Pentagon flags risky software suppliers

The US Department of Defense has revealed that it is distributing a list of foreign software suppliers it wants the military and its suppliers to avoid.

The news comes just days after a US government report on cyber espionage by China, Russia and Iran warned that software supply chains are increasingly under attack.

Due to “specific issues”, the Pentagon is circulating a do not buy list of software that does not meet “national security standards”, without giving any specific details, reports the Defense One news site.

“What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” Ellen Lord, the undersecretary of defence for acquisition and sustainment is quoted as saying.

The list, which was started six months ago, is aimed at making it clear to all those involved in buying software for use by the military and its contractors what software has links to Russia and China because those links are not always obvious due to the use of various holding companies.

Earlier in July, a UK government report raised concerns about the shortcomings of engineering processes at Chinese firm Huawei that could put UK telecommunications networks at risk.

Despite finding that the capability of Huawei Cyber Security Evaluation Centre (HCSEC) had improved in 2017 and that technical work relevant to overall mitigation strategy can be performed at scale and with high quality, the report said the Oversight Board can provide “only limited assurance” that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.

The report comes just three months after the National Cyber Security Centre (NCSC) advised the UK telecommunications sector to avoid the use of equipment and services from ZTE in China.

The Pentagon is reportedly working with the US Aerospace industries Association, the National Defense Industrial Association and the Professional Services Council to alert all contractors in the military supply chain about software suppliers identified as risky by the Pentagon and US intelligence community.

The recently published Foreign economic espionage in cyber space report by the US National Counterintelligence and Security Center (NCSC) warned that software supply chain infiltration has already threatened the critical infrastructure sector and could threaten other sectors as well.

This infiltration, the report said, is being done in several ways, including through Chinese investment in US tech firms working in artificial intelligence, through foreign intelligence services discovering vulnerabilities to exploit while examining the source code of US firms applying to export software to Russia and China, and through operatives injecting malicious code into software prior to distribution.

The US Department of Defense introduced a set of standards to defence suppliers were supposed to meet by last January, but was forced to backtrack when suppliers said they would be unable to meet those standards.

Lord admitted to reporters that the Pentagon has “softened” some of its requirements as a result, but said that this would have to change and that requirements would have to be increased in future, adding that the Pentagon planned to start “red-teaming” defence suppliers soon to test their cyber security posture.

In the UK, the Ministry of Defence continues to develop a joint initiative with industry aimed at raising the security posture throughout the UK’s defence supply chain, with increasing focus on small to medium-sized enterprises (SMEs).

“The MoD’s supply chain includes a wide range of organisations such as materials manufacturers, infrastructure providers and product manufacturers, but the cyber threats to the supply chain are real and the National Cyber Security Strategy recognises that,” Phil Blunden of the MoD’s Defence Cyber Protection Partnership (DCPP) told the 2018 Public Sector ICT Summit in London in March.

Johnathan Azaria, security researcher specialist at Imperva, said news of the Pentagon’s “do not buy” list is not surprising when considering that some software manufactured in China was shipped with out-of-the-box malware.

“The possible threat from such software ranges from unintentional security issues that simply weren’t patched properly, to a hard-coded backdoor that will grant access to the highest bidder. We hope that the news of this list will urge manufacturers to put a larger emphasis on product security,” he said.