The Department of Defense (DOD) acquisition chief confirmed at a press conference on Friday that the Pentagon has quietly been compiling a “Do Not Buy” list of companies whose products are known to contain Chinese or Russian software.
Ellen Lord, defense undersecretary for acquisition and sustainment, said the Pentagon started compiling the list about six months ago. She said the Department has shared the list with DOD agencies but has not enforced it or made it mandatory.
Defense contractors have been warned
The Pentagon plans to work with three defense industry trade associations (the Aerospace Industries Association, the National Defense Industrial Association, and the Professional Services Council) to alert contractors to products that the Pentagon considers potential threats.
The Pentagon hopes these contractors will switch to products deemed safe before bidding on future contracts to supply the Pentagon with equipment and services.
“What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” Lord said, as cited by Defense One. “Quite often that’s difficult to tell at first glance because of holding companies.”
In the past year, US officials have banned the use of products from Russian antivirus vendor Kaspersky Lab and Chinese hardware vendor ZTE on government networks, citing national security concerns. US officials say that the foreign intelligence agencies of those countries could use the access these two companies’ products have to government systems, and the data they collect, to spy on the US.
Pentagon looking into code reviews by foreign intelligence
Lord also said the Pentagon has been looking into the actions of US companies abroad, specifically US companies that have allowed foreign intelligence agencies to review the source code of their software as a condition of being permitted to sell products in those countries.
Beginning in June 2017, Reuters reported that tech firms such as IBM, Cisco, SAP, HPE, and McAfee had agreed to let a Russian government agency review the source code of their products.
HPE, in particular, let reviewers working for a Russian defense agency analyze the source code of ArcSight, a security monitoring (SIEM) platform that the DOD uses to watch over its own networks.
Chinese officials conduct similar code reviews, albeit on a smaller scale, since Western companies have less of a foothold in China’s crowded domestic market, which local vendors dominate.
US officials fear that Russia and China could use what they learn from analyzing these products, including any vulnerabilities found during the reviews, to mount cyber-attacks on US companies and government networks where those products are deployed.