The Pentagon is drawing up a list of software that should not be used by the US Department of Defense (DoD) or its contractors. The details were announced by Ellen Lord, Under Secretary of Defense for Acquisition, Technology and Logistics at a press briefing. However, Lord did not provide journalists with a copy of the list that is supposedly already in circulation around the DoD.
Lord told the media present at the briefing in the Pentagon: “What we are doing is making sure that we do not buy software that has Russian or Chinese provenance, for instance, and quite often that’s difficult to tell at first glance because of holding companies.”
The problem is further complicated by key US companies who provide access to source code to foreign governments. China and Russia are increasingly asking for access to source code to ensure that software is not used to spy on them. Large IT vendors such as IBM, Cisco, SAP and HPE have all admitted to making their code available for inspection.
What is the Pentagon worried about?
Quite rightly, the Pentagon is concerned about spying and cyber-attacks. There is also the concern over the theft of intellectual property (IP), something that President Trump rails against.
The issue of spying and cyber-attacks is something that intelligence communities are well versed in. The NSA exploits that have been leaked to the Internet show how many software vulnerabilities it was hoarding. It used those to craft attacks to penetrate target systems.
The same is true of other national intelligence agencies. For example, an Israeli intelligence team breached the Kaspersky antivirus software. Having done so, it then watched Russian intelligence using another breach to attack computers, including those of an NSA contractor. This led to Kaspersky losing a significant amount of market share as governments took action against it.
Private intelligence companies also hoard vulnerabilities as the breach of Italian surveillance company Hacking Team showed. These organisations provide their software to governments around the world.
All of these instances rely on unreported vulnerabilities. Giving intelligence agencies access to source code lets them find and weaponise such vulnerabilities. This allows them, as in the Kaspersky breach, to access sensitive US Government data. It also allows cyber-attacks to be created to shut down or damage US DoD systems.
The worry for the tech industry
The recent publication of the Foreign Economic Espionage in Cyberspace report heaps further pressure on tech companies. It states that foreign investors have been spending large sums of money on US tech start-ups. Any walk around the myriad start-up campuses in Silicon Valley will show the names of investors putting money into start-ups. The fear is that some are doing so in order to get access to technology and work out how to exploit it later.
The Pentagon spending bill currently passing through Congress has some interesting provisions. It will require tech companies to disclose any provision of source code to foreign governments. This could lead to the Pentagon blacklisting that software.
Micro Focus is already under additional scrutiny. It purchased a large portion of the HPE software assets in 2016 including ArcSight. HPE has admitted that it provided the source code for ArcSight to Russian investigators. The US DoD cyber security teams use ArcSight. It will be interesting to see if this new approach has an impact on ArcSight sales and what Micro Focus does to retain the US DoD as a customer.
What does this mean?
This is just the latest step in governments taking software vulnerabilities seriously. The irony of the US Do Not Buy list will not escape anyone in the cyber security industry. The Snowden Papers disclosed an orchestrated approach by the NSA and other US agencies to identify and weaponise vulnerabilities. Those exploits were used to attack hostile and friendly governments as the monitoring of Germany’s Chancellor Merkel’s phone showed.
The problem for the US is that it just cannot deliver the levels of revenue that software companies and their investors expect. This means that those companies have to sell to other countries and that means, in some places, giving up access to the source code. The current trade war with China is in part about this access to intellectual property. However, the US has not used hacking as part of the trade war rhetoric; instead it has focused on IP theft.
Tech companies are going to have a problem with the current Pentagon spending bill. They can disclose access by foreign governments and risk losing highly lucrative contracts with the US and other governments. Alternatively, they can create versions of the software for US or overseas sales only. The latter is unlikely to happen given the costs of running multiple code bases or creating two identical but unlinked products.
There is, of course, a third possibility: that tech companies actually start to deliver high quality software with no vulnerabilities. But then, unicorns could be real and fairies could live at the end of my garden!