Pentagon Circulates Software ‘Do Not Buy’ List

The US Department of Defence has begun circulating a “do not buy” list of software it considers to have Russian and Chinese connections, in the country’s latest tightening of restrictions on foreign tech influence.

The Chinese and Russian governments have called previous US restrictions on companies such as Russian security software firm Kaspersky Lab and Chinese telecoms equipment makers Huawei and ZTE examples of US protectionism.

The list is designed to highlight software that doesn’t meet national security standards, said Pentagon acquisition chief Ellen Lord.

She told news website Defense One that the list indicates software considered to have Russian or Chinese provenance, something that might not be evident because of the use of holding companies.

Supply chain danger

Ever more complex supply chains have resulted in malware making its way into software or even being built into the firmware that drives hardware products.

But the Pentagon’s concerns are more specifically that foreign powers could insert spy code into government systems.

Lord said the Pentagon would work with the three major military trade associations, the Aerospace industries Association, the National Defense Industrial Association and the Professional Services Council, to alert contractors about the suspect software as part of what she called a large-scale “education process”.

In a separate report released by the National Counterintelligence and Security Centre last week, the government identified other ways foreign governments could spy on Americans via technology, highlighting, for instance, large-scale Chinese investment in US artificial intelligence start-ups.

The report also highlights concerns around US companies that have allowed Russian and Chinese government agencies to review their source code, potentially allowing them to spot vulnerabilities that could be used to attack US systems.

Infiltration

Last year Reuters reported that IBM, Cisco, SAP and HPE had allowed the FSB, Russia’s intelligence agency, to examine their source code in order to be allowed to sell to Russian government bodies.

HPE allowed the FSB to examine the source code for ArcSight, a cybersecurity product widely integrated into US military systems, Reuters said.

While the Pentagon has said there is no specific rule barring government agencies from buying software that has been examined by other governments, the report is part of a broader effort to lock down US military systems, Lord said.

Those ongoing efforts are about “making sure we have secure systems overall for our data and information”, she said.

Earlier this year GCHQ’s National Cyber Security Centre (NCSC) advised against the broader use of equipment from ZTE in UK networks due to difficulties with monitoring the large existing deployments of Huawei gear.

This month the government said that due to long-term weaknesses in Huawei’s industrial processes it could provide “only limited assurance” that any national security threats from Huawei’s kit were being successfully mitigated.

China and Russia have both also expressed concerns about their countries’ use of tech from abroad, but while China has developed large-scale local industries to provide elements such as software and microprocessors, Russia has had less success at promoting domestic products.