant from the DHS Science and Technology Directorate. The program is described as follows:

The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. 

OK—so far, so good, since insecure software is a big and underappreciated problem in the overall cybersecurity spectrum. For example, ESG research indicates that 33 percent of critical industry organizations have experienced a security incident directly related to internally developed software. 

So, the SWAMP project was certainly appropriate and well-intended when it was introduced. Since then, however, this federal program has been fraught with numerous problems, such as:

• A limited and buggy feature set. The SWAMP hasn’t kept up with its original vision and now lags behind in terms of features and code support (for example, support for RHEL is way behind current versions). From what I’ve read, users tend to complain about the site’s usability and its overall number of software bugs. (I’ve seen screen shots that seem to lead to nowhere.) It seems like the SWAMP was designed for scale rather than usability, which is a real problem when you are trying to build an online service and attract a broad array of users.  There have also been a few concerns about security issues related to the site. I’ve heard that the VM set-up has some potential for abuse, and it’s uncertain whether the SWAMP team has adequately mitigated the risks.
• Project mismanagement. I’ve heard that the project has featured consistent turnover since its inception. Thus the SWAMP now suffers from project team deficiencies in terms of leadership, team coherency, vision and execution.  
• A lack of users. While the SWAMP was announced with lots of fanfare, it failed to attract a significant user base. In the fall of 2015, the SWAMP sent an email to all users that accidentally exposed the entire user population. More than a year into this federally funded project, there were only 600 to 700 users listed, and many of these were either involved with the project itself or those who’d registered but weren’t using the service. Part of the problem here is that developers don’t want to submit their code to a “big brother” government cloud service. (Note: This may be paranoia on the part of developers, but this viewpoint is a reality that government programs should consider.) For those who don’t trust a government-sponsored cloud service, there is an open source version of the SWAMP that can be run on site. Unfortunately, there is no indication that it has gained any market traction.

So, as it stands now, the SWAMP seems to be a buggy mismanaged service that provides infrastructure to run open source software (and a very limited number of commercial offerings) for software assurance on old (and sometimes antiquated) versions of development languages like Java and Ruby. Furthermore, it seems like the SWAMP has very few actual users. Not exactly a demonstration of efficient use of taxpayer money. 

I have no doubt that DHS’s heart was in the right place when it funded the SWAMP, but its ongoing project management seems to have turned this program into an irreversible failure. Instead of throwing good money after bad, Congress should hold DHS accountable, assess the true ROI and future of the SWAMP, and move on to bigger and better things if necessary. Personally, I’d rather see the next $23 million go toward NSF-sponsored cybersecurity scholarships than another mismanaged boondoggle.